
I work as an SP and recently need to integrate with an IdP. According to the IdP's documentation, it will send an HTTP POST response to me. In the response, there are ds:SignatureValue and ds:X509Certificate. There is a thread like this: SAML: Why is the certificate within the Signature?, but that thread only answers how to check that the message is from who it says it is.

1) What are the meanings of ds:SignatureValue and ds:X509Certificate?

2) How do I ensure the response is from my IdP? I mean, if hackers know my HTTP POST address, they can easily send a similar HTTP POST request to my application. I found there is a Referer in the HTTP request header; is it safe to use this to verify that the request is from my IdP?

3) The IdP asked me to send the SP public signing certificate; the format should be a DER encoded binary X.509 (*.CER). How do I create the public signing certificate?

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <ds:Reference URI="#_2152811999472b94a0e9644dbc932cc3" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ec:InclusiveNamespaces PrefixList="ds saml samlp xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transform>
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
   <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">bW1Os7+WykqRt5h0mdv9o3ZF0JI=</ds:DigestValue>
  </ds:Reference>
 </ds:SignedInfo>
 <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">SignatureValue</ds:SignatureValue>
 <ds:KeyInfo>
  <ds:X509Data>
   <ds:X509Certificate>X509 certification</ds:X509Certificate>
  </ds:X509Data>
 </ds:KeyInfo>
</ds:Signature>

1 Answer

  1. Both are elements of XML Digital Signature. The ds:SignatureValue element contains the actual signature of the SAML Response, which is Base64 encoded. The ds:X509Certificate element is the signing certificate (it contains the public key and other IdP information), which is Base64 encoded. Check the XML Digital Signature specification for more info.
  2. You might have the IdP certificate from its metadata. Use the IdP certificate to sign the incoming SAML Response and compare with the received ds:SignatureValue from the IdP. If these two signature values match, then you can be assured the SAML Response was indeed sent by your IdP. Check this code on how to verify the response sent from the IdP by the SP using the OpenSAML implementation. (Note: this is my repo, where I implemented SAML 2.0 using OpenSAML.)
  3. To generate a certificate, various tools and libraries are available. One well-known tool for Java is Keytool. Check on Google; you will find many tutorials on this.
  • @Study Hard: Thanks for voting for my answer. If this seems correct, please accept it as the best answer, so that people find it easy to read the question and its answer. – Zeigeist Jul 27 '16 at 06:41
  • I was wondering how to use the IdP certificate to sign the incoming SAML Response and compare with the received ds:SignatureValue from the IdP. I am using OpenSAML and could get the assertion and the Signature from the response. – Study Hard Aug 29 '16 at 21:23
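The checks behind point 2 of the answer, as an added Go example (not code from the question, the answer or OpenSAML): the SP pins the IdP certificate from metadata, rejects a Response whose embedded ds:X509Certificate differs, verifies ds:SignatureValue over SignedInfo with that certificate's key, and confirms the Reference digest matches the Response content. It assumes a constructed Response ID `_resp1`, rsa-sha256/sha256 instead of the rsa-sha1/sha1 shown in the question, and a hand-written already-canonical SignedInfo; a real SP must apply the exc-c14n and enveloped-signature transforms with an XML-DSig library before hashing.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)
var b64 = base64.StdEncoding
// The exclusive-canonical SignedInfo the SP expects for Response ID _resp1 (constructed), hand-written in canonical form so this demo needs no C14N step.
func signedInfo(digestB64 string) string {
	return `<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_resp1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>` + digestB64 + `</ds:DigestValue></ds:Reference></ds:SignedInfo>`
}
// IdPSign plays a constructed IdP: mint a self-signed signing certificate, digest the Response content into SignedInfo, sign SignedInfo.
// Returns the certificate DER (what the SP pins from IdP metadata), Base64 ds:X509Certificate, Base64 ds:SignatureValue and SignedInfo.
func IdPSign(content string) (pinnedDER []byte, certB64, sigB64, si string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	d := sha256.Sum256([]byte(content)) // Reference digest of the (already canonical) Response content
	si = signedInfo(b64.EncodeToString(d[:]))
	h := sha256.Sum256([]byte(si)) // ds:SignatureValue signs SignedInfo, not the content directly
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil { panic(err) }
	return der, b64.EncodeToString(der), b64.EncodeToString(sig), si
}
// VerifyResponse is the SP side: trust only the certificate pinned from IdP metadata (an HTTP Referer proves nothing), verify ds:SignatureValue
// over SignedInfo with that key, then require SignedInfo to carry exactly the expected algorithms, Reference URI and digest of the content.
func VerifyResponse(pinnedDER []byte, certB64, sigB64, si, content string) error {
	certDER, err := b64.DecodeString(certB64)
	if err != nil || string(certDER) != string(pinnedDER) { return errors.New("embedded ds:X509Certificate is not the pinned IdP certificate") }
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	sig, err := b64.DecodeString(sigB64)
	if !ok || err != nil { return errors.New("unusable key or malformed ds:SignatureValue") }
	h := sha256.Sum256([]byte(si))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil { return err }
	d := sha256.Sum256([]byte(content))
	if si != signedInfo(b64.EncodeToString(d[:])) { return errors.New("SignedInfo or Reference digest does not match the Response") }
	return nil
}
```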