
Hello, I have this XML as a SAML2 Response from my IDP:

  <Assertion ID="_97031c65-0139-4047-a416-9495df5d6ed7"
    IssueInstant="2016-10-26T07:45:43.438Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>
    </Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod
                Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_97031c65-0139-4047-a416-9495df5d6ed7">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>
                  KMaF...
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          FHdZ....
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
                <X509Certificate>
                  MII....
                </X509Certificate>
            </X509Data>
        </KeyInfo>
    </ds:Signature>
    ....

Now I want to check if the Response is a valid response from my IDP. How can this be done? (I am using OpenSAML 3.x Java.) Is it enough just to do a string comparison on the signature and the cert?

I also have a MetadataDocument.XML with the credential info from my IDP (Azure).

Related:
SAML 2.0 - How to verify the sender certificate?

OpenSAML (2.0) Signature validation not working


1 Answer

First things first:

Don't roll your own SAML implementation. There are just too many things you can get wrong, and it's not worth the risk. I don't know if I can stress this enough. Use an open source, well known and tested implementation like Shibboleth SP or simplesamlphp.

Warning above aside, and assuming you are doing this for your own understanding and not as part of a product/service that will be available to anyone but you:

The way to check that the response comes from your IDP is to check the Digital Signature. For that, you must use the Public Key of the IDP (that is contained in the IDP certificate which you know from the IDP's metadata) in order to verify the Digital Signature. Please read about Digital Signatures and Digital Signature verification to understand what needs to be done and why. Then you can proceed on how to do it by reading the Official Documentation. Some notes:

  • Don't trust the certificate that comes with the SAML Assertion. This is there just for the case where you know multiple certs for a given Relying Party and you need to select the one that applies to the specific SAML conversation.
  • You can't do String comparison on the Signature. You cannot compute the same Signature as you don't have the Private Key that the IdP used to create it.
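As an added illustration of what the answer describes (this is not the answerer's code, and not a substitute for a real SP implementation), the OpenSAML 3.x snippet below takes the signing certificate from the IdP metadata (MetadataDocument.xml) rather than from the Assertion, runs the SAML signature profile check, and only then verifies the signature. It assumes the OpenSAML 3 core, saml-impl and xmlsec-impl artifacts on the classpath, the Response saved as response.xml, and the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.*;
import java.security.cert.*;
import java.util.Base64;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.*;
import org.opensaml.saml.saml2.metadata.*;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;

public class SamlResponseVerifier { // hypothetical class name, not part of OpenSAML
    // Parse XML with the registry's parser pool and unmarshal it into the matching OpenSAML object.
    static XMLObject unmarshal(byte[] xml) throws Exception {
        Element root = XMLObjectProviderRegistrySupport.getParserPool().parse(new ByteArrayInputStream(xml)).getDocumentElement();
        return XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    // The trust anchor is the signing certificate from the IdP metadata, never the one embedded in the Response.
    static BasicX509Credential idpSigningCredential(EntityDescriptor idp) throws Exception {
        for (KeyDescriptor kd : idp.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getKeyDescriptors()) {
            if (kd.getUse() != null && kd.getUse() != UsageType.SIGNING) continue; // skip encryption-only keys
            byte[] der = Base64.getMimeDecoder().decode(
                    kd.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue());
            return new BasicX509Credential((X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der)));
        }
        throw new IllegalStateException("metadata has no signing KeyDescriptor");
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize(); // loads the XMLObject providers and the global parser pool
        EntityDescriptor idp = (EntityDescriptor) unmarshal(Files.readAllBytes(Paths.get("MetadataDocument.xml")));
        BasicX509Credential cred = idpSigningCredential(idp);
        Response resp = (Response) unmarshal(Files.readAllBytes(Paths.get("response.xml"))); // assumed file name
        for (Assertion a : resp.getAssertions()) {
            Signature sig = a.getSignature();
            if (sig == null) throw new SecurityException("unsigned Assertion");
            if (!idp.getEntityID().equals(a.getIssuer().getValue())) throw new SecurityException("unexpected Issuer");
            new SAMLSignatureProfileValidator().validate(sig); // the Reference must point at this Assertion only
            SignatureValidator.validate(sig, cred);             // RSA-SHA256 check; throws SignatureException on mismatch
        }
    }
}
```

A passing check only proves that the IdP's key signed the Assertion; Conditions (Audience, NotOnOrAfter) and InResponseTo still need checking, which is exactly the ground a standard SP implementation covers for you.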
  • Hi, I am using OpenSAML for this purpose. I already got a functional login, but due to some circumstances and security reasons, we need to validate the SAML Response acquired from the login at the IDP not only in our user agent but also on our resource server when a resource is requested. – Gobliins Nov 03 '16 at 11:43
  • The real SAML login is performed by meteor-accounts. Our idea was to send the Response along with the request to our resource server and do the manual OpenSAML validation, to check if the request comes from a trusted source (our user agent). – Gobliins Nov 03 '16 at 11:51
  • I am not sure I follow you. I am not familiar with what meteor-accounts is. To say that the login is functional without checking the signature, is like saying that a username/password login works but you don't check if the password is correct. You would have to edit the original question to include what your setup is and what you want to do, otherwise it's too hard to help you – Yiannis Kakavas Nov 03 '16 at 12:11
  • Maybe I was not clear. The SAML login is already done on our user client (some JavaScript browser app); there are a couple of libraries from atmospherejs that support the complete SAML login process, and this is already done with all checks / encryption etc. I was just giving some background info. – Gobliins Nov 03 '16 at 12:22
  • Now the situation is that I have the Response from the IDP (sent from the IDP to the user agent after login) and we need to pass it from our user agent to our resource server. Now on the resource server there is OpenSAML, and we need to verify if the response that is sent by the user agent is a valid response from our IDP. – Gobliins Nov 03 '16 at 12:24
  • Ok, so the user is authenticated and the login is completed. Then the SAML response is consumed, validated and the identity of the user is already mapped. I see no point in sending the SAML response somewhere else to be validated once more. What are your "circumstances and security reasons"? – Yiannis Kakavas Nov 03 '16 at 12:25
  • We need a security layer on our resource server as well, and our idea was that instead of just sending a manually generated API key, i.e., we use the SAML response and do a manual validation. – Gobliins Nov 03 '16 at 12:27
  • So by "The login is completed" you mean that the user is authenticated at the IDP. Well this is half the part of SSO. Now the SP needs to consume the SAML Response and this is JUST as important as the login to the IDP itself. So, my original response stands: Don't do it manually, please use an SP implementation. – Yiannis Kakavas Nov 03 '16 at 12:32
  • So you are saying we shouldn't do the manual verification of cert/signatures and do another saml login? – Gobliins Nov 03 '16 at 12:47
  • There is no "another SAML login". I'm suggesting that you use a standard implementation to validate the SAML response, instead of what you are trying to do (create your own SAML SP implementation based on OpenSAML). Please take a look also at https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile for an overview of how SAML SSO works. – Yiannis Kakavas Nov 03 '16 at 15:04
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/127352/discussion-between-gobliins-and-yiannis-kakavas). – Gobliins Nov 04 '16 at 07:42