ComponentSpace Forums

XML Signatures

ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K

XML signatures may be used to sign SAML messages, assertions and metadata. For example, a SAML response containing a SAML assertion may be signed. Alternatively, just the SAML assertion may be signed.

An XML signature is contained within a <Signature> element within the http://www.w3.org/2000/09/xmldsig# namespace.

An XML signature ensures any changes to the signed XML may be detected and it identifies who signed the XML.

For example, when an SP receives a signed SAML response from an IdP, if the signature verification performed by the SP is successful, then the SP is assured that the SAML response came from the IdP and that it hasn’t been modified after signing. Therefore, having previously established a trust relationship with the IdP, the SP can safely consume the SAML response sent by the IdP.

The following is an example of a signed SAML response. It's been formatted for display purposes.


<samlp:Response ID="_4a27a8e8-444e-461a-93dd-8e28a8171e36" InResponseTo="_84e0406f-f52f-4c3e-a56c-9fb2a7b7afa8" Version="2.0" IssueInstant="2020-05-25T01:38:24.509Z" Destination="https://localhost:44338/SAML/AssertionConsumerService.aspx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ExampleIdentityProvider</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
  <Reference URI="#_4a27a8e8-444e-461a-93dd-8e28a8171e36">
   <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transform>
   </Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
   <DigestValue>EcLPpIqsK612XhqilOyVuvSlFQ0hLBLpJzeKpPIDYJA=</DigestValue>
  </Reference>
  </SignedInfo>
  <SignatureValue>HytPX14RZLnFEgZjiGB8cks4MukmoJTiedms7XP3GCYBwz3vYInLJoSmMClV2+6N1mYeOJ/mvfNvUbaHkXXlqY05w1QgE8QVzENQEyhEAe3lHUgQhjPximpyVdb+oLIgW78pcYFNUnQgNjACvcEN4DgTNPnyoczErTV/noJGAVI5BmpaWY3IV92MBSt6czZYruny6iUROap1zVBVyh9dgEEfO5Y6YKPu9kYTJcXdmRVhdxh7j4CdCnNxzgmFDjyOHj1jAE7KaK0HcfLyVay+d339pM4m5E7NZrNOx7eJeFv8DgQeZRyoRXL22RvRf5LvGYoWqCIO4Uln8XDwHXxHlw==</SignatureValue>
  <KeyInfo>
  <X509Data>
   <X509Certificate>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</X509Certificate>
  </X509Data>
  </KeyInfo>
</Signature>
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0" ID="_16bd577e-6740-4e86-891a-2d06bbc409b5" IssueInstant="2020-05-25T01:38:24.511Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://ExampleIdentityProvider</saml:Issuer>
  <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData NotOnOrAfter="2020-05-25T01:41:24.512Z" Recipient="https://localhost:44338/SAML/AssertionConsumerService.aspx" InResponseTo="_84e0406f-f52f-4c3e-a56c-9fb2a7b7afa8" />
  </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-05-25T01:35:24.511Z" NotOnOrAfter="2020-05-25T01:41:24.511Z">
  <saml:AudienceRestriction>
   <saml:Audience>https://ExampleServiceProvider</saml:Audience>
  </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2020-05-25T01:38:24.513Z" SessionIndex="_16bd577e-6740-4e86-891a-2d06bbc409b5">
  <saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
  <saml:Attribute Name="Email">
   <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">[email protected]</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="GivenName">
   <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Test</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="FamilyName">
   <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">User</saml:AttributeValue>
  </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

A signer signs with their private key and the verifier verifies with the signer’s public key. For example, the IdP signs the SAML response using the IdP’s private key. The SP verifies the SAML response signature using the IdP’s public key or certificate.



Regards
ComponentSpace Development
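The sign-and-verify round trip described in this post, as an added example that is not part of the original post or of the ComponentSpace library. It builds a small SAML Response, signs it with an enveloped signature laid out like the one above (exclusive C14N, rsa-sha256, the enveloped-signature transform, a Reference URI naming the Response ID), and then verifies it the way an SP should. Three things are assumptions so that it runs offline with only the Python standard library: the RSA key is a throwaway built from two Mersenne primes rather than a real IdP certificate, the standard library's Canonical XML 2.0 writer stands in for exclusive C14N 1.0, and the issuer, IDs and subject in the sample Response are made up. The security-relevant checks live in verify_response: the algorithms are pinned to an allowlist, the Reference URI must resolve to exactly one element and that element must be the one enclosing the Signature (this rejects XML signature wrapping, which the signature_wrapping function builds), the public key comes from the SP's own configuration rather than from KeyInfo, and the subject is read only from the element that verified.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DS, SAMLP, SAML = ("http://www.w3.org/2000/09/xmldsig#",
                   "urn:oasis:names:tc:SAML:2.0:protocol",
                   "urn:oasis:names:tc:SAML:2.0:assertion")
for prefix, uri in (("ds", DS), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)
C14N_ALG = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
tag = lambda local: f"{{{DS}}}{local}"
# Toy RSA key from two Mersenne primes so no crypto library is needed. It is trivially
# factorable (an assumption for the example); it only shows which side holds which key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                                  # modulus length in bytes
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo
def emsa_pkcs1_v15(data):
    t = DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
def rsa_sign(data):         # IdP side: uses the private exponent D
    return pow(int.from_bytes(emsa_pkcs1_v15(data), "big"), D, N).to_bytes(K, "big")
def rsa_verify(data, sig):  # SP side: uses (N, E) from its own configuration, not from KeyInfo
    s = int.from_bytes(sig, "big")
    return (len(sig) == K and s < N and
            hmac.compare_digest(pow(s, E, N).to_bytes(K, "big"), emsa_pkcs1_v15(data)))
def c14n(elem):
    # Assumption: the stdlib Canonical XML 2.0 writer stands in for exclusive C14N 1.0;
    # a real verifier must implement exactly the algorithm that SignedInfo names.
    e = copy.deepcopy(elem); e.tail = None
    return ET.canonicalize(ET.tostring(e, encoding="unicode")).encode()

def sign_response(xml):     # IdP side: enveloped ds:Signature covering the whole Response
    root = ET.fromstring(xml)
    digest = base64.b64encode(hashlib.sha256(c14n(root)).digest()).decode()
    sig = ET.Element(tag("Signature"))
    si = ET.SubElement(sig, tag("SignedInfo"))
    ET.SubElement(si, tag("CanonicalizationMethod"), Algorithm=C14N_ALG)
    ET.SubElement(si, tag("SignatureMethod"), Algorithm=RSA_SHA256)
    ref = ET.SubElement(si, tag("Reference"), URI="#" + root.get("ID"))
    transforms = ET.SubElement(ref, tag("Transforms"))
    for alg in (ENVELOPED, C14N_ALG):
        ET.SubElement(transforms, tag("Transform"), Algorithm=alg)
    ET.SubElement(ref, tag("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, tag("DigestValue")).text = digest
    ET.SubElement(sig, tag("SignatureValue")).text = base64.b64encode(rsa_sign(c14n(si))).decode()
    root.insert(1, sig)     # Signature directly follows Issuer, as the SAML schema requires
    return ET.tostring(root, encoding="unicode")

def verify_response(xml):   # SP side: return the Response whose signature verified, else raise
    root = ET.fromstring(xml)
    sigs = list(root.iter(tag("Signature")))
    if len(sigs) != 1 or sigs[0] not in list(root):
        raise ValueError("expect exactly one Signature, enveloped directly in the Response")
    si = sigs[0].find(tag("SignedInfo")); refs = si.findall(tag("Reference"))
    algs = (si.find(tag("CanonicalizationMethod")).get("Algorithm"),
            si.find(tag("SignatureMethod")).get("Algorithm"),
            [r.find(tag("DigestMethod")).get("Algorithm") for r in refs],
            [t.get("Algorithm") for t in si.iter(tag("Transform"))])
    if algs != (C14N_ALG, RSA_SHA256, [SHA256], [ENVELOPED, C14N_ALG]):
        raise ValueError("algorithms or Reference layout outside the allowlist")
    # The Reference must name the element enclosing the Signature. Resolving "#id" anywhere
    # in the document is exactly what XML signature wrapping exploits.
    uri = refs[0].get("URI", "")
    hits = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if not uri.startswith("#") or len(hits) != 1 or hits[0] is not root:
        raise ValueError("Reference does not point at the enveloping element")
    if not rsa_verify(c14n(si), base64.b64decode(sigs[0].findtext(tag("SignatureValue")))):
        raise ValueError("SignatureValue does not verify under the IdP key")
    body = copy.deepcopy(root); body.remove(body.find(tag("Signature")))  # enveloped transform
    want = base64.b64decode(refs[0].findtext(tag("DigestValue")))
    if not hmac.compare_digest(hashlib.sha256(c14n(body)).digest(), want):
        raise ValueError("DigestValue mismatch: the signed content was modified")
    return root
def is_valid(xml):
    try: return verify_response(xml) is not None
    except Exception: return False    # fail closed on anything malformed
def authenticated_subject(xml):       # consume the NameID only from the element that verified
    return verify_response(xml).findtext(f".//{{{SAML}}}NameID")

def signature_wrapping(signed_xml, forged_subject):
    """Attacker: keep the signed Response intact but move its Signature to a forged outer one."""
    inner = ET.fromstring(signed_xml)
    sig = inner.find(tag("Signature")); inner.remove(sig)
    outer = copy.deepcopy(inner); outer.set("ID", "_forged")
    outer.find(f".//{{{SAML}}}NameID").text = forged_subject
    outer.insert(1, sig)
    ET.SubElement(outer, f"{{{SAMLP}}}Extensions").append(inner)  # the Reference still resolves
    return ET.tostring(outer, encoding="unicode")

# Constructed sample (issuer, IDs and subject are made up), kept free of whitespace.
UNSIGNED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp" Version="2.0">'
    '<saml:Issuer>https://idp.example</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_assn" Version="2.0"><saml:Subject><saml:NameID>testuser</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>')
SIGNED_RESPONSE = sign_response(UNSIGNED_RESPONSE)
```

authenticated_subject(SIGNED_RESPONSE) returns "testuser"; a tampered NameID fails the digest check, the wrapped document fails the enveloping-element check, and inserting line breaks between elements fails too, because canonicalization preserves whitespace text nodes and the SignedInfo and Response digests both change. That last point is why a signed sample that has been pretty-printed for display, like the one in this thread, can no longer be verified as posted. The hand-rolled RSA is only there to keep the block dependency-free; in .NET or any other runtime use the platform's XML-DSig implementation, but keep the structural checks in verify_response in front of it, since the cryptographic library verifies whatever the Reference points at and has no idea which element the application will go on to consume.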
ehp77
Group: Forum Members
Posts: 1, Visits: 10
ComponentSpace - 2/20/2014

XML signatures may be used to sign SAML messages, assertions and metadata. For example, a SAML response containing a SAML assertion may be signed. Alternatively, just the SAML assertion may be signed.

An XML signature is contained within a <Signature> element within the http://www.w3.org/2000/09/xmldsig# namespace.

An XML signature ensures any changes to the signed XML may be detected and it identifies who signed the XML.

For example, when an SP receives a signed SAML response from an IdP, if the signature verification performed by the SP is successful, then the SP is assured that the SAML response came from the IdP and that it hasn’t been modified after signing. Therefore, having previously established a trust relationship with the IdP, the SP can safely consume the SAML response sent by the IdP.

The following is an example of a signed SAML response.

https://www.componentspace.com/forums/uploads/images/5dcf1155-d713-41b2-9f31-5f98.png

A signer signs with their private key and the verifier verifies with the signer’s public key. For example, the IdP signs the SAML response using the IdP’s private key. The SP verifies the SAML response signature using the IdP’s public key or certificate.


Hello, the sample file is no longer present, can you repost it? Thanks.
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
The post has been updated with an example of a signed SAML response. Note that this XML has been formatted for display purposes which has invalidated the signature. 

Regards
ComponentSpace Development