IDP signs the SAML Assertion
Ryan Suarez
ryan.suarez at sheridancollege.ca
Tue Jun 9 20:32:29 UTC 2020
On Tue, 2020-06-09 at 16:05 -0400, Lohr, Donald wrote:
Are you able to go into your identity provider, go to the service provider configuration, and ensure that the IDP signs the SAML Assertion?
How can I actually prove this or not prove it?
Install saml-tracer for Chrome or Firefox and inspect the SAML assertion. I believe you're looking for the following tags:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_5419d3961658e78b631941fcfacc9926">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>4...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
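As an added example (not part of the post above, and not Shibboleth project code), the following Python script performs the same check programmatically on a SAML Response captured with saml-tracer: it reports whether each Assertion carries its own enveloped ds:Signature and whether that signature's ds:Reference URI points at the assertion's own ID rather than only at the outer Response. SAMPLE_RESPONSE is a constructed sample with the digest and signature values elided; the element names and namespaces are the standard SAML 2.0 and XML-DSig ones.

```python
# Added example: report per-Assertion signature status in a SAML Response.
# Standard library only; SAMPLE_RESPONSE is constructed, not a real capture.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_5419d3961658e78b631941fcfacc9926">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_5419d3961658e78b631941fcfacc9926">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>ELIDED</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ELIDED</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
  <saml:Assertion ID="_unsigned2"/>
</samlp:Response>"""


def assertion_signatures(response_xml):
    """Map each Assertion ID to None (no enveloped signature) or a dict
    describing its algorithms and whether the Reference covers that ID."""
    root = ET.fromstring(response_xml)
    report = {}
    for assertion in root.iter("{%s}Assertion" % NS["saml"]):
        aid = assertion.get("ID")
        sig = assertion.find("ds:Signature", NS)  # direct child of the Assertion only
        if sig is None:
            report[aid] = None  # signed Response alone does not sign this assertion
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        report[aid] = {
            "signature_alg": sig_method.get("Algorithm") if sig_method is not None else None,
            "digest_alg": ref.find("ds:DigestMethod", NS).get("Algorithm") if ref is not None else None,
            "reference_uri": ref.get("URI") if ref is not None else None,
            # The Reference must point at this very assertion's ID.
            "covers_this_assertion": ref is not None and ref.get("URI") == "#" + aid,
        }
    return report


if __name__ == "__main__":
    for aid, info in assertion_signatures(SAMPLE_RESPONSE).items():
        print(aid, "->", "UNSIGNED" if info is None else info)
```

If the IdP encrypts assertions, saml-tracer shows a saml:EncryptedAssertion instead and this check has to be run on the decrypted assertion; a signature on the outer samlp:Response alone is also not the same as a signed Assertion.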