Validating SAML signatures
Max Spicer
max.spicer at york.ac.uk
Mon Nov 29 15:10:22 UTC 2021
Thanks, both. That wiki page was very helpful and with a bit of
experimentation I was able to verify the AuthnRequest signature with the
following command:
xmlsec1 --verify --pubkey-cert-pem old.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest authnrequest.xml
Satisfyingly, and as expected, verification fails using the key contained
in their metadata.
I'm sadly aware that this is likely a waste of time. Nevertheless, I can
now make one last attempt to explain the issue to the SP in a way that they
can verify themselves. After that, I shall simply ignore their request to
update their metadata and/or configure the IdP to ignore their signed authn
requests.
Cheers,
Max
On Mon, 29 Nov 2021 at 13:51, Peter Schober <peter.schober at univie.ac.at>
wrote:
> * Max Spicer via users <users at shibboleth.net> [2021-11-29 14:17]:
> > I have verified that our IdP successfully validates the signature in the
> > authn requests when it has the correct key, and fails when given the
> > "new" key. Can anyone recommend a tool / process to reproduce these results
> > outside of the IdP?
>
> FWIW, this wiki page documents a few tools to validate signatures with:
>
> https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645443/MetadataCorrectness#MetadataCorrectness-SignatureVerification
>
> -peter
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
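The check Max describes (the signature on the AuthnRequest verifies with the old certificate but not with the one in the SP's current metadata) can be made repeatable outside the IdP. The script below is an added example, not code from the thread or from the Shibboleth project: it extracts every signing certificate from a metadata file, fingerprints it, compares it with the certificate the request itself carries in ds:KeyInfo (when the POST binding includes one), and, if xmlsec1 is installed, runs the same xmlsec1 command quoted above against each candidate certificate. The file names, the sample metadata, the sample request and the base64 "certificates" (plain constructed bytes, not real DER) are all assumptions made for illustration.

```python
"""Cross-check which certificate actually verifies a signed SAML AuthnRequest.

Added example (not from the thread): given an SP's SAML metadata and a signed
AuthnRequest, extract every signing certificate from the metadata, fingerprint
it, compare it with the certificate embedded in the request's ds:KeyInfo (if
any), and optionally run the xmlsec1 command from the thread against each
candidate. All sample data below is constructed.
"""
import base64
import hashlib
import os
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# xmlsec1 --id-attr value: <namespace-uri>:<element-name>, as in the thread.
AUTHN_REQUEST_QNAME = "urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest"

# Constructed stand-ins for DER certificates (the fingerprint logic only
# needs bytes; real metadata would carry genuine base64 DER here).
CERT_OLD = base64.b64encode(b"constructed: key the SP really signs with").decode()
CERT_NEW = base64.b64encode(b"constructed: key published in new metadata").decode()
CERT_ENC = base64.b64encode(b"constructed: encryption-only key").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://sp.example.org/constructed">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_NEW}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_ENC}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:ds="{NS['ds']}" ID="_constructed1" Version="2.0"
    IssueInstant="2021-11-29T14:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_OLD}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 hex digest over the decoded (DER) bytes of a base64 certificate."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def metadata_signing_certs(metadata_xml: str) -> List[str]:
    """Base64 certs from KeyDescriptors usable for signing.

    A KeyDescriptor without a 'use' attribute covers signing and encryption,
    so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))
    return certs


def request_keyinfo_cert(request_xml: str) -> Optional[str]:
    """Cert embedded in the request's own ds:KeyInfo, or None if absent."""
    root = ET.fromstring(request_xml)
    c = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return "".join(c.text.split()) if c is not None and c.text else None


def keyinfo_matches_metadata(request_xml: str, metadata_xml: str) -> Optional[bool]:
    """True/False if the request carries a cert; None if there is none to compare."""
    embedded = request_keyinfo_cert(request_xml)
    if embedded is None:
        return None
    return fingerprint(embedded) in {fingerprint(c) for c in metadata_signing_certs(metadata_xml)}


def xmlsec1_verify(cert_b64: str, request_path: str) -> bool:
    """Run the thread's xmlsec1 command with one candidate cert; True on success."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(pem)
    try:
        cmd = ["xmlsec1", "--verify", "--pubkey-cert-pem", f.name,
               "--id-attr:ID", AUTHN_REQUEST_QNAME, request_path]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    # Fingerprint comparison works offline on the constructed sample data.
    print("KeyInfo cert listed as signing key in metadata:",
          keyinfo_matches_metadata(SAMPLE_REQUEST, SAMPLE_METADATA))
    # Assumed local files; the xmlsec1 step only runs when the tool is present.
    if shutil.which("xmlsec1") and os.path.exists("authnrequest.xml"):
        for cert in metadata_signing_certs(SAMPLE_METADATA):
            print(fingerprint(cert)[:16], "verifies:", xmlsec1_verify(cert, "authnrequest.xml"))
```

The fingerprint comparison is only evidence, not proof: a request signed via the redirect binding carries no KeyInfo at all, and a POST-bound one may embed any certificate it likes, so the xmlsec1 run against the metadata's certificate is the step that actually settles which key signed the request.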