Validating SAML signatures

Max Spicer max.spicer at
Mon Nov 29 15:10:22 UTC 2021

Thanks, both. That wiki page was very helpful and with a bit of
experimentation I was able to verify the AuthnRequest signature with the
following command:

xmlsec1 --verify --pubkey-cert-pem old.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest authnrequest.xml

Satisfyingly, and as expected, verification fails using the key contained
in their metadata.

I'm sadly aware that this is likely a waste of time. Nevertheless, I can
now make one last attempt to explain the issue to the SP in a way that they
can verify themselves. After that, I shall simply ignore their request to
update their metadata and/or configure the IdP to ignore their signed authn
On Mon, 29 Nov 2021 at 13:51, Peter Schober <peter.schober at>

> * Max Spicer via users <users at> [2021-11-29 14:17]:
> > I have verified that our IdP successfully validates the signature in the
> > authn requests when it has the correct key, and fails when given the
> > "new" key. Can anyone recommend a tool / process to reproduce these
> > results outside of the IdP?
> FWIW, this wiki page documents a few tools to validate signatures with:
> -peter
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
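The mismatch Max describes (the key in the SP's metadata does not verify the requests, while an older certificate does) can be demonstrated to an SP operator without re-running xmlsec1, by comparing certificate fingerprints. The script below is an added example, not code from the thread or from any Shibboleth tool. It extracts every signing-capable X509Certificate from an SP's SAML metadata, fingerprints it with SHA-256, and reports whether the PEM certificate that actually verifies the signature (old.pem in the thread) is among them. The metadata document, the entityID, and the two "certificates" inside it are constructed placeholders (arbitrary bytes, not real DER) so that the script runs offline; it does not verify the XML signature itself, which remains xmlsec1's job.

```python
"""Added diagnostic: does the certificate that actually verifies an SP's signed
AuthnRequests appear among the signing certificates in that SP's SAML metadata?

Standard library only.  This does NOT verify the XML signature (xmlsec1 does
that); it only compares certificate fingerprints, which is the simplest thing
to hand an SP operator who believes their published metadata is correct.
"""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes as colon-separated upper-case hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block found in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64 lines)."""
    body = textwrap.fill(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def metadata_signing_certs(metadata_xml: str) -> list:
    """Return (use, fingerprint) for each X509Certificate in a KeyDescriptor that
    may be used for signing.  Per the SAML metadata spec a KeyDescriptor with no
    'use' attribute is valid for both signing and encryption, so it is kept;
    use="encryption" is skipped.  Whitespace inside the base64 is tolerated."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use", "signing+encryption")
        if use == "encryption":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            certs.append((use, fingerprint(der)))
    return certs


def signing_key_matches_metadata(metadata_xml: str, pem: str) -> bool:
    """True if the PEM certificate is one of the SP's published signing certs."""
    actual = fingerprint(pem_to_der(pem))
    return any(actual == published for _, published in metadata_signing_certs(metadata_xml))


# Constructed sample data (NOT real certificates): arbitrary bytes standing in
# for the DER encodings of the "new" cert the SP put in metadata and the "old"
# cert that still signs its requests.  Replace with real inputs in practice.
NEW_DER = b"constructed placeholder for the NEW certificate published in metadata"
OLD_DER = b"constructed placeholder for the OLD certificate still signing requests"
NEW_PEM = der_to_pem(NEW_DER)
OLD_PEM = der_to_pem(OLD_DER)  # plays the role of old.pem from the thread

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(NEW_DER).decode("ascii")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(NEW_DER).decode("ascii")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def diagnose(metadata_xml: str = SP_METADATA, pem: str = OLD_PEM) -> dict:
    """Summarise published signing certs vs. the cert that really verifies."""
    return {
        "published_signing_certs": metadata_signing_certs(metadata_xml),
        "actual_signer": fingerprint(pem_to_der(pem)),
        "match": signing_key_matches_metadata(metadata_xml, pem),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

In a real run, load the SP's metadata file into `metadata_xml` and pass the contents of old.pem as `pem`; a `match` of False alongside a successful xmlsec1 verification is exactly the evidence that the SP's metadata carries a key its software is not using. Encryption-only KeyDescriptors are deliberately ignored, since a key published only for encryption is never expected to verify a request signature.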
