Hello,

I'm currently evaluating available libraries to handle SAML signatures (IDP side,
having to sign; others will verify).

So far I'm doing basic testing with xmlsec command line in the following way:

xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml

Which seems to work. And which is validated by xmlsec using the following command:

xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml

However, when I use online tools to confirm the whole SAML thing, I get a
signature error. Both samltool.com <http://samltool.com/> and samltest.id
<http://samltest.id/> fail to validate the signature.

The signed SAML Response is available here: https://pastebin.com/MgQtpHRJ

The public key used for signing is:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3MHc5AwDkhMjlfXjxDmc
C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un
+a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR
JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO
QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV
zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD
BwIDAQAB
-----END PUBLIC KEY-----

If you test with samltool, you will need:
— IDP Entity ID: http://127.0.0.1:8080/saml/sso
— SP Entity ID: https://samltest.id/saml/sp
— SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
— Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST

My question is about the difference between a "normal" XML Signature and a signature in
the context of SAML.

Can someone on this list tell me if there are some specifics of SAML
signatures that I've missed?

Considering the sample content, if someone knowledgeable in signed SAML
responses has the time, is there an obvious mistake here?

Best regards,
Yoann Gini
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
