BTW, did you submit the trusted IdP X509 certificate to the samltool? https://www.samltool.com/validate_response.php
You also probably want to put KeyInfo with the X509 cert (or the full certs chain) for the private key used for signing into the signature itself.

Best,
Aleksey

> On Jul 2, 2022, at 8:43 PM, Aleksey Sanin <[email protected]> wrote:
>
> What error(s) do you get from these tools?
>
> Aleksey
>
>> On Jul 2, 2022, at 7:22 PM, Yoann Gini <[email protected]> wrote:
>>
>> Hello,
>>
>> I'm currently evaluating available libraries to handle SAML signatures (IDP
>> side, having to sign, others will verify).
>>
>> So far I'm doing basic testing with the xmlsec command line in the following way:
>>
>> xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID
>> "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml
>>
>> Which seems to work. And which xmlsec validates using the following
>> command:
>>
>> xmlsec1 --verify --id-attr:ID
>> "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem
>> signed.xml
>>
>> However, when I use online tools to confirm the whole SAML thing, I get a
>> signature error. Both samltool.com and samltest.id fail to validate the
>> signature.
>>
>> The signed SAML Response is available here https://pastebin.com/MgQtpHRJ
>>
>> The public key used for signing is:
>> -----BEGIN PUBLIC KEY-----
>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3MHc5AwDkhMjlfXjxDmc
>> C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un
>> +a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR
>> JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO
>> QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV
>> zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD
>> BwIDAQAB
>> -----END PUBLIC KEY-----
>>
>> If you test with samltool, you will need
>> — IDP Entity ID: http://127.0.0.1:8080/saml/sso
>> — SP Entity ID: https://samltest.id/saml/sp
>> — SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
>> — Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST
>>
>> My question is about the difference between a "normal" XML Signature and a signature
>> in the context of SAML.
>>
>> Can someone on this list tell me if there are some specificities in the
>> signature of SAML that I've missed?
>>
>> Considering the sample content, if someone knowledgeable in SAML signed
>> responses has the time, is there an obvious mistake here?
>>
>> Best regards,
>> Yoann Gini
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
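The thread asks what is "specific" about a SAML signature compared with a generic XML Signature. The answer lives in SAML 2.0 Core section 5.4: the signature must be enveloped, ds:Signature must sit directly after saml:Issuer, the single ds:Reference must point at the root element's ID attribute, only the enveloped-signature and exclusive-C14N transforms are allowed, and (as Aleksey recommends above) ds:KeyInfo should carry the signing X509 certificate so the SP can match it against IdP metadata. `xmlsec1 --verify` checks the cryptography but not these layout rules, which is why a response can pass xmlsec1 and still fail at samltool.com or samltest.id. The following is an added example, not code from the xmlsec project or from anyone on the thread: a standard-library Python lint for those layout rules, run over a constructed sample response (the digest, signature value and certificate are placeholders, since the point is structure, not cryptographic verification).

```python
"""Layout lint for SAML 2.0 signed messages (SAML 2.0 Core, section 5.4).

Added example for the discussion above; not xmlsec code. It does NOT verify
the signature value (use `xmlsec1 --verify` for that); it checks the
SAML-specific structure rules that a generic XML-DSig verifier ignores.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = ("http://www.w3.org/2001/10/xml-exc-c14n#",
            "http://www.w3.org/2001/10/xml-exc-c14n#WithComments")


def check_saml_signature_layout(xml_text: str) -> list:
    """Return a list of findings; an empty list means the SAML layout rules are met."""
    findings = []
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature child on the root element (enveloped signature required)"]

    # Rule: ds:Signature must appear directly after saml:Issuer.
    children = list(root)
    idx = children.index(sig)
    if idx == 0 or children[idx - 1].tag != f"{{{SAML}}}Issuer":
        findings.append("ds:Signature must appear directly after saml:Issuer")

    # Rule: exactly one ds:Reference, and its URI must be '#' + the root's ID attribute.
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        findings.append(f"expected exactly one ds:Reference, found {len(refs)}")
    else:
        uri = refs[0].get("URI", "")
        if uri != "#" + root.get("ID", ""):
            findings.append(f'ds:Reference URI {uri!r} does not match ID="{root.get("ID")}"')
        # Rule: only enveloped-signature and exclusive C14N transforms are permitted.
        algs = [t.get("Algorithm") for t in refs[0].iter(f"{{{DS}}}Transform")]
        if ENVELOPED not in algs:
            findings.append("enveloped-signature transform missing")
        extra = [a for a in algs if a != ENVELOPED and a not in EXC_C14N]
        if extra:
            findings.append(f"disallowed transforms: {extra}")

    # Rule: SignedInfo must be canonicalized with exclusive C14N.
    c14n = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}CanonicalizationMethod")
    if c14n is None or c14n.get("Algorithm") not in EXC_C14N:
        findings.append("CanonicalizationMethod must be exclusive C14N")

    # Recommendation from the thread: carry the signing certificate in KeyInfo so the
    # verifier can match it against the certificate published in IdP metadata.
    if sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate") is None:
        findings.append("ds:KeyInfo/X509Data/X509Certificate missing")
    return findings


# Constructed sample response (placeholders instead of real digest/signature/cert).
KEYINFO = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER"
           "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
GOOD = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_abc123" Version="2.0">
  <saml:Issuer>http://127.0.0.1:8080/saml/sso</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N[0]}"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_abc123">
        <ds:Transforms>
          <ds:Transform Algorithm="{ENVELOPED}"/>
          <ds:Transform Algorithm="{EXC_C14N[0]}"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    {KEYINFO}
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Same document with two of the usual mistakes: an empty Reference URI and no KeyInfo.
BAD = GOOD.replace('URI="#_abc123"', 'URI=""').replace(KEYINFO, "")

if __name__ == "__main__":
    print("good:", check_saml_signature_layout(GOOD))
    print("bad: ", check_saml_signature_layout(BAD))
```

Run this over the output of `xmlsec1 --sign` before submitting it to an online validator; each finding names a rule the SP side will reject on, independently of whether the signature value is cryptographically correct. Note that xmlsec1 only emits a ds:X509Certificate in KeyInfo if the signature template contains an empty ds:X509Data element and the certificate is supplied alongside the key.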
