Hi,

The SAML Response does not include a key type or KeyInfo in the document. I tested against Perl's XML::Sig and that was the result. It is likely possible to validate if I had the public certificate in PEM format (not the public key itself).

https://www.samltool.com/validate_response.php requires the public certificate to validate against.

Tim

Timothy Legge
[email protected]
[email protected]

On Sat, Jul 2, 2022 at 8:23 PM Yoann Gini <[email protected]> wrote:
>
> Hello,
>
> I'm currently evaluating available libraries to handle SAML signatures (IDP
> side, having to sign, others will verify).
>
> So far I'm doing basic testing with the xmlsec command line in the following way:
>
> xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml
>
> Which seems to work. And which is validated by xmlsec using the following
> command:
>
> xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml
>
> However, when I use online tools to confirm the whole SAML thing, I get a
> signature error. Both samltool.com and samltest.id fail to validate the
> signature.
>
> The signed SAML Response is available here: https://pastebin.com/MgQtpHRJ
>
> The public key used for signing is:
> -----BEGIN PUBLIC KEY-----
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3MHc5AwDkhMjlfXjxDmc
> C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un
> +a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR
> JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO
> QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV
> zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD
> BwIDAQAB
> -----END PUBLIC KEY-----
>
> If you test with samltool, you will need:
> — IDP Entity ID: http://127.0.0.1:8080/saml/sso
> — SP Entity ID: https://samltest.id/saml/sp
> — SP ACS: https://samltest.id/Shibboleth.sso/SAML2/POST
> — Target URL: https://samltest.id/Shibboleth.sso/SAML2/POST
>
> My question is about the difference between a "normal" XML Signature and a signature
> in the context of SAML.
>
> Can someone on this list tell me if there are some specificities in the
> signature of SAML that I've missed?
>
> Considering the sample content, if someone knowledgeable in SAML signed
> responses has the time, is there an obvious mistake here?
>
> Best regards,
> Yoann Gini
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
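As an added check, not code from this thread, from xmlsec or from XML::Sig, here is a stdlib-only Python inspection of a SAML Response's enveloped signature that reports the two things the tools above stumble on: whether the ds:Reference URI points at the Response's own ID attribute (what --id-attr:ID makes addressable), and whether the signature carries a ds:KeyInfo with an X509Certificate for validators such as samltool.com or XML::Sig to pick up. The two Response documents, their ID value and the certificate text are constructed samples.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"ds": DS, "samlp": SAMLP}

def inspect_saml_signature(xml_text: str) -> dict:
    """Report what the enveloped ds:Signature of a samlp:Response offers a verifier (no verification here)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root element is not samlp:Response")
    sig = root.find("ds:Signature", NS)  # an enveloped signature is a direct child
    if sig is None:
        return {"signed": False}
    response_id = root.get("ID", "")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    ref_uri = ref.get("URI", "") if ref is not None else ""
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "signed": True,
        # --id-attr:ID tells xmlsec1 that "#<ID>" resolves to this element; the
        # Reference URI must carry exactly that value for the digest to cover it.
        "reference_matches_id": bool(response_id) and ref_uri == "#" + response_id,
        # XML::Sig and samltool.com look here for the signer's certificate.
        "has_keyinfo": sig.find("ds:KeyInfo", NS) is not None,
        "has_x509_certificate": cert is not None and bool((cert.text or "").strip()),
    }

# Constructed sample shaped like the Response in the thread: signed, Reference
# pointing at the Response ID, but no ds:KeyInfo at all.
NO_KEYINFO = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_abc123"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

# Same document with a KeyInfo carrying a (placeholder) X.509 certificate.
WITH_CERT = NO_KEYINFO.replace(
    "</ds:SignatureValue>",
    "</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    "PLACEHOLDER-BASE64-DER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>",
)

if __name__ == "__main__":
    for name, doc in (("no KeyInfo", NO_KEYINFO), ("with cert", WITH_CERT)):
        print(name, inspect_saml_signature(doc))
```

A signature that passes xmlsec1 --verify with --pubkey-pem but shows has_keyinfo False is exactly the case in this thread: the signature is fine, but an online validator has nothing in the document to identify the signer and needs the certificate supplied separately.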
