I got a SAML Response from ADFS through HTTP-Redirect, and I am receiving the following request parameters on the redirect:
SAMLResponse=urlencode(base64.encode(deflate(data)))&signature=signdata&sigAlg=sha256
I am able to decrypt the data and read the claims, but I can't verify the signature.
Can someone explain to me the steps for verifying the signature against the SAML response?
If it is in Python, that would be great.
SigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
Signature = gwTQM9St1EnHg0CC0aEuKTHWf8tJvyHcMTHchpymMmPJuV2l/hkmS57phozphajxHZzOW4ynx/dlJWXLvIEqziRLtCoiWRH1/pzpcJsBC2Mm9RH/WrWHhITIedjS4SMiVdi9Ud6ibHO+5n7eB05cBlhhMMvtMrUPrDo2C4itF2/TBSz8YGNWOTrAGu/6WEwBPzPxpu+P1yyUL4lDcFtWN1O4PL357xgSVo5q8vV8cQoOc6UeKRzznQEQOoU9kchKI8DhDwxu/VPZRrDXLiRe07yDO+XMIiDNluBZ9UThJHGsAEcTWaiJBzxUiXtzutIOj+0UNr8aD65Yzk0eQ3PIIQ==
SAMLResponse=pVJNb8IwDP0rVe5pmrQUiEqlCS5I22UgDrtMIXVGtDbp6nTaz18/xqRx4LJbnu1nv2enQNXUrXwGbL1DiPa7DXnV+mwWaX6mKhcpzfJc0VWeZ3TFU7OEM+RZdibRCTq03m2IiBMS7RF72DsMyoUhlAhOkzUV66NIpMhkmsQZX76QaAcYrFNhYl5CaFEy1uh3gLixrqr9m9Wxalum+nBhI3Qk2o7axr5956RXaFE61QDKoOXh4elRDhKknotk77AFbY2FapDlrtaOfkOammtuTEp5rgXl3GjKjVhQvhScVzzjXACJvpraoZwWc39i2/ngta9JWUz2u5l6n6QQoRvtk3K0P7o3WlUGrQvx8Iy179p43oj2DRtTbKB8Wg3IQtdjKNg8rizm6x2CCj3+RVtfQXRSdQ/35eBU/fMBKujIP9t89MOBd+Cm7bOyYLfdbkK/8Hqn8hs=&Signature =kJvFbnKgsY+qCGvG/WI0S0vmNJoRtaKWllzMDuXiD+0qlWM4V/ZETRPlBrpm6NWmvdrr4PsxavHv7H6PmQkZDyeGYw9MxrwnJI0dCVtLWsZENQxU8BX2hpPxTv4DGi7Ax4Gz0J+sZiEwbXi8r0OWp36JbK+U0WPklm02CQXxvKQ7AzsdfSHQIRdq8dVrVAkL6ZzGVICpx9xd5Vfsu3ZsjsfTE/8JJ1ON47P94UVndQODI/t+HCSEDD67zWgQRIh2Brk5WWMFG4sEyIR/tirq8JKqZ2RvJIHzvQkWQTjX8eH3oxI3AHviohOrQc1sYIuUhEh1nY01X/cAOgeL1JXSaA==&SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
The easiest answer is to use https://github.com/onelogin/python-saml and simply call the appropriate function. That being said the basic steps are:
These should be the original un-decoded URI parameters (exactly as they were sent), separated by &. For example:
signed = SAMLResponse=babkabdabd&RelayState=/main&SigAlg=http...rsa-sha1
sig = base64decode(Signature)
Then, depending on the SigAlg, you need to verify the Signature against the signed data for that algorithm (rsa-sha1 for instance):
This Perl function is reasonably easy to read to see the steps:
https://github.com/perl-net-saml2/perl-Net-SAML2/blob/26c53c1241caf86afc15d33d506c0ab573704fee/lib/Net/SAML2/Binding/Redirect.pm#L170
I could not quickly find the same for the Python library.
You should know, however, that while you can use HTTP-Redirect, in practice the assertion is normally too large to fit in the URI, so it is often done via an HTTP-POST.
Tim
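The steps in the answer above, carried out in Python as an added example (this is not the asker's code, not python-saml, and not the Perl function linked above). It assumes the third-party `cryptography` package is installed, and it generates its own RSA key pair and constructs its own query string so that it runs offline; the verifier on a real SP would instead load the IdP's public key from the federation metadata. The part the answer stresses is reproduced here: the signed string is rebuilt from the values exactly as they appeared in the query string, in the order SAMLResponse, RelayState (if present), SigAlg, without percent-decoding and re-encoding them, and the SigAlg is checked against a fixed allow-list rather than trusted as sent.

```python
"""Verify a SAML HTTP-Redirect binding signature (RSA-SHA1 / RSA-SHA256).

Added example, not the original post's code. Assumes the `cryptography`
package; the key pair and the query string are constructed inline.
"""
import base64
import zlib
from urllib.parse import quote, unquote

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# SigAlg URI -> hash class. Anything not listed is rejected, never guessed.
SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": hashes.SHA1,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": hashes.SHA256,
}


def split_raw_query(query: str) -> dict:
    """Split the query string WITHOUT percent-decoding the values.

    The IdP signed the encoded form; decoding and re-encoding may not give
    the same bytes ('+' vs '%20', upper- vs lower-case hex), so keep them raw.
    """
    raw = {}
    for pair in query.lstrip("?").split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        raw[unquote(key)] = value
    return raw


def signed_string(raw: dict) -> bytes:
    """Rebuild what the IdP signed: SAMLResponse[&RelayState]&SigAlg, in that order."""
    if "SAMLResponse" not in raw or "SigAlg" not in raw:
        raise ValueError("SAMLResponse and SigAlg are both required")
    parts = ["SAMLResponse=" + raw["SAMLResponse"]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    parts.append("SigAlg=" + raw["SigAlg"])
    return "&".join(parts).encode("ascii")


def verify_redirect_signature(query: str, idp_public_key) -> bool:
    """Return True only if Signature is valid for the signed string under SigAlg."""
    raw = split_raw_query(query)
    if "Signature" not in raw:
        return False
    hash_cls = SIG_ALGS.get(unquote(raw["SigAlg"]))
    if hash_cls is None:
        return False
    signature = base64.b64decode(unquote(raw["Signature"]))
    try:
        idp_public_key.verify(signature, signed_string(raw), padding.PKCS1v15(), hash_cls())
        return True
    except InvalidSignature:
        return False


def build_signed_query(private_key, saml_response_b64: str, relay_state, sig_alg: str) -> str:
    """Mimic the IdP side so the example can run offline (constructed data)."""
    raw = {"SAMLResponse": quote(saml_response_b64, safe=""), "SigAlg": quote(sig_alg, safe="")}
    if relay_state is not None:
        raw["RelayState"] = quote(relay_state, safe="")
    data = signed_string(raw)
    sig = private_key.sign(data, padding.PKCS1v15(), SIG_ALGS[sig_alg]())
    return data.decode("ascii") + "&Signature=" + quote(base64.b64encode(sig).decode("ascii"), safe="")


def demo():
    """Sign a constructed response, verify it, then show a tampered RelayState fails."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    # Stand-in for base64(deflate(xml)): raw DEFLATE (wbits=-15), as the binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    payload = base64.b64encode(comp.compress(b"<samlp:Response/>") + comp.flush()).decode("ascii")
    query = build_signed_query(key, payload, "/main", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ok = verify_redirect_signature(query, pub)
    tampered = query.replace("RelayState=%2Fmain", "RelayState=%2Fevil")
    return ok, verify_redirect_signature(tampered, pub)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the signed string is rebuilt in the fixed order rather than taken from the query string as received, a verifier built this way also accepts a query whose parameters arrive in a different order, which is what the binding specifies.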