SAML service provider signature verification

312 views Asked by At

This is a basic question about SAML protocol and how it specifies verification of a SAML token.

Looking an different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token. I am interested in clarifying step 5 (Request the Assertion Consumer Service at the SP) from wikiSAMPL_wiki. Mainly token verification is done on Service Provider without additional calls to IdP.
Token validation consists of the 3 steps:
1.Verify token is well-formed
2.Verify token is coming from the intended authority
3.Verify token is meant for the current application

Is this assumption right ?

1

There are 1 answers

0
Andrew K. On BEST ANSWER

From a very high level, yes, your three steps are correct.

More specific:

1 will include decoding the base64 encoded response, checking against schema, etc.

2 will be done via signature validation, checking the authority, seeing if it's a response to a sent AuthnRequest and matching it, etc.

3 comes from checking the relay state and ensuring that it is a location that is "protected" by the service provider