What is the possible value for the Concatenated String for generating SAML Signature

>   <samlp:LogoutRequest ID="_36167d94-d868-4c04-aee3-8bbd4ed91317"
> Version="2.0" IssueInstant="2017-01-05T16:21:55.704Z"
> Destination="https://werain.me/"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer><NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">4948f6ce-4e3b-4538-b284-1461f9379b48</NameID><samlp:SessionIndex>_eafbb730-b590-0134-a918-00d202739c81</samlp:SessionIndex></samlp:LogoutRequest>

Given that my LogoutRequest looks like this, if I have to verify the logout request, do I have to construct a string that looks like this (i.e. the raw string value)

SAMLRequest=<samlp:LogoutRequest ID="_36167d94-d868-4c04-aee3-8bbd4ed91317" ... </samlp:LogoutRequest>&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1

and then verify the signature for the above string, or should I encode the SAMLRequest and SigAlg values,

i.e

SAMLRequest=Base64 encode value or raw logout request&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1

The reason for this confusion is that the SAML spec says (extracted from here):

A string consisting of the concatenation of the raw, unencoded XML making up the SAML protocol message (NOT the base64-encoded version),

But OneSAML creates a signature with the Base64-encoded version of the request (logout request). Have a look here.

I am not sure which implementation I have to use to verify the signature.

NOTE: HTTP-Redirect binding.

1 answer

smartin:

Your link and quote are not related to the HTTP-Redirect binding.

Check section 3.4.4.1 of https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

OneLogin's SAML toolkits implement signatures following the standard.

You can see, for example, that simpleSAMLphp's implementation builds the signature for the Redirect binding in the same way: https://github.com/simplesamlphp/saml2/blob/master/src/SAML2/HTTPRedirect.php#L22

Or OpenSAML: https://github.com/apigee/java-opensaml2/blob/master/src/main/java/org/opensaml/saml2/binding/encoding/HTTPRedirectDeflateEncoder.java#L162

You can play with signing and validating SAML messages at: https://www.samltool.com/online_tools.php
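To make the answer concrete, here is a complete sign-and-verify round trip for the HTTP-Redirect binding as section 3.4.4.1 of the bindings spec describes it. This is an added example, not code from the question, the answer, OneLogin, simpleSAMLphp or OpenSAML. It uses only Go's standard library; the RSA key pair is generated at run time, the LogoutRequest is a trimmed, constructed copy of the one in the question, and the RelayState value and the rsa-sha256 SigAlg are assumptions (the question's rsa-sha1 is deprecated and is rejected here on purpose).

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Constructed sample: a trimmed copy of the LogoutRequest from the question.
const logoutRequest = `<samlp:LogoutRequest ID="_36167d94-d868-4c04-aee3-8bbd4ed91317" Version="2.0" IssueInstant="2017-01-05T16:21:55.704Z" Destination="https://werain.me/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer></samlp:LogoutRequest>`

// The only algorithm this example accepts (assumption). A verifier should whitelist
// algorithms rather than trust whatever the SigAlg parameter says.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// deflateBase64: raw DEFLATE (no zlib header), then base64, as bindings 3.4.4.1 requires.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// inflateBase64 reverses deflateBase64 (what the receiver does to recover the XML).
func inflateBase64(enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(out), err
}

// SignedString is the exact octet string that gets signed: URL-encoded parameters in the
// fixed order SAMLRequest (or SAMLResponse), RelayState (if present), SigAlg. The message
// value is the deflated+base64 form, never the raw XML, and Signature itself is excluded.
func SignedString(param, encodedMsg, relayState, sigAlg string) string {
	s := param + "=" + url.QueryEscape(encodedMsg)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// BuildRedirectQuery deflates, encodes and signs the XML and returns the full query string.
func BuildRedirectQuery(key *rsa.PrivateKey, xml, relayState string) (string, error) {
	toSign := SignedString("SAMLRequest", deflateBase64(xml), relayState, sigAlgRSASHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParam returns a parameter value exactly as it appeared on the wire (still URL-encoded).
// The verifier must rebuild the signed string from these original octets: decoding and
// re-encoding can change %XX case or '+' vs '%20' and silently break a valid signature.
func rawParam(query, name string) (string, bool) {
	for _, kv := range strings.Split(query, "&") {
		if strings.HasPrefix(kv, name+"=") {
			return strings.TrimPrefix(kv, name+"="), true
		}
	}
	return "", false
}

// VerifyRedirectQuery checks the Signature over a received query string and, on success,
// returns the decoded XML of the SAMLRequest.
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) (string, error) {
	msg, ok1 := rawParam(query, "SAMLRequest")
	sigAlgRaw, ok2 := rawParam(query, "SigAlg")
	sigRaw, ok3 := rawParam(query, "Signature")
	if !ok1 || !ok2 || !ok3 {
		return "", errors.New("missing SAMLRequest, SigAlg or Signature")
	}
	if alg, err := url.QueryUnescape(sigAlgRaw); err != nil || alg != sigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", sigAlgRaw)
	}
	sigB64, err := url.QueryUnescape(sigRaw)
	if err != nil {
		return "", err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", err
	}
	// Rebuild in spec order from the raw values; the URL's own parameter order is irrelevant.
	toVerify := "SAMLRequest=" + msg
	if rs, ok := rawParam(query, "RelayState"); ok {
		toVerify += "&RelayState=" + rs
	}
	toVerify += "&SigAlg=" + sigAlgRaw
	digest := sha256.Sum256([]byte(toVerify))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("bad signature: %w", err)
	}
	encoded, err := url.QueryUnescape(msg)
	if err != nil {
		return "", err
	}
	return inflateBase64(encoded)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	query, _ := BuildRedirectQuery(key, logoutRequest, "state-123")
	xml, err := VerifyRedirectQuery(&key.PublicKey, query)
	fmt.Println(err == nil && xml == logoutRequest) // true
	// Changing RelayState on the wire invalidates the signature.
	_, err = VerifyRedirectQuery(&key.PublicKey, strings.Replace(query, "state-123", "state-124", 1))
	fmt.Println(err != nil) // true
}
```

The points a verifier has to get right, all visible in the code: the octets that are signed are `SAMLRequest=<urlenc(base64(deflate(xml)))>&RelayState=<urlenc>&SigAlg=<urlenc>`, never the raw XML and never including the Signature parameter; the order is fixed by the spec regardless of how the parameters are ordered in the URL; the string must be rebuilt from the parameter values exactly as received rather than decoded and re-encoded; and SigAlg must be checked against a whitelist before it is used, since it is attacker-controlled input.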