
List:       shibboleth-users
Subject:    Re: Validating SAML signatures
From:       Max Spicer via users <users () shibboleth ! net>
Date:       2021-11-29 15:10:22
Message-ID: CABbdpz9aV3cwPHEkOdcD0d6DdkNwJiuDCKh3y3EUWwAOj48NTQ () mail ! gmail ! com


Thanks, both. That wiki page was very helpful and with a bit of
experimentation I was able to verify the AuthnRequest signature with the
following command:

xmlsec1 --verify --pubkey-cert-pem old.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest authnrequest.xml

Satisfyingly, and as expected, verification fails using the key contained
in their metadata.

I'm sadly aware that this is likely a waste of time. Nevertheless, I can
now make one last attempt to explain the issue to the SP in a way that they
can verify themselves. After that, I shall simply ignore their request to
update their metadata and/or configure the IdP to ignore their signed authn
requests.

Cheers,

Max

On Mon, 29 Nov 2021 at 13:51, Peter Schober <peter.schober@univie.ac.at>
wrote:

> * Max Spicer via users <users@shibboleth.net> [2021-11-29 14:17]:
> > I have verified that our IdP successfully validates the signature in the
> > authn requests when it has the correct key, and fails when given the "new"
> > key. Can anyone recommend a tool / process to reproduce these results
> > outside of the IdP?
> 
> FWIW, this wiki page documents a few tools to validate signatures with:
> 
> https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645443/MetadataCorrectness#MetadataCorrectness-SignatureVerification
>  
> -peter
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe@shibboleth.net
> 


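An added example, not code from the thread: a bash script that automates the check described above, pulling every X509Certificate out of the SP's published metadata into PEM form and running the same xmlsec1 --verify command against each, so it is visible which key (if any) actually signed the AuthnRequest. It assumes xmlsec1 is installed; the file names sp-metadata.xml and authnrequest.xml (the decoded request XML) are placeholders.

```bash
#!/bin/bash
# Added example, not code from the thread: find which certificate in an SP's SAML
# metadata (if any) verifies a captured AuthnRequest, using the xmlsec1 command
# above. Assumes xmlsec1 is installed and the request is the decoded XML.
set -u
# Print the base64 body of every <X509Certificate> element (any namespace
# prefix), one per line, whitespace removed. Signing and encryption
# KeyDescriptors are both included; only a signing cert can verify.
metadata_certs() {  # $1 = metadata XML file
  tr -d ' \t\r\n' < "$1" \
    | grep -o '<[A-Za-z0-9]*:\{0,1\}X509Certificate>[^<]*' \
    | sed 's/^<[^>]*>//'
}

# Wrap one base64 blob from stdin as a PEM certificate (64 chars per line),
# the form xmlsec1 --pubkey-cert-pem expects.
b64_to_pem() {
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
    "$(tr -d '\n' | fold -w 64)"
}

# The verification from the thread: exit status 0 means the signature on the
# AuthnRequest verifies against the given PEM certificate.
verify_authnrequest() {  # $1 = PEM cert, $2 = AuthnRequest XML
  xmlsec1 --verify --pubkey-cert-pem "$1" \
    --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest "$2" \
    >/dev/null 2>&1
}
# Try every metadata certificate against the request; succeed if one matches.
check_metadata_against_request() {  # $1 = metadata XML, $2 = AuthnRequest XML
  local list pem b64 n=0 matched=1
  list=$(mktemp); pem=$(mktemp)
  metadata_certs "$1" > "$list"
  while IFS= read -r b64; do
    n=$((n + 1))
    printf '%s' "$b64" | b64_to_pem > "$pem"
    if verify_authnrequest "$pem" "$2"; then
      echo "metadata cert #$n verifies the AuthnRequest signature"; matched=0
    else
      echo "metadata cert #$n does NOT verify the AuthnRequest signature"
    fi
  done < "$list"
  rm -f "$list" "$pem"
  return "$matched"
}

# Usage: ./check-sp-key.sh sp-metadata.xml authnrequest.xml (placeholder names)
if [ $# -ge 2 ]; then check_metadata_against_request "$1" "$2"; fi
```

Running verify_authnrequest with the previously working certificate (old.pem in the thread) alongside this script shows the SP both results side by side: the old key verifies, the key in their current metadata does not.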
