SAML 2.0 was Re: SAML 1.1 help

Kevin Brown kevinbrownbdc at gmail.com
Tue Feb 12 18:55:12 MST 2013


  So, I got most of SAML 1.1 working with the system at work. Turns out 
we have another client that was doing SAML to us, but no one at the site 
knew it, heheh. And then the client changed to 2.0, so A) what I had 
gotten working broke, and B) I still can't seem to get the signature 
value to work.

So, to try and help debug the issue (to see if the canonicalization is 
wrong, or something else) I set up SimpleSAMLphp on my local machine and 
got the SP to talk to an IdP (both hosted in virtual hosts from my copy 
of Apache), and then, using that as an example, I dug through the code and 
found the areas where it does the signature verification using OpenSSL.

Here's the big oddity. I print to files (via file_put_contents) the 
canonical XML, the binary signature, the base64-encoded signature and 
the whole SAML Response object from within the SimpleSAMLphp module. 
When I compare the base64-encoded signature (the one that was decoded 
from the file and then I encoded to write to a file) with what was 
inside the SAML Response, they don't match up, which makes me wonder why 
that is so. I've checked what the PHP code is getting back from using 
XPath against what is in the SAML Response, and whatever is going on is 
happening right at the moment that PHP gets the result from 
<SignatureValue></SignatureValue>.

Code that pulls out the SignatureValue:
$xpath->evaluate("string(./secdsig:SignatureValue)", $this->sigNode);

Any help in figuring out what this is doing would be great as I really 
would like to get this last step functioning.

> So, new job... I've been tasked with implementing SSO using SAML 1.1. 
> The client provided a document that gives an example of the Response 
> object that will be forwarded into our site when a user goes to login. 
> I'm trying to figure out how to validate the XML that I'm given so 
> that I don't blindly trust that the document hasn't been modified in 
> some way or just faked.
> I have the keys (DigestValue and SignatureValue), but when I try to do 
> a sha1 of the xml (minus all the parts in the <Signature></Signature> 
> section), the hash doesn't match.
> Does anyone have any experience with this that they might be able to 
> point me in the right direction?



More information about the PLUG-discuss mailing list