SAML 2.0 was Re: SAML 1.1 help
Kevin Brown
kevinbrownbdc at gmail.com
Tue Feb 12 18:55:12 MST 2013
So, I got most of SAML 1.1 working with the system at work. Turns out
we have another client that was doing SAML to us, but no one at the site
knew it, heheh. And then the client changed to 2.0, so A) what I had
gotten working broke, and B) I still can't seem to get the signature
value to work.
So, to try and help debug the issue (to see if the canonicalization is
wrong, or something else) I set up SimpleSAMLphp on my local machine and
got the SP to talk to an IdP (both hosted in virtualhosts from my copy
of Apache), and then, using that as an example, I dug through the code and
found the areas where it does the signature verification using OpenSSL.
Here's the big oddity. I print to files (via file_put_contents) the
canonical XML, the binary signature, the base64-encoded signature and
the whole SAML Response object from within the SimpleSAMLphp module.
When I compare the base64-encoded signature (the one that was decoded
from the file and that I then encoded to write to a file) with what was
inside the SAML Response, they don't match up, which makes me wonder why
that is so. I've checked what the PHP code is getting back from using
XPath against what is in the SAML Response, and whatever is going on is
happening right at the moment that PHP gets the result from
<SignatureValue></SignatureValue>.
Code that pulls out the SignatureValue:
$xpath->evaluate("string(./secdsig:SignatureValue)", $this->sigNode);
Any help in figuring out what this is doing would be great as I really
would like to get this last step functioning.
> So, new job... I've been tasked with implementing SSO using SAML 1.1.
> The client provided a document that gives an example of the Response
> object that will be forwarded into our site when a user goes to login.
> I'm trying to figure out how to validate the XML that I'm given so
> that I don't blindly trust that the document hasn't been modified in
> some way or just faked.
> I have the keys (DigestValue and SignatureValue), but when I try to do
> a sha1 of the XML (minus all the parts in the <Signature></Signature>
> section), the hash doesn't match.
> Does anyone have any experience with this that they might be able to
> point me in the right direction?
More information about the PLUG-discuss mailing list
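The two things this thread is wrestling with, worked end to end in an added example (Python, standard library only; this is not SimpleSAMLphp's code and not code from either poster). First, the quoted question: <ds:DigestValue> is not a SHA-1 of the XML text "minus the Signature section" as it arrived on the wire, but of the referenced element after the enveloped-signature transform has removed <ds:Signature> and the result has been canonicalized; and <ds:SignatureValue> is computed over the canonical <ds:SignedInfo> (which carries that DigestValue), not over the Response body. Second, the base64 puzzle: signing libraries commonly emit the SignatureValue text node line-wrapped, so decoding it and re-encoding the bytes gives a string that differs from the document text only in whitespace while the decoded bytes, which are what the RSA verifier consumes, are identical; a verbatim string comparison of the two is therefore the wrong check. The Response, the Reference and the SignatureValue bytes (FAKE_SIG) below are constructed for the example; FAKE_SIG is dummy data, not a valid RSA signature, so the block demonstrates the digest check and the encoding comparison but stops short of the final RSA verify. One caveat: ElementTree's canonicalize() implements C14N 2.0, whereas SAML deployments declare Exclusive C14N 1.0 in <ds:CanonicalizationMethod>; the two differ in namespace edge cases, so a production verifier should use a library that implements the declared algorithm. The shape of the check is the same.

```python
"""Digest and SignatureValue handling for an enveloped XML-DSig signature
on a SAML 2.0 Response. Added example, standard library only; not
SimpleSAMLphp code and not code from the posts. The Response and the
SignatureValue bytes (FAKE_SIG) are constructed; FAKE_SIG is not a real
RSA signature, so the final RSA verify step is not shown.
Caveat: ET.canonicalize() implements C14N 2.0, not the Exclusive C14N 1.0
that SAML declares; edge cases differ, so use a library implementing the
declared algorithm in production. The shape of the check is the same."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"ds": DS, "samlp": SAMLP}
# Keep the original prefixes when re-serializing: C14N preserves prefixes.
ET.register_namespace("ds", DS)
ET.register_namespace("samlp", SAMLP)

RESPONSE_BODY = (  # constructed sample; {signature} is filled in below
    '<samlp:Response xmlns:samlp="' + SAMLP + '" ID="_abc123" Version="2.0" '
    'IssueInstant="2013-02-12T18:55:12Z">{signature}<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:Response>'
)
SIGNATURE_TEMPLATE = (
    '<ds:Signature xmlns:ds="' + DS + '"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#_abc123"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '</ds:Transforms>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>\n{sigval}</ds:SignatureValue></ds:Signature>'
)
FAKE_SIG = bytes(range(128))  # constructed stand-in for a 1024-bit RSA signature


def digest_of_referenced_element(doc_xml: str) -> str:
    """Enveloped-signature transform (drop ds:Signature), canonicalize, SHA-1,
    base64: the value to compare with <ds:DigestValue>. Hashing the raw XML
    text 'minus the Signature section' skips canonicalization, so it differs."""
    root = ET.fromstring(doc_xml)
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()


def build_sample_response() -> str:
    """Construct the sample: compute the DigestValue over the unsigned body,
    then envelop a Signature whose SignatureValue is line-wrapped base64."""
    digest = digest_of_referenced_element(RESPONSE_BODY.format(signature=""))
    sigval = base64.encodebytes(FAKE_SIG).decode()  # 76-column lines, each "\n"-terminated
    return RESPONSE_BODY.format(
        signature=SIGNATURE_TEMPLATE.format(digest=digest, sigval=sigval))


def verify_digest(doc_xml: str) -> bool:
    """Compare the stated DigestValue with a freshly computed one."""
    root = ET.fromstring(doc_xml)
    stated = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue", NS).text
    return "".join(stated.split()) == digest_of_referenced_element(doc_xml)


def signature_value_text(doc_xml: str) -> str:
    """The text node of <ds:SignatureValue>, i.e. what string(./ds:SignatureValue)
    returns in XPath: base64 plus whatever line breaks the signer inserted."""
    root = ET.fromstring(doc_xml)
    return root.find("ds:Signature/ds:SignatureValue", NS).text or ""


def signature_bytes(doc_xml: str) -> bytes:
    """The decoded bytes, which are what the RSA verifier consumes.
    b64decode discards the whitespace, so line wrapping changes nothing."""
    return base64.b64decode(signature_value_text(doc_xml))


def compare_signature_encodings(doc_xml: str) -> dict:
    """Why decode->encode looks different from the document text: the bytes
    are identical, only the whitespace is gone. Compare bytes, or compare
    base64 with whitespace stripped, never the raw text node verbatim."""
    raw = signature_value_text(doc_xml)
    reencoded = base64.b64encode(base64.b64decode(raw)).decode()
    return {"verbatim_match": reencoded == raw,
            "normalized_match": reencoded == "".join(raw.split())}


def signed_info_canonical(doc_xml: str) -> str:
    """What SignatureValue is actually computed over: the canonical
    <ds:SignedInfo>, which carries the DigestValue, not the Response body."""
    root = ET.fromstring(doc_xml)
    signed_info = root.find("ds:Signature/ds:SignedInfo", NS)
    return ET.canonicalize(ET.tostring(signed_info, encoding="unicode"))


if __name__ == "__main__":
    doc = build_sample_response()
    print("DigestValue matches:", verify_digest(doc))
    print("after tampering with Status:", verify_digest(doc.replace("Success", "Requester")))
    print(compare_signature_encodings(doc))
    print("RSA input begins:", signed_info_canonical(doc)[:60])
```

Running the block prints True for the intact document and False once the Status value is altered, and compare_signature_encodings() returns verbatim_match False with normalized_match True, which is exactly the symptom the post describes. The last step a real verifier adds is RSA-SHA1 over the canonical SignedInfo bytes with the signer's public key (in PHP, openssl_verify($canonical_signed_info, $decoded_signature, $pubkey)), using the decoded bytes rather than the text node.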