How to create a signed AuthNRequest?

I interact with an IdP and have a basic AuthNRequest created as follows:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                        ID="IDTest1" Version="2.0" IssueInstant="2013-03-04T09:21:59"
                        AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0">
      <saml:Issuer>https://myapp.com/saml2/sp</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </samlp:AuthnRequest>

IDP wants me to send the request as a signed one. My questions:

  • How to set digest value?
  • How to set Signature value?
  • For the x509 certificate, I set the public key of my application. Correctly?
  • What is the data used to calculate any of the values? Is this my original auth request without a Signature element?
+8
x509certificate signing saml
6 answers

If you build your own requests without any large framework, I can recommend OpenSAML. The library will help in building SAML messages.

In my book, the OpenSAML Handbook, this and more is explained in detail.

EDIT: I have released a new version of the book covering OpenSAML V3.

Here is an example I wrote on signing SAML messages.

And one on how to send AuthnRequests.

+4

Just note that much of this is described in the documentation:

SAML metadata.

To have a signed request, you need to add something like this (usually in sp.xml):

    <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

The signature key will look something like this:

    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWTC...CAkGgAwIBAgIEe+a+/uaSZCp5g2z+hRWRV+DyfQc9nO</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

where MII... is the public key.

As @Stefan said, it is much easier to use the library.

+3

A SAML authentication request is an XML document. You can sign a SAML authentication request in the same way that you sign any other XML document. However, there are some restrictions:

  • The signature must be enveloped.
  • Before it is digested, the SAML authentication request must not be transformed by anything other than the enveloped signature transform and the exclusive canonicalization transform.
  • The Signature element must contain only one Reference element.
  • The URI of the single Reference element must contain the value of the ID attribute of the signed SAML authentication request.
  • Before it is signed, the SignedInfo element must be canonicalized using the exclusive canonicalization method.

You can find out more in the SAML Assertions and Protocols specification ( http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf ) in section 5.

+3

Well, when it comes to security, it is never easy... you definitely need to read the documentation: the one linked by @nzpcmad, as well as the SAML2 Profiles document (look for the Web Browser SSO Profile).

For Java, OpenSaml really is one of the easiest solutions.

+1

The trap seems to be that with the HTTP Redirect binding, the signature is carried in additional URL parameters and is not part of the SAMLRequest value, for example: https://my-idp.com/login?SAMLRequest=nVNN...%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=QZ64...%3D%3D

0
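As an added example (not code from this thread or from any SAML library), the Redirect-binding signing described above, done with the Go standard library: the bytes that get hashed are the URL-encoded SAMLRequest and SigAlg parameters exactly as they appear in the query string, and the signature travels in a separate Signature parameter. The function names are my own and RelayState is left out for brevity; the key is assumed to be the SP's RSA signing key.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
)

// Identifier carried in the SigAlg parameter (RSA with SHA-256).
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// signedString is the exact byte string both sides hash: the URL-encoded
// SAMLRequest and SigAlg parameters, in that order (RelayState omitted here).
func signedString(rawSAMLRequest, rawSigAlg string) string {
	return "SAMLRequest=" + rawSAMLRequest + "&SigAlg=" + rawSigAlg
}

// SignRedirectQuery builds the query string an SP sends: DEFLATE, base64 and
// URL-encode the XML, then sign; nothing is added inside the XML itself.
func SignRedirectQuery(xml string, key *rsa.PrivateKey) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE, no zlib header
	w.Write([]byte(xml))
	w.Close()
	enc := base64.StdEncoding.EncodeToString(buf.Bytes())
	q := signedString(url.QueryEscape(enc), url.QueryEscape(SigAlgRSASHA256))
	h := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}
// VerifyRedirectQuery is the IdP side. It takes the parameters still URL-encoded,
// because re-encoding decoded values may not reproduce the octets the SP signed.
func VerifyRedirectQuery(rawSAMLRequest, rawSigAlg, rawSignature string, pub *rsa.PublicKey) bool {
	alg, _ := url.QueryUnescape(rawSigAlg)
	sigB64, _ := url.QueryUnescape(rawSignature)
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || alg != SigAlgRSASHA256 { // reject unknown or downgraded algorithms
		return false
	}
	h := sha256.Sum256([]byte(signedString(rawSAMLRequest, rawSigAlg)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```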

Your question is inadequate!

The AuthnRequest you send looks like a REDIRECT, where you will not see the digest, signature and certificate, since all this data will be in the URL as parameters.

Try using the POST SSO request, where you will see the digest, signature and certificate in the SAML request.

Some of the points:

General:

  • Both IdP and SP should share their Metadata, which will have their basic configuration, such as id, signature algorithm, hash method, public key, etc.
  • So, based on the contract with the IdP, you should hash and sign your request in your preferred programming language.

SP:

  • You must encrypt using the public key.
  • You must sign using your private key.
  • You must encode your request using Base64.

IdP:

  • They will identify using the public key in the request.
  • They will respond with encrypted and signed XML.
  • You must decrypt and verify the response.


0
