Tags: saml, saml-2.0, xml-signature, opensaml

Validate signed assertion embedded in SAMLResponse


I work with the OpenSAML library. I want to validate a signed assertion (XML Signature) embedded in a SAMLResponse that is not signed. The validation always fails. Is there a way to validate the signed assertion without its parent (Response)? Or another way to do it?


Solution

  • The problem here is that when I sign the assertion, the ID of the signature is referenced to the Response and not to the assertion. So I fixed this by referencing the ID of the signature to the assertion and not to the Response. See here (page 71, section 5.4.2):

    5.4.2 References
    SAML assertions and protocol messages MUST supply a value for the ID attribute on the root element of
    the assertion or protocol message being signed. The assertion’s or protocol message's root element may
    or may not be the root element of the actual XML document containing the signed assertion or protocol
    message (e.g., it might be contained within a SOAP envelope).
    
    Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
    attribute value of the root element of the assertion or protocol message being signed. For example, if the
    ID attribute value is "foo", then the URI attribute in the <ds:Reference> element MUST be "#foo"
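The validation flow the answer is describing, as an added example that is not code from the question or the answer. It assumes the OpenSAML 3/4 API (`SAMLSignatureProfileValidator`, static `SignatureValidator.validate`) and a `Credential` holding the IdP's known signing key; the class and method names `AssertionSignatureCheck` / `validateEmbeddedAssertions` are hypothetical. The profile validator is the step that enforces the 5.4.2 rule, so a `<ds:Reference>` whose URI points at the Response ID instead of the assertion ID fails there, before any cryptographic check.

```java
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

/** Hypothetical helper: validates each embedded assertion's own signature while the Response stays unsigned. */
public final class AssertionSignatureCheck {

    private AssertionSignatureCheck() {}

    public static void validateEmbeddedAssertions(Response response, Credential idpSigningCredential)
            throws SignatureException {
        if (response.getAssertions().isEmpty()) {
            throw new SignatureException("Response carries no assertions to validate");
        }
        for (Assertion assertion : response.getAssertions()) {
            Signature signature = assertion.getSignature();
            if (signature == null) {
                // An unsigned Response with an unsigned assertion proves nothing; reject it.
                throw new SignatureException("Assertion " + assertion.getID() + " is not signed");
            }
            // Profile check (SAML Core 5.4.2): exactly one ds:Reference, and it must be a
            // same-document reference to this assertion's ID, i.e. URI="#" + assertion.getID().
            // A Reference that points at the Response ID fails here, which is the symptom in the question.
            new SAMLSignatureProfileValidator().validate(signature);
            // Cryptographic check against the IdP's pre-configured key; never trust a key
            // carried in the message's own ds:KeyInfo.
            SignatureValidator.validate(signature, idpSigningCredential);
        }
    }
}
```

Run both steps in this order on every assertion before consuming any attribute or subject from it; a Response that contains one valid and one invalid assertion must be rejected as a whole.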