I'm receiving a SAML request via HTTP-redirect binding. The content of the SAML request looks like this:
{"SigAlg"=>"http://www.w3.org/2000/09/xmldsi
A SAML 2.0 signature is validated differently depending on the binding (POST or Redirect). If a POST binding is used the signature is validated in the SAML XML. If a Redirect binding is used the query string is validated with the signature.
This LogoutRequest is sent with a redirect binding. The following C# sample code is copied from the ITfoxtec.Identity.Saml2 component and shows how to validate the signature.
// Raw query string of the incoming request and the Base64-decoded Signature parameter.
var queryString = request.QueryString;
var signatureValue = Convert.FromBase64String(request.Query["Signature"]);
// Name of the query parameter that carries the message.
var messageName = "SAMLRequest";
var signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
// Certificate used to validate the signature.
var signatureValidationCertificate = new X509Certificate2("path-to-service-provider-x509-certificate");
var saml2Sign = new Saml2SignedText(signatureValidationCertificate, signatureAlgorithm);
// The signature is checked against the signed part of the query string, not against the XML.
if (saml2Sign.CheckSignature(Encoding.UTF8.GetBytes(new RawSaml2QueryString(queryString, messageName).SignedQueryString), signatureValue))
{
    // Signature is valid.
}
else
{
    throw new InvalidSignatureException("Signature is invalid.");
}
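The same redirect-binding check written out in Ruby with only the standard library, as an added example (not code from the post or from ITfoxtec.Identity.Saml2): the signature is verified over the raw, still URL-encoded SAMLRequest, RelayState and SigAlg values, in that order. The function names, the throwaway key and the placeholder message are assumptions constructed for the example.

```ruby
require "openssl"
require "uri"

# SigAlg URI => digest name. rsa-sha1 is the algorithm named in the post.
DIGESTS = {
  "http://www.w3.org/2000/09/xmldsig#rsa-sha1" => "SHA1",
  "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" => "SHA256"
}.freeze

# Split the raw query string without decoding it; nil if a parameter repeats,
# since a repeated parameter makes "which value was signed" ambiguous.
def raw_params(raw_query)
  pairs = raw_query.split("&").map { |pair| pair.split("=", 2) }
  return nil unless pairs.map(&:first).uniq.size == pairs.size
  pairs.to_h { |k, v| [k, v.to_s] }
end

# The signed octets: message, optional RelayState, SigAlg, in that order,
# using the URL-encoded values exactly as the sender wrote them.
def signed_query_string(params, message_name)
  [message_name, "RelayState", "SigAlg"]
    .select { |k| params.key?(k) }
    .map { |k| "#{k}=#{params[k]}" }
    .join("&")
end

def redirect_signature_valid?(raw_query, public_key, message_name = "SAMLRequest")
  params = raw_params(raw_query)
  return false unless params && params[message_name] && params["Signature"]
  digest = DIGESTS[URI.decode_www_form_component(params["SigAlg"].to_s)]
  return false unless digest
  signature = URI.decode_www_form_component(params["Signature"]).unpack1("m")
  public_key.verify(OpenSSL::Digest.new(digest), signature,
                    signed_query_string(params, message_name))
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# Constructed sample: throwaway key and placeholder message so the example runs offline.
def constructed_sample
  key = OpenSSL::PKey::RSA.new(2048)
  enc = ->(s) { URI.encode_www_form_component(s) }
  signed = "SAMLRequest=#{enc.(['<LogoutRequest placeholder/>'].pack('m0'))}" \
           "&RelayState=#{enc.('/after-logout')}" \
           "&SigAlg=#{enc.('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256')}"
  signature = key.sign(OpenSSL::Digest.new("SHA256"), signed)
  ["#{signed}&Signature=#{enc.([signature].pack('m0'))}", key.public_key]
end
```

Parameters other than these three are not covered by the signature, and re-encoding a decoded value (for example with different percent-escape casing) changes the signed octets and makes a genuine signature fail.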