How to verify a SAML signature for HTTP-redirect binding

Question

I\'m receiving a SAML request via HTTP-redirect binding the content of the SAML request look like this

{\"SigAlg\"=>\"http://www.w3.org/2000/09/xmldsi

Answer 1

One point I would like to add to the above answers: URL encoding/decoding is non-canonical, meaning that every framework/language may in fact have a different way of doing it. I was stuck on verifying an HTTP-Redirect binding for many days, turns out that the Java Play 1.x framework we are using URL decodes things in a different way than the SAML framework expects.

We resolved this issue by instead taking the query parameters directly out of the query string, rather than letting Play framework decode it for us (only for us to need to re-encode it back). So if your code matches Alexandre's but the SAML framework says the signature is invalid, make sure that you're feeding into the algorithm the strings that are directly taken from the URL GET parameters.