Validating SAML signature in python

逝去的感伤 2021-01-19 07:24

I need to implement authentication in python from a 3rd party by using SAML2. I have looked into pysaml2 and found that to be quite confusing, and decided to give M2Crypto a

2 Answers
  • 2021-01-19 07:27

    I faced the same problem, and had to develop a module for it: https://github.com/kislyuk/signxml. I chose to rely only on PyCrypto and pyOpenSSL, since M2Crypto is less popular and not well-maintained, which is a hazard from both compatibility (e.g. PyPy) and security perspectives. I also use lxml for the canonicalization (c14n). From the signxml docs:

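    from xml.etree import ElementTree

    from signxml import xmldsig

    # Certificate and private key (PEM); the key is only needed for signing.
    cert = open("example.pem").read()
    key = open("example.key").read()
    # `data` is the XML document to verify, supplied by the caller.
    root = ElementTree.fromstring(data)
    # Raises an exception if the signature is invalid.
    xmldsig(root).verify()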
    
    0 Discussion (0)
  • 2021-01-19 07:27

    You need to canonicalize the signed info before validating the signature. That's what the transformation tag implies. Basically, since the same XML can be formatted differently, one needs to validate an XML signature in a canonical format.

    0 Discussion (0)
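An added example (not from either answer or from signxml) of why SignedInfo has to be canonicalized before the signature check: the same SignedInfo serialized two ways verifies only after canonicalization, and a changed digest still fails. It assumes the standard library's C14N 2.0 and an HMAC-SHA256 value as stand-ins for the exclusive C14N and RSA signature a SAML response typically uses; the key and XML samples are constructed.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"
KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

# Constructed SignedInfo as the signer serialized it.
SIGNED = (
    f'<ds:SignedInfo xmlns:ds="{DS}">'
    f'<ds:CanonicalizationMethod Algorithm="{C14N2}"/>'
    '<ds:Reference Id="r1" URI="#_a1">'
    '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
)
# Same content after re-serialization: quote style, attribute order,
# spacing inside tags and the empty-element form all differ.
RESERIALIZED = (
    f"<ds:SignedInfo   xmlns:ds='{DS}' >"
    f"<ds:CanonicalizationMethod Algorithm='{C14N2}'></ds:CanonicalizationMethod>"
    "<ds:Reference URI='#_a1'  Id='r1'>"
    "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>"
)
# A real change to the signed content must still be rejected.
TAMPERED = RESERIALIZED.replace("AAAA", "BBBB")


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify_raw(xml_text: str, signature: bytes) -> bool:
    """Wrong: checks the bytes exactly as received."""
    return hmac.compare_digest(_mac(xml_text.encode("utf-8")), signature)


def verify_canonical(xml_text: str, signature: bytes) -> bool:
    """Right: canonicalize SignedInfo, then check the signature."""
    canonical = canonicalize(xml_text).encode("utf-8")
    return hmac.compare_digest(_mac(canonical), signature)


# The signer computes the signature value over the canonical form.
SIGNATURE = _mac(canonicalize(SIGNED).encode("utf-8"))

if __name__ == "__main__":
    for name, doc in [("signed", SIGNED), ("reserialized", RESERIALIZED), ("tampered", TAMPERED)]:
        print(name, verify_raw(doc, SIGNATURE), verify_canonical(doc, SIGNATURE))
```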