How to validate a SAML signature value

孤街浪徒 2021-02-01 10:34

I have a customer who is sending a Security key. The encryption they are using is triple DES. Every Assertion they send has a signature value which needs to be validated to give

2 answers
  • 2021-02-01 11:12

    If you want to validate the signature on the SAML Assertion or any of the Signable XML Objects, the OpenSAML WIKI has more information:

    https://wiki.shibboleth.net/confluence/plugins/viewsource/viewpagesrc.action?pageId=3277047

    You can look for 'Signature Verification Examples'.

    This blog post also has an example as well:

    http://mylifewithjava.blogspot.com/2012/11/verifying-signatures-with-opensaml.html

    To obtain a 'credential' for validation, see here: http://mylifewithjava.blogspot.com/2011/03/getting-credentials-in-opensaml.html

    For info on how to unmarshal XML into an Open SAML object, see here: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaCreateFromXML

  • 2021-02-01 11:14

    Encryption and signing are two different animals. Triple DES is a symmetric key method (same key used for encryption and decryption). Digital signatures, on the other hand, use asymmetric keys (private/public key pair), where the signature is computed using the private key, and can be validated using the public key. So if your customer wants to include signatures in XML they send you, then they need to provide you with their public key.

    For encryption, what is typical in SAML is to use XMLEncryption, which defines an XML format for including encryption key information and encrypted data in your SAML messages. Since exchange of a static symmetric key is problematic -- if it's intercepted, the interceptor can both encrypt and decrypt any messages -- what can be done instead is to use a dynamic symmetric key that gets generated anew for each message, encrypt the message using the key, then encrypt that key with the public key of a private/public encryption key pair and send it along with the message. The encrypted symmetric key can only be decrypted using the private half of the key pair used to encrypt it.

    So the most significant difference here, from a key perspective, is that for signing, the customer holds the private key and must share the public key with you, while for encryption, you hold the private key and must share the public key with the customer.
