OpenSAML how to check if SAML Response (signature/cert) is really from my IDP?

拟墨画扇 submitted on 2019-12-06 15:49:24

First things first :

Don't roll your own SAML implementation. There are just so many things you can get wrong that it's not worth the risk. I don't know if I can stress this enough. Use an open source, well known and tested implementation like Shibboleth SP or simplesamlphp.

Warning above aside, and assuming you are doing this for your own understanding and not as part of a product/service that will be available to anyone but you:

The way to check that the response comes from your IDP is to check the Digital Signature. For that, you must use the Public Key of the IDP (that is contained in the IDP certificate which you know from the IDP's metadata) in order to verify the Digital Signature. Please read about Digital Signatures and Digital Signature verification to understand what needs to be done and why. Then you can proceed on how to do it by reading the Official Documentation. Some notes:

  • Don't trust the certificate that comes with the SAML Assertion. This is there just for the case you know multiple certs for a given Relying Party and you need to select the one that applies to the specific SAML conversation.
  • You can't do String comparison on the Signature. You cannot compute the same Signature as you don't have the Private Key that the IdP used to create it.
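The following is an added example, not code from the answer above or from the OpenSAML project, showing the verification the answer describes with the OpenSAML 3.x API: the signature on a SAML 2.0 Response is checked against a certificate you obtained from the IdP's metadata and keep on disk, and the certificate embedded in the message is ignored. The file paths are placeholders, and the class and method names below (SamlResponseVerifier, loadIdpCredential, isFromTrustedIdp) are this example's own; the OpenSAML classes used are assumed to be the 3.x versions on the classpath.

```java
// Added example (not from the original answer or the OpenSAML project):
// verify a SAML 2.0 Response signature with OpenSAML 3.x against the IdP
// certificate taken from its metadata, never the cert inside the message.
// Assumes opensaml-core, opensaml-saml-impl and opensaml-xmlsec-impl 3.x
// are on the classpath; the file paths are placeholders.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

public class SamlResponseVerifier {

    /** Load the IdP signing certificate that you obtained out of band
     *  (for example exported from the IdP metadata) and keep on disk. */
    static Credential loadIdpCredential(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            return new BasicX509Credential(cert);
        }
    }

    /** True only if the Response carries a signature that (a) follows the
     *  SAML signature profile and (b) verifies under the trusted IdP key. */
    static boolean isFromTrustedIdp(Response response, Credential idpCredential) {
        if (!response.isSigned()) {
            return false;   // unsigned: cannot be attributed to any IdP
        }
        Signature sig = response.getSignature();
        try {
            // Rejects signatures whose Reference/Transforms do not cover
            // exactly the enclosing element (profile check, not crypto).
            new SAMLSignatureProfileValidator().validate(sig);
            // Cryptographic verification with the key from metadata.
            // The KeyInfo/X509Certificate inside the message is ignored.
            SignatureValidator.validate(sig, idpCredential);
            return true;
        } catch (SignatureException e) {
            return false;   // bad signature or wrong key: not from our IdP
        }
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();   // bootstraps OpenSAML providers
        Credential idp = loadIdpCredential("/path/to/idp-signing-cert.pem");  // placeholder
        try (InputStream in = new FileInputStream("/path/to/response.xml")) {  // placeholder
            Response resp = (Response) XMLObjectSupport.unmarshallFromInputStream(
                XMLObjectProviderRegistrySupport.getParserPool(), in);
            System.out.println(isFromTrustedIdp(resp, idp) ? "signature OK" : "REJECT");
        }
    }
}
```

Note that this only establishes who signed the Response element; if the IdP signs individual Assertion elements instead of (or as well as) the Response, the same two-step check has to be run on each Assertion's own Signature, and a positive result still has to be followed by the usual checks on Issuer, Audience, Conditions and the InResponseTo/timestamps before the assertion is acted on.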