
Implement query signature verification

Open Jguer opened this issue 3 years ago • 2 comments

Hey,

This patch implements:

  • Query signature validation for SLO redirect bindings.

  • Query signing was also slightly refactored to fix the query getting fully signed instead of only the expected req+relay+alg format (also made it easier to implement tests for it)

Section 3.4.4.1 OASIS

  1. To construct the signature, a string consisting of the concatenation of the RelayState (if present), SigAlg, and SAMLRequest (or SAMLResponse) query string parameters (each one URL-encoded) is constructed in one of the following ways (ordered as below):
     SAMLRequest=value&RelayState=value&SigAlg=value
     SAMLResponse=value&RelayState=value&SigAlg=value
  2. The resulting string of bytes is the octet string to be fed into the signature algorithm. Any other content in the original query string is not included and not signed.

It can probably be adapted for validations in other scenarios.

Please advise on style, structure or other modifications that would help the project

Jguer avatar Jul 21 '22 17:07 Jguer
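The redirect-binding signature construction quoted above, as an added example in Go that is not part of crewjam/saml or of this patch: it assembles the signed octet string in the spec's fixed order (message parameter, RelayState only if present, SigAlg), appends Signature outside the signed bytes, and on the receiving side rebuilds that string from the raw, still URL-encoded parameter values, so extra or reordered query parameters neither break nor extend the signature. The function names (SignRedirectQuery, VerifyRedirectQuery, NewDemoKey), the sample message (a placeholder for a DEFLATE+base64 LogoutRequest) and the sample RelayState are assumptions made for this example; only RSA-SHA256 is handled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Added example, not crewjam/saml code: sign and verify a SAML HTTP-Redirect
// binding query as laid out in Bindings section 3.4.4.1 (RSA-SHA256 only).
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// signedOctets builds exactly the bytes that get signed: message parameter,
// RelayState (only if present) and SigAlg, each already URL-encoded, in that
// fixed order. Any other query parameter is deliberately left out.
func signedOctets(msgParam, encMsg, encRelay string, hasRelay bool, encSigAlg string) []byte {
	s := msgParam + "=" + encMsg
	if hasRelay {
		s += "&RelayState=" + encRelay
	}
	return []byte(s + "&SigAlg=" + encSigAlg)
}

// SignRedirectQuery returns the full query string; msg is the already
// DEFLATE+base64 encoded message, an empty relayState is omitted, and
// Signature is appended last, outside the signed bytes.
func SignRedirectQuery(key *rsa.PrivateKey, msgParam, msg, relayState string) (string, error) {
	octets := signedOctets(msgParam, url.QueryEscape(msg), url.QueryEscape(relayState),
		relayState != "", url.QueryEscape(sigAlgRSASHA256))
	digest := sha256.Sum256(octets)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return string(octets) + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawQueryValues splits a query WITHOUT decoding values, so the verifier hashes
// the bytes the sender produced; decoding and re-encoding can change them
// ("%2B" vs "+", "%20" vs "+"). Duplicate parameters are rejected outright.
func rawQueryValues(rawQuery string) (map[string]string, error) {
	out := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		if _, dup := out[k]; dup {
			return nil, fmt.Errorf("duplicate query parameter %q", k)
		}
		out[k] = v
	}
	return out, nil
}

// VerifyRedirectQuery checks Signature over a received query. Parameters may
// arrive in any order; the signed string is rebuilt in the spec's fixed order.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	p, err := rawQueryValues(rawQuery)
	if err != nil {
		return err
	}
	_, hasReq := p["SAMLRequest"]
	_, hasResp := p["SAMLResponse"]
	if hasReq == hasResp { // neither, or both
		return errors.New("need exactly one of SAMLRequest or SAMLResponse")
	}
	msgParam := "SAMLRequest"
	if hasResp {
		msgParam = "SAMLResponse"
	}
	encSigAlg, ok := p["SigAlg"]
	if alg, e := url.QueryUnescape(encSigAlg); !ok || e != nil || alg != sigAlgRSASHA256 {
		return fmt.Errorf("missing or unsupported SigAlg %q", encSigAlg)
	}
	sigB64, err := url.QueryUnescape(p["Signature"])
	if err != nil || sigB64 == "" {
		return errors.New("missing or malformed Signature")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	encRelay, hasRelay := p["RelayState"]
	digest := sha256.Sum256(signedOctets(msgParam, p[msgParam], encRelay, hasRelay, encSigAlg))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature verification failed")
	}
	return nil
}

// NewDemoKey makes a throwaway RSA key for the demonstration.
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	key, _ := NewDemoKey()
	// Constructed sample: msg stands in for a DEFLATE+base64 LogoutRequest.
	q, _ := SignRedirectQuery(key, "SAMLRequest", "AbCd+Ef/Gh==", "https://sp.example/return?x=1")
	fmt.Println(q, "\nvalid:", VerifyRedirectQuery(&key.PublicKey, q))
	fmt.Println("tampered:", VerifyRedirectQuery(&key.PublicKey, strings.Replace(q, "RelayState=", "RelayState=x", 1)))
}
```

The verifier deliberately does not go through url.ParseQuery: re-encoding decoded values can yield different bytes (for instance `%20` versus `+`) from what the sender signed, which is a common source of spurious signature failures. It also refuses duplicate parameters, so a second SAMLRequest or RelayState cannot be smuggled in beside the signed one, and it pins SigAlg rather than trusting whatever algorithm the query names.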

Hey, @crewjam, any blocker to having this merged? I have some time to fix this up if needed.

We've been running it in production for a few months now.

Jguer avatar Mar 06 '23 13:03 Jguer

I can confirm this does work properly. Also passes verification with this tool (which master does not):

  • sign a login request with the library and validate here: https://www.samltool.com/validate_authn_req.php
  • generate a signed response and have it validated with the library: https://www.samltool.com/sign_response.php

omerkarj avatar Aug 16 '23 09:08 omerkarj