How to Verify SAMLRequest Signature
Article ID: 103628
Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign-On
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

How can a SAMLRequest (authnrequest) signature be verified outside of Single Sign On/Siteminder?

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP

Resolution

This article includes a little extra context (the partnership configuration the capture came from) so that you can map the steps onto your own environment. The overall process is simple: 

1) Open Fiddler 
2) Submit a signed AuthnRequest to the IdP 
3) Capture the request query parameters from Fiddler and paste them into Notepad 
4) Use a URL decoder to URL-decode the individual parameter values (no need to decode the SigAlg) 
5) Export the SP signing certificate (the alias the IdP-side partnership uses as its Verification Certificate) from the WAMUI; export the certificate only, not the private key 
5a) Open the exported .cer file with Notepad and copy all the text 
6) Enter the needed values in the validation tool and verify 

Here are the detailed steps: 

Create Partnerships (prerequisite: create all the required objects too) 
----------------------------------------------------------------- 
IDP2SP 
Signature : 
Signing 
Private Key Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST 
Signing Algorithm: RSAwithSHA1 
Sign ArtifactResponse: Yes 
Artifact Signature Options: Sign Both 
Post Signature Options: Sign Both 
Verification: 
Verification Certificate Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST 
Secondary Verification Certificate Alias: 
Require Signed Authentication Requests: Yes 


SP2IDP 
Signature: 
Signing Private Key Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST 
Signing Algorithm: RSAwithSHA1 
Sign Authentication Requests: Yes 
Verification: 
Verification Certificate Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST 


Open Fiddler 
---------------- 
For the first two transactions, see the last section. 

Run Authn request transaction 
----------------------------- 
http://wa.cons.com:88/affwebservices/public/saml2authnrequest?ProviderID=IDPID 

Collect the following request data (From Fiddler or logs) 
--------------------------------------------------------- 
http://wa.prod.com:88/affwebservices/public/saml2sso?SAMLRequest=fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh%2BG9N%2B%2FNlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi%2B0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP%2FFQSGdJ8nIPXp2DYl%2FZH41rwLnLY52pD8Pbq2yyTc35I84etE9%2FGwQsEbnJXUg1Y9ofWmpL9%2FUH8A&RelayState=712c896f6b6bcc3fbc10b081852dc8ce2c697de1&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=fpbisgTQBX%2BwYT4CzP0Aygym2pw1A%2BFKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV%2B181c103WXbM%2FmxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ%3D 

From the above Request, collect the following 8 values 
------------------------------------------------------- 
1. SAML AuthN Request (EncodedDeflated) 
fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh%2BG9N%2B%2FNlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi%2B0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP%2FFQSGdJ8nIPXp2DYl%2FZH41rwLnLY52pD8Pbq2yyTc35I84etE9%2FGwQsEbnJXUg1Y9ofWmpL9%2FUH8A 

URL-decode the value; I used the following site: http://www.url-encode-decode.com

VALUE 
fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh+G9N+/NlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi+0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP/FQSGdJ8nIPXp2DYl/ZH41rwLnLY52pD8Pbq2yyTc35I84etE9/GwQsEbnJXUg1Y9ofWmpL9/UH8A 

2. SP EntityId 
VALUE 
SPID 

3. Target URL, Destination of the AuthN Request 
VALUE 
http://wa.prod.com:88/affwebservices/public/saml2sso 

4. Private Key of the Identity Provider (to decrypt elements) 
Not needed: the AuthnRequest is signed but not encrypted, and signature verification needs only the SP's public certificate. 

5. X.509 cert of the Service Provider (to check Signature) 
The SP2IDP partnership signs authentication requests with the dsigningcert private key, and the IDP2SP partnership verifies them with the dsigningcert certificate, so that is the certificate to export. 
Launch AdminUi 
Navigate to 
Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys > point to dsigningcert > from Actions list select export 
Alias: dsigningcert 
Type: Private Key and Certificate 
Format: X509-PEM 
Select the Export Certificate checkbox (only the public certificate is needed, and it is the only thing that should ever be pasted into a third-party tool; do not export the private key) 
Click Export button 
Save 
Give it a name, say dsigningcert.cer 
Open the above .cer in Notepad and copy the contents. 

VALUE 
-----BEGIN CERTIFICATE----- 
MIICjTCCAfYCCQDgnUOZXG0p0DANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UE 
BhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcTCkZyYW1p 
bmdoYW0xCzAJBgNVBAoTAkNBMQswCQYDVQQLEwJRQTEPMA0GA1UEAxMGQ0FS 
b290MSAwHgYJKoZIhvcNAQkBFhFqdW5rQG1hcGxlLmNhLmNvbTAeFw0xNTEx 
MjAxMjQ4NTZaFw0yNTExMTcxMjQ4NTZaMIGNMQswCQYDVQQGEwJVUzEWMBQG 
A1UECBMNTWFzc2FjaHVzZXR0czETMBEGA1UEBxMKRnJhbWluZ2hhbTELMAkG 
A1UEChMCQ0ExCzAJBgNVBAsTAlFBMRUwEwYDVQQDEwxEc2lnbmluZ0NlcnQx 
IDAeBgkqhkiG9w0BCQEWEWp1bmtAbWFwbGUuY2EuY29tMIGfMA0GCSqGSIb3 
DQEBAQUAA4GNADCBiQKBgQDT9q7IzLGhpMVu3LmlQC/E2ans+OWNXx6HVr4R 
tzmH3npeHJTVfX0cfsn/mZK7LPHY1nonf692NiqolK4mLZ/W720TkhITlVNr 
tvvKQx3Icr7yrIIc0R3qtGitHu5Uyt8d6iHqzTrqcaweJGnJikyprvagK2IK 
0yP75+VdJNB7WQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAL1HVyaSAtJhoQMY 
SbwVsmaquY33/Z+YTBcjn+oL3erHBNKiT7+ETv5Qcs68h6b6qcbZ31SEWoBU 
wSGQD9Myn6m+cqowrn8HeuUNGJm6JDq+Bp1szwA3H6MD6wOUcU/J3Z6D3nah 
nIOpzKmAw13Yb+ss/nucD9O2rUjyG08a265F 
-----END CERTIFICATE----- 

6. Signature of the SAML AuthN Request 
fpbisgTQBX%2BwYT4CzP0Aygym2pw1A%2BFKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV%2B181c103WXbM%2FmxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ%3D 

URL-decode the value; I used the following site: http://www.url-encode-decode.com
VALUE 
fpbisgTQBX+wYT4CzP0Aygym2pw1A+FKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV+181c103WXbM/mxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ= 

7. RelayState 
712c896f6b6bcc3fbc10b081852dc8ce2c697de1 

8. SigAlg 
http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 

Using Online AuthnRequest Validation tool 
----------------------------------------- 
Open the following online tool: https://www.samltool.com/validate_authn_req.php 
Fill in the required fields from the values collected above (note that everything pasted there, including the AuthnRequest and RelayState, is sent to a third-party site). 
Click : Validate SAML AUTHN REQUEST 
Result : THE SAML AUTHN REQUEST IS VALID 
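The same check can be done offline, which avoids handing the captured request to a third-party site. The script below is an added example (not part of this article, and not SiteMinder or samltool code) that takes the query string and the dsigningcert certificate from this article as its input. It recovers the signed octets directly from the raw query, extracts the RSA public key from the certificate with a minimal DER walk, performs RSASSA-PKCS1-v1_5 verification using the DigestInfo that matches the SigAlg URI, and inflates the SAMLRequest so the Issuer and Destination can be read. It assumes that Signature is the last query parameter (as SiteMinder sends it); the rsa-sha256 entry goes beyond the article, which only uses rsa-sha1. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import urllib.parse
import zlib

# Redirect query string captured in the article (SiteMinder SP -> IdP), copied verbatim.
QUERY = (
    "SAMLRequest="
    "fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh%2BG9N%2B%2FNlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi%2B0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RL"
    "orapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP%2FFQSGdJ8nIPXp2DYl%2FZH41rwLnLY52pD8Pbq2yyTc35I84etE9%2FGwQsEbnJXUg1Y9ofWmpL9%2FUH8A"
    "&RelayState=712c896f6b6bcc3fbc10b081852dc8ce2c697de1"
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
    "&Signature=fpbisgTQBX%2BwYT4CzP0Aygym2pw1A%2BFKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV%2B181c103WXbM%2FmxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ%3D"
)

# dsigningcert as exported from the WAMUI: the SP's public signing certificate only, no private key.
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICjTCCAfYCCQDgnUOZXG0p0DANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UE
BhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcTCkZyYW1p
bmdoYW0xCzAJBgNVBAoTAkNBMQswCQYDVQQLEwJRQTEPMA0GA1UEAxMGQ0FS
b290MSAwHgYJKoZIhvcNAQkBFhFqdW5rQG1hcGxlLmNhLmNvbTAeFw0xNTEx
MjAxMjQ4NTZaFw0yNTExMTcxMjQ4NTZaMIGNMQswCQYDVQQGEwJVUzEWMBQG
A1UECBMNTWFzc2FjaHVzZXR0czETMBEGA1UEBxMKRnJhbWluZ2hhbTELMAkG
A1UEChMCQ0ExCzAJBgNVBAsTAlFBMRUwEwYDVQQDEwxEc2lnbmluZ0NlcnQx
IDAeBgkqhkiG9w0BCQEWEWp1bmtAbWFwbGUuY2EuY29tMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDT9q7IzLGhpMVu3LmlQC/E2ans+OWNXx6HVr4R
tzmH3npeHJTVfX0cfsn/mZK7LPHY1nonf692NiqolK4mLZ/W720TkhITlVNr
tvvKQx3Icr7yrIIc0R3qtGitHu5Uyt8d6iHqzTrqcaweJGnJikyprvagK2IK
0yP75+VdJNB7WQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAL1HVyaSAtJhoQMY
SbwVsmaquY33/Z+YTBcjn+oL3erHBNKiT7+ETv5Qcs68h6b6qcbZ31SEWoBU
wSGQD9Myn6m+cqowrn8HeuUNGJm6JDq+Bp1szwA3H6MD6wOUcU/J3Z6D3nah
nIOpzKmAw13Yb+ss/nucD9O2rUjyG08a265F
-----END CERTIFICATE-----"""

# DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1), keyed by XML-DSig SigAlg URI.
DIGEST_INFO = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": ("sha1", bytes.fromhex("3021300906052b0e03021a05000414")),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": ("sha256", bytes.fromhex("3031300d060960864801650304020105000420")),
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):                         # TLVs contained in a DER constructed value
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_public_key_from_cert(pem):
    """Extract (n, e) from the SubjectPublicKeyInfo of a PEM X.509 certificate."""
    body = "".join(line.strip() for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    _, cert_start, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)       # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version (absent in v1 certs)
        fields = fields[1:]
    spki = fields[5]                                    # serial, sigAlg, issuer, validity, subject, SPKI
    _, bitstr = _children(der, spki[1], spki[2])        # AlgorithmIdentifier, BIT STRING
    _, key_start, key_end = _tlv(der, bitstr[1] + 1)    # skip unused-bits octet -> RSAPublicKey SEQUENCE
    n_tlv, e_tlv = _children(der, key_start, key_end)
    return (int.from_bytes(der[n_tlv[1]:n_tlv[2]], "big"),
            int.from_bytes(der[e_tlv[1]:e_tlv[2]], "big"))

def split_signed_query(query):
    """Return (signed octets, signature bytes, SigAlg URI) from the raw redirect query.

    The binding signs the percent-encoded string SAMLRequest=...&RelayState=...&SigAlg=...
    exactly as sent, so it is taken verbatim from the wire rather than re-encoded from decoded values.
    """
    signed, _, sig = query.partition("&Signature=")
    params = dict(urllib.parse.parse_qsl(signed, keep_blank_values=True))
    return signed.encode("ascii"), base64.b64decode(urllib.parse.unquote(sig)), params["SigAlg"]

def verify_redirect_signature(query, cert_pem):
    """RSASSA-PKCS1-v1_5 verification of the redirect signature against the SP certificate."""
    data, signature, sig_alg = split_signed_query(query)
    if sig_alg not in DIGEST_INFO:
        raise ValueError("unsupported SigAlg: " + sig_alg)
    hash_name, prefix = DIGEST_INFO[sig_alg]
    n, e = rsa_public_key_from_cert(cert_pem)
    k = (n.bit_length() + 7) // 8                       # modulus length in octets
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = prefix + hashlib.new(hash_name, data).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def decode_authn_request(query):
    """Inflate the SAMLRequest parameter (base64 of raw DEFLATE) back into XML text."""
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15).decode("utf-8")

if __name__ == "__main__":
    print("signature valid:", verify_redirect_signature(QUERY, CERT_PEM))
    print(decode_authn_request(QUERY))
```

Two points worth keeping in mind when adapting this. The bytes under the signature are the query string as it arrived, so a verifier that URL-decodes and re-encodes the parameters can produce a different byte string from the signer's (different case of hex digits, or space encoded as %20 versus +) and fail on a perfectly good request; verifying over the raw query avoids that. And rsa-sha1 is accepted here only because it is what this partnership is configured with (Signing Algorithm: RSAwithSHA1); SHA-1 signatures are deprecated, and a production verifier should restrict the SigAlg it accepts to rsa-sha256 or stronger rather than trusting whatever URI the request names.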
