Verifying a SAMLRequest (authnrequest) signature outside of Single Sign On/Siteminder
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
There is a little bit of extra information in here, but it helps set context in case you have any questions about how to apply this to your environment. The overall process is simple:
1) Open Fiddler
2) Submit a signed authnrequest to the IDP
3) Capture the request query parameters from Fiddler (or siteminder logs) and paste into Notepad
4) Use a URL Decoder to URL-decode the individual parameter values (no need to decode the SigAlg)
5) Export the certificate from the Partnership in the WAMUI
5a) Open the exported .cer file with Notepad and copy all the text
6) Enter needed values and verify
Here are the detailed steps:
Create Partnerships (Prereq create all the required objects too)
-----------------------------------------------------------------
IDP2SP
Signature :
Signing
Private Key Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST
Signing Algorithm: RSAwithSHA1
Sign ArtifactResponse: Yes
Artifact Signature Options: Sign Both
Post Signature Options: Sign Both
Verification:
Verification Certificate Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Secondary Verification Certificate Alias:
Require Signed Authentication Requests: Yes
SP2IDP
Signature:
Signing Private Key Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Signing Algorithm: RSAwithSHA1
Sign Authentication Requests: Yes
Verification:
Verification Certificate Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST
Open Fiddler
----------------
First 2 transactions see last section in this.
Run Authn request transaction
-----------------------------
http://idp.example.com:88/affwebservices/public/saml2authnrequest?ProviderID=IDPID
Collect the following request data (From Fiddler or logs)
---------------------------------------------------------
http://idp.example.com:88/affwebservices/public/saml2sso?SAMLRequest=<Encoded_SAML_Request>&RelayState=<RelayState_value>&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=<Signature_value_encoded>
From the above Request, collect the following 8 values
-------------------------------------------------------
1. SAML AuthN Request (EncodedDeflated)
<Encoded_SAML_Request>
To decode the URL the following url may be used:http://www.url-encode-decode.com/
VALUE
<Decoded_SAML_Request>
2. SP EntityId
VALUE
SPID
3. Target URL, Destination of the AuthN Request
VALUE
http://idp.example.com:88/affwebservices/public/saml2sso
4. Private Key of the Identity Provider (to decrypt elements)
Not needed
5. X.509 cert of the Service Provider (to check Signature)
As we have signed the authn request with the dsigningcert
Launch AdminUi
Navigate to
Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys > point to dsigningcert1 > from Actions list select export
Alias : dsigningcertType : Private Key and CertificateFormat : X509-PEM
Select Export Certificate checkbox
Click Export button
Save
give a name say dsigningcert.cer
Open the above cer in noetpad copy the contents.
VALUE
-----BEGIN CERTIFICATE-----
<X.509 Signature validdation certificate exported>
-----END CERTIFICATE-----
6. Signature of the SAML AuthN Request
<Signature_value_encoded>
Get Decoded URL. A convenient URL which may be used is the following:http://www.url-encode-decode.com/
VALUE
<Signature_value_decoded>
7. RelayState
<Relay State value>
8. SigAlg
http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Using Online AuthnRequest Validation tool
-----------------------------------------
Open the following online tool : https://www.samltool.com/validate_authn_req.php
Fill the required values from above values collection section.
Click : Validate SAML AUTHN REQUEST
Result : THE SAML AUTHN REQUEST IS VALID
========================================================================
========================================================================