How to Verify SAMLRequest Signature
Article ID: 103628
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign-On
CA Single Sign On Federation (SiteMinder)
Issue/Introduction
How can a SAMLRequest (authnrequest) signature be verified outside of Single Sign On/Siteminder?
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
Component:
Resolution
There is a little bit of extra information in here, but it helps set context in case you have any questions about how to apply this to your environment. The overall process is simple:
1) Open Fiddler
2) Submit a signed authnrequest to the IDP
3) Capture the request query parameters from Fiddler and paste into Notepad
4) Use a URL Decoder to URL-decode the individual parameter values (no need to decode the SigAlg)
5) Export the certificate from the Partnership in the WAMUI
5a) Open the exported .cer file with Notepad and copy all the text
6) Enter needed values and verify
Here are the detailed steps:
Create Partnerships (Prereq create all the required objects too)
-----------------------------------------------------------------
IDP2SP
Signature :
Signing
Private Key Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST
Signing Algorithm: RSAwithSHA1
Sign ArtifactResponse: Yes
Artifact Signature Options: Sign Both
Post Signature Options: Sign Both
Verification:
Verification Certificate Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Secondary Verification Certificate Alias:
Require Signed Authentication Requests: Yes
SP2IDP
Signature:
Signing Private Key Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Signing Algorithm: RSAwithSHA1
Sign Authentication Requests: Yes
Verification:
Verification Certificate Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST
Open Fiddler
----------------
First 2 transactions see last section in this.
Run Authn request transaction
-----------------------------
http://wa.cons.com:88/affwebservices/public/saml2authnrequest?ProviderID=IDPID
Collect the following request data (From Fiddler or logs)
---------------------------------------------------------
http://wa.prod.com:88/affwebservices/public/saml2sso?SAMLRequest=fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh%2BG9N%2B%2FNlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi%2B0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP%2FFQSGdJ8nIPXp2DYl%2FZH41rwLnLY52pD8Pbq2yyTc35I84etE9%2FGwQsEbnJXUg1Y9ofWmpL9%2FUH8A&RelayState=712c896f6b6bcc3fbc10b081852dc8ce2c697de1&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=fpbisgTQBX%2BwYT4CzP0Aygym2pw1A%2BFKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV%2B181c103WXbM%2FmxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ%3D
From the above Request, collect the following 8 values
-------------------------------------------------------
1. SAML AuthN Request (EncodedDeflated)
fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh%2BG9N%2B%2FNlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi%2B0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP%2FFQSGdJ8nIPXp2DYl%2FZH41rwLnLY52pD8Pbq2yyTc35I84etE9%2FGwQsEbnJXUg1Y9ofWmpL9%2FUH8A
Get Decoded URL I used the following url :http://www.url-encode-decode.com/
VALUE
fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh+G9N+/NlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi+0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP/FQSGdJ8nIPXp2DYl/ZH41rwLnLY52pD8Pbq2yyTc35I84etE9/GwQsEbnJXUg1Y9ofWmpL9/UH8A
2. SP EntityId
VALUE
SPID
3. Target URL, Destination of the AuthN Request
VALUE
http://wa.prod.com:88/affwebservices/public/saml2sso
4. Private Key of the Identity Provider (to decrypt elements)
Not needed
5. X.509 cert of the Service Provider (to check Signature)
As we have signed the authn request with the dsigningcert
Launch AdminUi
Navigate to
Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys > point to dsigningcert > from Actions list select export
Alias : dsigningcertType : Private Key and CertificateFormat : X509-PEM
Select Export Certificate checkbox
Click Export button
Save
give a name say dsigningcert.cer
Open the above cer in notpad copy the contents.
VALUE
-----BEGIN CERTIFICATE-----
MIICjTCCAfYCCQDgnUOZXG0p0DANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UE
BhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcTCkZyYW1p
bmdoYW0xCzAJBgNVBAoTAkNBMQswCQYDVQQLEwJRQTEPMA0GA1UEAxMGQ0FS
b290MSAwHgYJKoZIhvcNAQkBFhFqdW5rQG1hcGxlLmNhLmNvbTAeFw0xNTEx
MjAxMjQ4NTZaFw0yNTExMTcxMjQ4NTZaMIGNMQswCQYDVQQGEwJVUzEWMBQG
A1UECBMNTWFzc2FjaHVzZXR0czETMBEGA1UEBxMKRnJhbWluZ2hhbTELMAkG
A1UEChMCQ0ExCzAJBgNVBAsTAlFBMRUwEwYDVQQDEwxEc2lnbmluZ0NlcnQx
IDAeBgkqhkiG9w0BCQEWEWp1bmtAbWFwbGUuY2EuY29tMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDT9q7IzLGhpMVu3LmlQC/E2ans+OWNXx6HVr4R
tzmH3npeHJTVfX0cfsn/mZK7LPHY1nonf692NiqolK4mLZ/W720TkhITlVNr
tvvKQx3Icr7yrIIc0R3qtGitHu5Uyt8d6iHqzTrqcaweJGnJikyprvagK2IK
0yP75+VdJNB7WQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAL1HVyaSAtJhoQMY
SbwVsmaquY33/Z+YTBcjn+oL3erHBNKiT7+ETv5Qcs68h6b6qcbZ31SEWoBU
wSGQD9Myn6m+cqowrn8HeuUNGJm6JDq+Bp1szwA3H6MD6wOUcU/J3Z6D3nah
nIOpzKmAw13Yb+ss/nucD9O2rUjyG08a265F
-----END CERTIFICATE-----
6. Signature of the SAML AuthN Request
fpbisgTQBX%2BwYT4CzP0Aygym2pw1A%2BFKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV%2B181c103WXbM%2FmxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ%3D
Get Decoded URL I used the following url :http://www.url-encode-decode.com/
VALUE
fpbisgTQBX+wYT4CzP0Aygym2pw1A+FKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV+181c103WXbM/mxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ=
7. RelayState
712c896f6b6bcc3fbc10b081852dc8ce2c697de1
8. SigAlg
http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Using Online AuthnRequest Validation tool
-----------------------------------------
Open the following online tool : https://www.samltool.com/validate_authn_req.php
Fill the required values from above values collection section.
Click : Validate SAML AUTHN REQUEST
Result : THE SAML AUTHN REQUEST IS VALID
========================================================================
========================================================================
1) Open Fiddler
2) Submit a signed authnrequest to the IDP
3) Capture the request query parameters from Fiddler and paste into Notepad
4) Use a URL Decoder to URL-decode the individual parameter values (no need to decode the SigAlg)
5) Export the certificate from the Partnership in the WAMUI
5a) Open the exported .cer file with Notepad and copy all the text
6) Enter needed values and verify
Here are the detailed steps:
Create Partnerships (Prereq create all the required objects too)
-----------------------------------------------------------------
IDP2SP
Signature :
Signing
Private Key Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST
Signing Algorithm: RSAwithSHA1
Sign ArtifactResponse: Yes
Artifact Signature Options: Sign Both
Post Signature Options: Sign Both
Verification:
Verification Certificate Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Secondary Verification Certificate Alias:
Require Signed Authentication Requests: Yes
SP2IDP
Signature:
Signing Private Key Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Signing Algorithm: RSAwithSHA1
Sign Authentication Requests: Yes
Verification:
Verification Certificate Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST
Open Fiddler
----------------
First 2 transactions see last section in this.
Run Authn request transaction
-----------------------------
http://wa.cons.com:88/affwebservices/public/saml2authnrequest?ProviderID=IDPID
Collect the following request data (From Fiddler or logs)
---------------------------------------------------------
http://wa.prod.com:88/affwebservices/public/saml2sso?SAMLRequest=fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh%2BG9N%2B%2FNlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi%2B0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP%2FFQSGdJ8nIPXp2DYl%2FZH41rwLnLY52pD8Pbq2yyTc35I84etE9%2FGwQsEbnJXUg1Y9ofWmpL9%2FUH8A&RelayState=712c896f6b6bcc3fbc10b081852dc8ce2c697de1&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=fpbisgTQBX%2BwYT4CzP0Aygym2pw1A%2BFKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV%2B181c103WXbM%2FmxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ%3D
From the above Request, collect the following 8 values
-------------------------------------------------------
1. SAML AuthN Request (EncodedDeflated)
fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh%2BG9N%2B%2FNlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi%2B0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP%2FFQSGdJ8nIPXp2DYl%2FZH41rwLnLY52pD8Pbq2yyTc35I84etE9%2FGwQsEbnJXUg1Y9ofWmpL9%2FUH8A
Get Decoded URL I used the following url :http://www.url-encode-decode.com/
VALUE
fVHBSsQwEL3vV5Tc2yRtt7sObWGhCAWVxRUPXiRNUzbQJrWTuPr3xiroRecwh+G9N+/NlAfvzuZevXiFLmpC00Y4bU1Fzs7NQOlFJPNi+0TaCfZ7KobhojpUy6uWCunsu1FLimIaU0RLorapyLMYOpb2eTZIKTvWqSJUILKcZTvOWFHst0WAInrVGnTCuIqkjO9ilsVp9sBzyLfAr55I9KgWXN2kCSPR2zQarIhfDFiBGsGISSE4CafD7Q0EDASvzko7knoThSoNclgXLV9sCIP/FQSGdJ8nIPXp2DYl/ZH41rwLnLY52pD8Pbq2yyTc35I84etE9/GwQsEbnJXUg1Y9ofWmpL9/UH8A
2. SP EntityId
VALUE
SPID
3. Target URL, Destination of the AuthN Request
VALUE
http://wa.prod.com:88/affwebservices/public/saml2sso
4. Private Key of the Identity Provider (to decrypt elements)
Not needed
5. X.509 cert of the Service Provider (to check Signature)
As we have signed the authn request with the dsigningcert
Launch AdminUi
Navigate to
Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys > point to dsigningcert > from Actions list select export
Alias : dsigningcertType : Private Key and CertificateFormat : X509-PEM
Select Export Certificate checkbox
Click Export button
Save
give a name say dsigningcert.cer
Open the above cer in notpad copy the contents.
VALUE
-----BEGIN CERTIFICATE-----
MIICjTCCAfYCCQDgnUOZXG0p0DANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UE
BhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcTCkZyYW1p
bmdoYW0xCzAJBgNVBAoTAkNBMQswCQYDVQQLEwJRQTEPMA0GA1UEAxMGQ0FS
b290MSAwHgYJKoZIhvcNAQkBFhFqdW5rQG1hcGxlLmNhLmNvbTAeFw0xNTEx
MjAxMjQ4NTZaFw0yNTExMTcxMjQ4NTZaMIGNMQswCQYDVQQGEwJVUzEWMBQG
A1UECBMNTWFzc2FjaHVzZXR0czETMBEGA1UEBxMKRnJhbWluZ2hhbTELMAkG
A1UEChMCQ0ExCzAJBgNVBAsTAlFBMRUwEwYDVQQDEwxEc2lnbmluZ0NlcnQx
IDAeBgkqhkiG9w0BCQEWEWp1bmtAbWFwbGUuY2EuY29tMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDT9q7IzLGhpMVu3LmlQC/E2ans+OWNXx6HVr4R
tzmH3npeHJTVfX0cfsn/mZK7LPHY1nonf692NiqolK4mLZ/W720TkhITlVNr
tvvKQx3Icr7yrIIc0R3qtGitHu5Uyt8d6iHqzTrqcaweJGnJikyprvagK2IK
0yP75+VdJNB7WQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAL1HVyaSAtJhoQMY
SbwVsmaquY33/Z+YTBcjn+oL3erHBNKiT7+ETv5Qcs68h6b6qcbZ31SEWoBU
wSGQD9Myn6m+cqowrn8HeuUNGJm6JDq+Bp1szwA3H6MD6wOUcU/J3Z6D3nah
nIOpzKmAw13Yb+ss/nucD9O2rUjyG08a265F
-----END CERTIFICATE-----
6. Signature of the SAML AuthN Request
fpbisgTQBX%2BwYT4CzP0Aygym2pw1A%2BFKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV%2B181c103WXbM%2FmxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ%3D
Get Decoded URL I used the following url :http://www.url-encode-decode.com/
VALUE
fpbisgTQBX+wYT4CzP0Aygym2pw1A+FKQSkiNmVakq6CaW2Xv1GOnVtoEsJrjkhVdbrNEOeemMYo3wojDDQVBtiV+181c103WXbM/mxxzWhgGxKFGqfEansE4bOPT1c7Dhei5r8QqbtSdl3p4Ug1gE8BO0KsIiTpacqmAM5PrmQ=
7. RelayState
712c896f6b6bcc3fbc10b081852dc8ce2c697de1
8. SigAlg
http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Using Online AuthnRequest Validation tool
-----------------------------------------
Open the following online tool : https://www.samltool.com/validate_authn_req.php
Fill the required values from above values collection section.
Click : Validate SAML AUTHN REQUEST
Result : THE SAML AUTHN REQUEST IS VALID
========================================================================
========================================================================
Feedback
Yes
No
Powered by
