Verifying a SAMLRequest (authnrequest) signature  outside of Single Sign On/Siteminder

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

There is a little bit of extra information in here, but it helps set context in case you have any questions about how to apply this to your environment. The overall process is simple: 

1) Open Fiddler 
2) Submit a signed authnrequest to the IDP 
3) Capture the request query parameters from Fiddler (or siteminder logs) and paste into Notepad 
4) Use a URL Decoder to URL-decode the individual parameter values (no need to decode the SigAlg) 
5) Export the certificate from the Partnership in the WAMUI 
5a) Open the exported .cer file with Notepad and copy all the text 
6) Enter needed values and verify 

Here are the detailed steps: 

Create Partnerships (Prereq create all the required objects too) 
----------------------------------------------------------------- 
IDP2SP 
Signature : 
Signing 
Private Key Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST 
Signing Algorithm: RSAwithSHA1 
Sign ArtifactResponse: Yes 
Artifact Signature Options: Sign Both 
Post Signature Options: Sign Both 
Verification: 
Verification Certificate Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST 
Secondary Verification Certificate Alias: 
Require Signed Authentication Requests: Yes 


SP2IDP 
Signature: 
Signing Private Key Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST 
Signing Algorithm: RSAwithSHA1 
Sign Authentication Requests: Yes 
Verification: 
Verification Certificate Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST 


Open Fiddler 
---------------- 
First 2 transactions see last section in this. 

Run Authn request transaction 
----------------------------- 
http://idp.example.com:88/affwebservices/public/saml2authnrequest?ProviderID=IDPID 

Collect the following request data (From Fiddler or logs) 
--------------------------------------------------------- 
http://idp.example.com:88/affwebservices/public/saml2sso?SAMLRequest=<Encoded_SAML_Request>&RelayState=<RelayState_value>&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=<Signature_value_encoded> 

From the above Request, collect the following 8 values 
------------------------------------------------------- 
1. SAML AuthN Request (EncodedDeflated) 
<Encoded_SAML_Request> 

To decode the URL the following url may be used:http://www.url-encode-decode.com/ 

VALUE 
<Decoded_SAML_Request>

2. SP EntityId 
VALUE 
SPID 

3. Target URL, Destination of the AuthN Request 
VALUE 
http://idp.example.com:88/affwebservices/public/saml2sso 

4. Private Key of the Identity Provider (to decrypt elements) 
Not needed 

5. X.509 cert of the Service Provider (to check Signature) 
As we have signed the authn request with the dsigningcert 
Launch AdminUi 
Navigate to 
Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys > point to dsigningcert1 > from Actions list select export 
Alias : dsigningcertType : Private Key and CertificateFormat : X509-PEM 
Select Export Certificate checkbox 
Click Export button 
Save 
give a name say dsigningcert.cer 
Open the above cer in noetpad copy the contents. 

VALUE 
-----BEGIN CERTIFICATE----- 
<X.509 Signature validdation certificate exported> 
-----END CERTIFICATE----- 

6. Signature of the SAML AuthN Request 
 <Signature_value_encoded> 

Get Decoded URL. A convenient URL which may be used is the following:http://www.url-encode-decode.com/ 
VALUE 
 <Signature_value_decoded>

7. RelayState 
<Relay State value>

8. SigAlg 
http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 

Using Online AuthnRequest Validation tool 
----------------------------------------- 
Open the following online tool : https://www.samltool.com/validate_authn_req.php 
Fill the required values from above values collection section. 
Click : Validate SAML AUTHN REQUEST 
Result : THE SAML AUTHN REQUEST IS VALID 

======================================================================== 
========================================================================