Verifying a SAMLRequest (authnrequest) signature outside of SiteMinder (Single Sign-On)
search cancel

Verifying a SAMLRequest (authnrequest) signature outside of SiteMinder (Single Sign-On)

book

Article ID: 103628

calendar_today

Updated On: 11-05-2024

Products

CA Single Sign-On CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction


How to Verify SAMLRequest Signature outside of SiteMinder (Single Sign-On)?

 

Resolution


There is a little bit of extra information in here, but it helps set the context when having any questions about how to apply the following to the environment.

The overall process is simple:

  1. 1) Open Fiddler;
  2. Submit a signed authnrequest to the IDP;
  3. Capture the request query parameters from Fiddler (or SiteMinder logs) and paste into Notepad;
  4. Use a URL Decoder to URL-decode the individual parameter values (no need to decode the SigAlg);
  5. Export the certificate from the Partnership in the WAMUI;

    Open the exported .cer file with Notepad and copy all the text;

  6. Enter needed values and verify;

Here are the detailed steps:

Create Partnerships (Prereq create all the required objects too)

IDP2SP
Signature :
Signing
Private Key Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST
Signing Algorithm: RSAwithSHA1
Sign ArtifactResponse: Yes
Artifact Signature Options: Sign Both
Post Signature Options: Sign Both
Verification:
Verification Certificate Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Secondary Verification Certificate Alias:
Require Signed Authentication Requests: Yes

SP2IDP
Signature:
Signing Private Key Alias: dsigningcert Expires on: Nov 17, 2025 07:48 AM EST
Signing Algorithm: RSAwithSHA1
Sign Authentication Requests: Yes
Verification:
Verification Certificate Alias: encryptioncert Expires on: Nov 17, 2025 07:52 AM EST


Open Fiddler

First 2 transactions see the last section in this.

 

Run Authn request transaction

 

http://idp.example.com:88/affwebservices/public/saml2authnrequest?ProviderID=IDPID

 

Collect the following request data (From Fiddler or logs)

http://idp.example.com:88/affwebservices/public/saml2sso?SAMLRequest=<Encoded_SAML_Request>&RelayState=<RelayState_value>&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=<Signature_value_encoded>

 

From the above Request, collect the following 8 values

 

  1. SAML AuthN Request (EncodedDeflated)

    <Encoded_SAML_Request>

    To decode the URL with the referenced link (1).

    VALUE
    <Decoded_SAML_Request>

  2. SP EntityId

    VALUE
    SPID

  3. Target URL, Destination of the AuthN Request

    VALUE
    http://idp.example.com:88/affwebservices/public/saml2sso
  4. Private Key of the Identity Provider (to decrypt elements)
    Not needed

  5. X.509 cert of the Service Provider (to check Signature)

    As the authnrequest has been signed with the dsigningcert

    Launch AdminUi
    Navigate to Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys > point to dsigningcert1 > from Actions list select export
    Alias : dsigningcertType : Private Key and CertificateFormat : X509-PEM
    Select Export Certificate checkbox
    Click Export button
    Save
    give a name say dsigningcert.cer
    Open the above cer in noetpad copy the contents.

    VALUE
    -----BEGIN CERTIFICATE-----
    <X.509 Signature validdation certificate exported>
    -----END CERTIFICATE-----

  6. Signature of the SAML AuthN Request

    <Signature_value_encoded>

    Get Decoded URL. A convenient URL which may be used for this (1).

    VALUE
    <Signature_value_decoded>

  7. RelayState

    <Relay State value>
  8. SigAlg 
    http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1

Using Online AuthnRequest Validation tool (2)


Fill the required values from above values collection section.
Click : Validate SAML AUTHN REQUEST
Result : THE SAML AUTHN REQUEST IS VALID

 

Additional Information

Powered by Wolken Software