Federation : SAMLResponse X509Data and Signature relationship
search cancel

Federation : SAMLResponse X509Data and Signature relationship


Article ID: 226117


Updated On:


CA Single Sign On Federation (SiteMinder) SITEMINDER


When running Federation Services, what is the usage of SignatureValue and X509Certificate from a SAMLResponse ?



At first glance, these are to sign and validate the signature the xml document which forms the SAMLResponse.

This preserves the integrity of the SAMLResponse XML document.

The X509Certificate is the IdP certificate that the SP site has in its configuration.

It will be used to verify the SignatureValue to insure that the SAMLResponse XML document comes from the IdP and thus the
document can be trusted and that the SAMLResponse XML document hasn't been modified since it has been signed.

The SP side will use the Certificate public key it has stored in its metadata to validate the X509Certificate value and the SignatureValue as described in the documentation (1).

Further description of signature (2), the X509Data (3), and the relationship between the X509Data element and the signature (4) (5).


Additional Information



    Signing and Verification Operations

The Policy Server uses a private key/certificate pair for signing and verification tasks. The private key/certificate pair signs the assertion, the assertion response, or authentication request. The specific message that is signed depends on the transaction taking place and the federation profile in use.

Before any signing transaction, the partner signing the assertion sends the certificate (public key) associated with the private key/certificate pair to the partner. This exchange is done as part of an out-of-band communication. The partner uses the certificate to verify the signature.

When a transaction occurs, the asserting party includes the certificate in the assertion, by default. During the verification process, however, the partner uses the certificate that it stores at its site to validate the signature.



4.3 The SignatureValue Element

The SignatureValue element contains the actual value of the digital signature; it is always encoded using base64 [RFC2045].



4.5.4 The X509Data Element

The X509Certificate element, which contains a base64-encoded [X509V3] certificate



SAML 2.0 x509 Certificate and Signature value?

The SignatureValue should be the real calculated digital signature value, base 64 encoded. X509Certificate is also the base 64 encoded signing certificate.



Purpose of the x509 certificate in metadata files on the IdP side (SSO structure)

When the SP gets a SAML response from the IdP via the browser, it must verify that the signature it gets comes from an IdP it knows and what signed using the IdP's private key; this signature can be verified against the IdP's public key in the certificate configured in the metadata.