Federation : SAMLResponse X509Data and Signature relationship

Article ID: 226117

Products

CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction

When running Federation Services, what is the purpose of the SignatureValue
and X509Certificate elements in a SAMLResponse?

Resolution

At first glance, these elements serve to sign, and to validate the
signature of, the XML document that forms the SAMLResponse. This
preserves the integrity of the SAMLResponse XML document.

The X509Certificate is the IdP certificate that the SP site holds in its
configuration. It is used to verify the SignatureValue, which ensures
both that the SAMLResponse XML document comes from the IdP, and can
therefore be trusted, and that the document has not been modified since
it was signed. The SP side uses the certificate (public key) stored in
its metadata to validate the X509Certificate value and the
SignatureValue, as described in the documentation (1).

Further description of the signature is given in (2), of the X509Data
element in (3), and of the relationship between the X509Data element and
the signature in (4) and (5).
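The verification rule described above, as an added Python example that is not SiteMinder code: the SP validates the SignatureValue only with the IdP certificate it holds in its metadata, and treats the X509Certificate embedded in ds:KeyInfo as a consistency check to alert on, never as the trust anchor. The certificate and signature bytes are constructed stand-ins, and the element names are the XML-DSig ones quoted in (2) and (3).

```python
"""Added example (not SiteMinder code): the SP validates SignatureValue with
the IdP certificate pinned in its metadata; the X509Certificate carried in
ds:KeyInfo is only cross-checked against it, never trusted on its own."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed stand-ins for DER certificate bytes, not real certificates.
IDP_CERT_DER = b"constructed-der-bytes-of-the-idp-certificate"
ROGUE_CERT_DER = b"constructed-der-bytes-of-some-other-certificate"


def build_sample_response(cert_der):
    """Construct a minimal SAMLResponse skeleton; cert_der=None omits ds:KeyInfo."""
    key_info = ""
    if cert_der is not None:
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
                    "</ds:X509Data></ds:KeyInfo>" % base64.b64encode(cert_der).decode())
    sig_b64 = base64.b64encode(b"constructed-signature-bytes").decode()  # stand-in blob
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
            '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>%s</ds:SignatureValue>'
            '%s</ds:Signature></samlp:Response>' % (sig_b64, key_info))


def _b64(text):
    # XML-DSig base64 is often line-wrapped: drop whitespace, then decode strictly.
    return base64.b64decode("".join((text or "").split()), validate=True)


def select_verification_cert(response_xml, metadata_cert_der):
    """Report which certificate the SP verifies with and whether the embedded
    X509Certificate agrees; the metadata certificate always wins."""
    sig = ET.fromstring(response_xml).find(".//" + DS + "Signature")
    if sig is None:
        raise ValueError("SAMLResponse carries no ds:Signature")
    sig_value = _b64(sig.findtext(DS + "SignatureValue"))
    if not sig_value:
        raise ValueError("ds:SignatureValue is missing or empty")
    cert_text = sig.findtext(DS + "KeyInfo/" + DS + "X509Data/" + DS + "X509Certificate")
    embedded = _b64(cert_text) if cert_text and cert_text.strip() else None
    return {
        # SHA-256 fingerprint of the pinned metadata certificate, never the embedded one
        "verify_with": hashlib.sha256(metadata_cert_der).hexdigest(),
        "signature_bytes": len(sig_value),
        "embedded_present": embedded is not None,
        "embedded_matches_metadata": embedded is None or embedded == metadata_cert_der,
    }
```

A response whose embedded certificate differs from the metadata certificate is still verified against the metadata certificate, and the mismatch flag gives the SP something to alert on.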

Additional Information

(1)

    Signing and Verification Operations

      The Policy Server uses a private key/certificate pair for signing and
      verification tasks. The private key/certificate pair signs the
      assertion, the assertion response, or the authentication request. The
      specific message that is signed depends on the transaction taking
      place and the federation profile in use.

      Before any signing transaction, the partner signing the assertion
      sends the certificate (public key) associated with the private
      key/certificate pair to the partner. This exchange is done as part of
      an out-of-band communication. The partner uses the certificate to
      verify the signature.

      When a transaction occurs, the asserting party includes the
      certificate in the assertion, by default. During the verification
      process, however, the partner uses the certificate that it stores at
      its site to validate the signature.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8.html

(2)

    4.3 The SignatureValue Element

      The SignatureValue element contains the actual value of the digital
      signature; it is always encoded using base64 [RFC2045].

    https://www.w3.org/TR/xmldsig-core/#sec-SignatureValue

(3)

    4.5.4 The X509Data Element

      The X509Certificate element, which contains a base64-encoded
      [X509V3] certificate

    https://www.w3.org/TR/xmldsig-core/#sec-X509Data

(4)

    SAML 2.0 x509 Certificate and Signature value?

      the SignatureValue should be the real calculated digital signature
      value, base 64 encoded. X509Certificate is also the base 64 encoded
      signing certificate.

    https://stackoverflow.com/questions/6814462/saml-2-0-x509-certificate-and-signature-value

(5)

    Purpose of the x509 certificate in metadata files on the IdP side (SSO structure)

      When the SP gets a SAML response from the IdP via the browser, it
      must verify that the signature it gets comes from an IdP it knows
      and was signed using the IdP's private key; this signature can be
      verified against the IdP's public key in the certificate configured
      in the metadata.

    https://serverfault.com/questions/382966/purpose-of-the-x509-certificate-in-metadata-files-on-the-idp-side-sso-structure