Question

I am implementing the SAML2 Single Log Out Protocol.

My Identity Provider uses the HTTP-Redirect binding for sending me the logout requests. The content of this request looks like this:

?SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9el5dVOv2Vf6L1nnTpmdPP%2fvo99%2bd3t%2b5f3BwsJ3t759v7x8c7G5nn%2b5Mth%2fe26f%2f7WXnDyaffpT%2bZF43RbX87KO98c5H6VnTrPOzZdNmy5Y%2b2tnd3cb%2f7r%2fZffBoZ%2ffR3sH44acHP%2fVR%2bpR6KZZZy2%2fO23bVPLp7dzUt2lne7O6Np3m9HE%2fnd4Hb3t3XL1%2bX1at8VtT5tL27yNvsuCyy5m6z%2big9qZZNjr7W9fJRlTVF82iZLfLmUTt99Pr4i%2bePCK1HU2n0aL1sVvm0OC%2fy2Ufpi6r9cvllfXze5nUP1U8F1V1C9d2iXDaPmEqbe1nVVVtNq%2fKjo8dMhlpe3fxS1jR5DTJ8dGTIYAZfVhfF8vFdgXX0%2bAW9e%2fY0fVbVi2zDeHfHu%2fxJMds%2b56aP8kVWlMezWZ03jQ7n1jiV66IZ19WsLi7W%2bQ%2fG54RatpzlP%2fg9FcnHdwWtI2Wj19QHvXhGbd4d%2ff47n%2b4d7O7dP99%2bcP7w%2fvb%2b3nS6nc0O8u3zWX7waZY%2f3JlM8sd3I2%2baDwOuPPp%2fAA%3d%3d&Signature=i1JxpKbaInBXsqTzPwG3E3NIPqCmK4mgLaYgUy%2fraNgscBBLLrQGObKm%2bLIu6Skh7iOb4r39HX6tCsq6p5CO97U7WfCwOnkJpgzAFjA0T9ByAzomh6LIC%2bpXGaINzhw2DPcv4cZYrUoSuEQl0OCaAAtYaarm%2f53qR0DMF5OhZkU%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256

Following the Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0, I am taking the ?SAMLRequest=value&SigAlg=value string and trying to verify it against the Signature=value string. The code (Java) that I am using is this:

import java.io.FileInputStream;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import sun.misc.BASE64Decoder;

// Retrieve the public key sent by the IdP (X.509 certificate on disk)
FileInputStream inputStream = new FileInputStream("/path/to/the/idp/sent/public/key");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate certificate = cf.generateCertificate(inputStream);
PublicKey publicKey = certificate.getPublicKey();

// Set up the verifier over the signed string (SAMLRequest=...&SigAlg=...) as it appears in the query
Signature signature = Signature.getInstance("SHA256withRSA");
signature.initVerify(publicKey);
signature.update("SAMLRequest=7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ%2fff%2fz9cZmQBbPbOStrJniGAqsgfP358Hz8iHjfZolw9el5dVOv2Vf6L1nnTpmdPP%2fvo99%2bd3t%2b5f3BwsJ3t759v7x8c7G5nn%2b5Mth%2fe26f%2f7WXnDyaffpT%2bZF43RbX87KO98c5H6VnTrPOzZdNmy5Y%2b2tnd3cb%2f7r%2fZffBoZ%2ffR3sH44acHP%2fVR%2bpR6KZZZy2%2fO23bVPLp7dzUt2lne7O6Np3m9HE%2fnd4Hb3t3XL1%2bX1at8VtT5tL27yNvsuCyy5m6z%2big9qZZNjr7W9fJRlTVF82iZLfLmUTt99Pr4i%2bePCK1HU2n0aL1sVvm0OC%2fy2Ufpi6r9cvllfXze5nUP1U8F1V1C9d2iXDaPmEqbe1nVVVtNq%2fKjo8dMhlpe3fxS1jR5DTJ8dGTIYAZfVhfF8vFdgXX0%2bAW9e%2fY0fVbVi2zDeHfHu%2fxJMds%2b56aP8kVWlMezWZ03jQ7n1jiV66IZ19WsLi7W%2bQ%2fG54RatpzlP%2fg9FcnHdwWtI2Wj19QHvXhGbd4d%2ff47n%2b4d7O7dP99%2bcP7w%2fvb%2b3nS6nc0O8u3zWX7waZY%2f3JlM8sd3I2%2baDwOuPPp%2fAA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256".getBytes());

// Base64-decode the Signature parameter exactly as it appears in the query string, then verify
if (signature.verify((new BASE64Decoder()).decodeBuffer("i1JxpKbaInBXsqTzPwG3E3NIPqCmK4mgLaYgUy%2fraNgscBBLLrQGObKm%2bLIu6Skh7iOb4r39HX6tCsq6p5CO97U7WfCwOnkJpgzAFjA0T9ByAzomh6LIC%2bpXGaINzhw2DPcv4cZYrUoSuEQl0OCaAAtYaarm%2f53qR0DMF5OhZkU%3d"))) {
    System.out.println("Signature OK!!!");
} else {
    System.out.println("Bad Signature!!!");
}

I am always getting the message Bad Signature!!!

Any ideas?


Solution

I was not URL-decoding the Signature value!!!

http://www.w3schools.com/tags/ref_urlencode.asp

Also be aware of URL-encoded upper/lower case: .net UrlEncode - lowercase problem

Hope it helps,

Luis
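The two-step decoding the answer points at (URL-decode the Signature parameter, then base64-decode it) and the case caveat from its second link, shown end to end in Java. This is an added example, not the asker's code nor the accepted answer's: it generates a throwaway RSA key to play the IdP, builds a constructed minimal LogoutRequest into a SAMLRequest query the way the HTTP-Redirect binding prescribes (raw DEFLATE, base64, URL-encode), signs the `SAMLRequest=...&SigAlg=...` string, and then verifies the Signature parameter both the way the question does it and the corrected way. The class name, the helper names and the sample XML are all assumptions made for the example.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.zip.Deflater;

public class RedirectBindingSignatureDemo {
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // SAMLRequest value per the HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode.
    static String encodeSamlRequest(String xml) throws Exception {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // nowrap: no zlib header
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return URLEncoder.encode(Base64.getEncoder().encodeToString(out.toByteArray()), "UTF-8");
    }

    // Return a parameter's value exactly as it appears in the query string, still URL-encoded.
    // Decoding and re-encoding can turn %2f into %2F and silently change the signed octets.
    static String rawParam(String query, String name) {
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    // The octets the binding signs: SAMLRequest=..[&RelayState=..]&SigAlg=.., values URL-encoded.
    static String signedString(String query) {
        String relayState = rawParam(query, "RelayState");
        return "SAMLRequest=" + rawParam(query, "SAMLRequest")
                + (relayState != null ? "&RelayState=" + relayState : "")
                + "&SigAlg=" + rawParam(query, "SigAlg");
    }

    // IdP side: sign, base64 the signature, URL-encode it for the wire.
    static String signatureParam(KeyPair idpKey, String toSign) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(idpKey.getPrivate());
        s.update(toSign.getBytes(StandardCharsets.US_ASCII));
        return URLEncoder.encode(Base64.getEncoder().encodeToString(s.sign()), "UTF-8");
    }

    static boolean verifyBytes(PublicKey idpPublicKey, String toSign, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(idpPublicKey);
        s.update(toSign.getBytes(StandardCharsets.US_ASCII));
        return s.verify(sig);
    }

    // The bug in the question: the Signature parameter reaches the base64 decoder with its %2f / %2b / %3d
    // escapes intact. A strict decoder rejects it; a lenient one yields bytes that are not the signature.
    static boolean verifySkippingUrlDecode(PublicKey idpPublicKey, String toSign, String sigParam) {
        try {
            return verifyBytes(idpPublicKey, toSign, Base64.getDecoder().decode(sigParam));
        } catch (Exception e) {
            return false;
        }
    }

    // The fix from the accepted answer: URL-decode, then base64-decode, then verify.
    static boolean verifyCorrectly(PublicKey idpPublicKey, String toSign, String sigParam) throws Exception {
        byte[] sig = Base64.getDecoder().decode(URLDecoder.decode(sigParam, "UTF-8"));
        return verifyBytes(idpPublicKey, toSign, sig);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the IdP's signing key; the SP would hold only the public half from IdP metadata.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair();

        // Constructed, minimal LogoutRequest; a real one also carries Issuer, NameID and IssueInstant.
        String xml = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_example\" Version=\"2.0\"/>";
        String samlRequest = encodeSamlRequest(xml);
        String sigAlg = URLEncoder.encode(RSA_SHA256, "UTF-8");
        String sigParam = signatureParam(idpKey, "SAMLRequest=" + samlRequest + "&SigAlg=" + sigAlg);
        String query = "SAMLRequest=" + samlRequest + "&Signature=" + sigParam + "&SigAlg=" + sigAlg;

        // SP side: rebuild the signed octets from the raw query and check the Signature parameter both ways.
        String toSign = signedString(query);
        String received = rawParam(query, "Signature");
        System.out.println("base64 of the raw parameter: " + verifySkippingUrlDecode(idpKey.getPublic(), toSign, received));
        System.out.println("URL-decoded first:           " + verifyCorrectly(idpKey.getPublic(), toSign, received));
    }
}
```

Compile and run with `javac RedirectBindingSignatureDemo.java && java RedirectBindingSignatureDemo` (Java 8 or later, standard library only). The first line prints false and the second true. Two details matter for the SP side: the string handed to `Signature.update` must be the parameter values as they arrived on the wire, not a decoded-and-re-encoded copy, because encoders differ in hex case (`%2f` versus `%2F`) and the IdP signed its own bytes; and the Signature parameter needs URL-decoding before base64-decoding, which is exactly the step the question's code skips. The public key used for `initVerify` should still be the one taken from the IdP's metadata, as in the question, since a signature that verifies under an arbitrary key proves nothing.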

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow