DSA signature check in SAML 2.0 with PHP

Question

I've checked SO and googled around, but haven't found answers so far. I am using SAML 2.0 as a service provider, and embedded php-saml - used simplesamlphp first, but found a bit tough to embed.

The IdP-s response comes back with a signature

<signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1">

and looks like xmlseclibs is not supporting dsa signatures.

Question A: any suggestions what to use to verify the dsa signature?

Question B: just curious what libs other people are using for SAML. I've just spent about 20 mins on simplesamlphp and found that it is totally dependant on it's own URL structures and being a proper webserver endpoint instead of just a library.

Cheers

Answer 1

PingFederate (from Ping Identity) gives you DSA as an option (As IDP and SP). Although XML Signature mandates the DSAwithSHA1 signature algorithm, it is not required by SAML V2.0, but is RECOMMENDED.

While PF is not a code library (it's a complete on-premise SSO solution) it supports all the various identity protocols needed for cloud computing (SAML 1.0/1.1/2.0/WS-Federation) and can pretty easily hook into a PHP application via RESTful Web Services or PHP Libraries.

Answer 2

Part of the historical reason for lacking DSA support in PHP libraries may be related to this:

• https://bugs.php.net/bug.php?id=41033