
OpenSAML how to check if SAML Response (signature/cert) is really from my IDP?

Hello, I have this XML as a SAML2 Response from my IDP:

  <Assertion ID="_97031c65-0139-4047-a416-9495df5d6ed7"
    IssueInstant="2016-10-26T07:45:43.438Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>
    </Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod
                Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_97031c65-0139-4047-a416-9495df5d6ed7">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>
                  KMaF...
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
          FHdZ....
        </ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
                <X509Certificate>
                  MII....
                </X509Certificate>
            </X509Data>
        </KeyInfo>
    </ds:Signature>
    ....

Now I want to check if the Response is a valid response from my IDP. How can this be done? (I am using OpenSAML 3.x Java.) Is it enough just to do a string comparison on the signature and the cert?

I also have a MetadataDocument.XML with the credential info from my IDP (Azure).

Related:
SAML 2.0 - How to verify the sender certificate?

OpenSAML (2.0) Signature validation not working

First things first:

Don't roll your own SAML implementation. There are just too many things you can get wrong that it's not worth the risk. I don't know if I can stress this enough. Use an open source, well known and tested implementation like Shibboleth SP or simplesamlphp.

Warning above aside, and assuming you are doing this for your own understanding and not as part of a product/service that will be available to anyone but you:

The way to check that the response comes from your IDP is to check the Digital Signature. For that, you must use the Public Key of the IDP (that is contained in the IDP certificate which you know from the IDP's metadata) in order to verify the Digital Signature. Please read about Digital Signatures and Digital Signature verification to understand what needs to be done and why. Then you can proceed on the how to do it by reading the Official Documentation. Some notes:

  • Don't trust the certificate that comes with the SAML Assertion. This is there just for the case you know multiple certs for a given Relying Party and you need to select the one that applies to the specific SAML conversation.
  • You can't do String comparison on the Signature. You cannot compute the same Signature as you don't have the Private Key that the IdP used to create it.
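An added example, not part of the question or the answer above, showing the check the answer describes with the OpenSAML 3.x API: the IdP signing certificate(s) are taken from the metadata file only, the certificate embedded in the message's KeyInfo is ignored, and the XML Signature is verified cryptographically rather than compared as a string. The class name `VerifyIdpSignature`, the file name `response.xml` (the base64-decoded SAMLResponse) and the idea of reading `MetadataDocument.xml` from the working directory are assumptions for the example; the poster's actual paths are not on the page.

```java
// Added example (not the poster's or OpenSAML's own code): verify that a SAML 2.0
// Response/Assertion was signed by the IdP described in MetadataDocument.xml.
// Assumed inputs: MetadataDocument.xml (IdP metadata) and response.xml
// (decoded SAMLResponse) in the working directory. Both paths are placeholders.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Element;

public class VerifyIdpSignature {

    /** Parse an XML file with OpenSAML's parser pool and unmarshall it into an XMLObject. */
    static XMLObject unmarshall(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            Element root = XMLObjectProviderRegistrySupport.getParserPool()
                    .parse(in).getDocumentElement();
            return XMLObjectProviderRegistrySupport.getUnmarshallerFactory()
                    .getUnmarshaller(root).unmarshall(root);
        }
    }

    /** Signing credentials from the IdP metadata. Several are possible during key rollover. */
    static List<Credential> idpSigningCredentials(EntityDescriptor idp) throws Exception {
        List<Credential> creds = new ArrayList<>();
        IDPSSODescriptor sso = idp.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
        for (KeyDescriptor kd : sso.getKeyDescriptors()) {
            // use="encryption" keys must never verify signatures; SIGNING or unspecified may.
            if (kd.getUse() == UsageType.ENCRYPTION || kd.getKeyInfo() == null) continue;
            for (X509Certificate cert : KeyInfoSupport.getCertificates(kd.getKeyInfo())) {
                creds.add(new BasicX509Credential(cert));
            }
        }
        return creds;
    }

    /** Throws unless the signature verifies under one of the trusted metadata credentials. */
    static void verifySignature(Signature sig, List<Credential> creds) throws SignatureException {
        // Reject non-standard layouts first (e.g. a Reference that does not point at the parent).
        new SAMLSignatureProfileValidator().validate(sig);
        // sig.getKeyInfo() (the cert inside the message) is deliberately not used here.
        SignatureException last = null;
        for (Credential c : creds) {
            try {
                SignatureValidator.validate(sig, c); // digest + RSA-SHA256 check with the metadata key
                return;
            } catch (SignatureException e) {
                last = e;
            }
        }
        throw last != null ? last : new SignatureException("no signing credential found in IdP metadata");
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();

        EntityDescriptor idp = (EntityDescriptor) unmarshall("MetadataDocument.xml");
        List<Credential> creds = idpSigningCredentials(idp);
        Response response = (Response) unmarshall("response.xml");

        // In the poster's message the Assertion is the signed element; a signed Response
        // is verified the same way and then covers every assertion inside it.
        if (response.isSigned()) {
            verifySignature(response.getSignature(), creds);
        }
        if (response.getAssertions().isEmpty()) {
            throw new SecurityException("no plaintext Assertion (encrypted assertions are out of scope here)");
        }
        for (Assertion a : response.getAssertions()) {
            if (!a.isSigned() && !response.isSigned()) {
                throw new SecurityException("Assertion " + a.getID() + " is not signed");
            }
            if (a.isSigned()) {
                verifySignature(a.getSignature(), creds);
            }
            // The Issuer must be the entityID the metadata (and therefore the key) belongs to.
            if (a.getIssuer() == null || !idp.getEntityID().equals(a.getIssuer().getValue())) {
                throw new SecurityException("unexpected Issuer in Assertion " + a.getID());
            }
        }
        System.out.println("signature and issuer verified against IdP metadata");
    }
}
```

Compile against the 3.x artifacts `opensaml-core`, `opensaml-saml-impl` and `opensaml-xmlsec-impl` (the `*-impl` modules register the unmarshallers and signature providers that `InitializationService.initialize()` loads). A passing signature check only proves who signed the message; before accepting the login you still have to check `Conditions` (`NotBefore`/`NotOnOrAfter`, `AudienceRestriction`), `SubjectConfirmationData` (`Recipient`, `InResponseTo` matching the request you sent) and that the assertion ID has not been seen before, which is exactly the kind of detail the answer's warning about rolling your own implementation is about.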
