
WSO2 IS 4.6.0: Composition of Signed SAML Authentication Request

Does anybody know the correct order of steps for creating a signed SAML Authentication Request?

I've tried the steps below, but unfortunately WSO2IS throws an exception:

  1. Generate the SAMLRequest value
  2. Encode the SAMLRequest value in Base64
  3. URL-encode the SAMLRequest value
  4. URL-encode the SigAlg value: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  5. Feed the signature algorithm (SHA1withRSA) with the string

     SAMLRequest=value&SigAlg=value

  6. URL-encode the generated signature

Thanks in advance

EXCEPTION MESSAGE:

ERROR {org.opensaml.xml.security.SigningUtil} - Error during signature verification
java.security.SignatureException: Signature length not correct: got 252 but was expecting 256
    at sun.security.rsa.RSASignature.engineVerify(Unknown Source)
    at java.security.Signature$Delegate.engineVerify(Unknown Source)
    at java.security.Signature.verify(Unknown Source)
    at org.opensaml.xml.security.SigningUtil.verify(SigningUtil.java:247)
    at org.opensaml.xml.security.SigningUtil.verify(SigningUtil.java:215)
    at org.opensaml.xml.security.SigningUtil.verifyWithURI(SigningUtil.java:184)
    at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:156)
    at org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator.validateSignature(SAML2HTTPRedirectDeflateSignatureValidator.java:78)
    at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateDeflateSignature(SAMLSSOUtil.java:625)
    at org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.validateAuthnRequestSignature(SAMLSSOUtil.java:578)
    at org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor.process(SPInitSSOAuthnRequestProcessor.java:108)
    at org.wso2.carbon.identity.sso.saml.SAMLSSOService.authenticate(SAMLSSOService.java:192)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequestFromLoginPage(SAMLSSOProviderServlet.java:415)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:127)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doPost(SAMLSSOProviderServlet.java:81)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)

Following is the method that is in the spec for the HTTP Redirect binding, which is supported by WSO2IS. Therefore what you have done is not correct. I guess you have missed the compression part.

  1. Build the SAML request using OpenSAML
  2. The SAML request is compressed using DEFLATE compression
  3. Base64 encoding is done on the compressed data
  4. URL encoding is done on the Base64-encoded data
  5. If RelayState is present, it must be URL-encoded

If the SAML request is signed with an XML signature, then we need to sign the URL-encoded form of the message as well, as follows.

  6. The signature algorithm identifier must be included, URL-encoded
  7. The signature is constructed over the following string (here the order is important):

     SAMLRequest=value&RelayState=value&SigAlg=value

  8. The signature value MUST be encoded using Base64 encoding with any whitespace removed, and included as a query string parameter named Signature

If you go through this sample SP implementation, you can see how it has been done. There is a class called SAML2SSOManager and a method buildRequest. You can go through it.
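The steps above, as an added example that is not code from the question, the answer or WSO2's sample SP: a Go standard-library implementation of both sides of the HTTP-Redirect binding. BuildSignedRedirectQuery follows the SP order (DEFLATE, Base64, URL-encode, sign "SAMLRequest=..&RelayState=..&SigAlg=..", Base64 the signature), and VerifyRedirectQuery does what the IdP does, including rejecting a raw signature whose length is not the modulus size, the condition behind the "Signature length not correct" exception. It assumes SHA1withRSA as in the question; the key, the AuthnRequest XML and the function names are constructed for the demo.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)
// Assumption: SHA1withRSA, as in the question (a current deployment should prefer rsa-sha256).
const SigAlgRSASHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
func GenerateSPKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) } // demo key only
// BuildSignedRedirectQuery follows the answer's order: raw DEFLATE, Base64, URL-encode, then sign
// the URL-encoded "SAMLRequest=..&RelayState=..&SigAlg=.." string (RelayState only if present).
func BuildSignedRedirectQuery(key *rsa.PrivateKey, authnXML, relayState string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE: no zlib header, no checksum
	w.Write([]byte(authnXML))
	w.Close()
	signed := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" { signed += "&RelayState=" + url.QueryEscape(relayState) }
	signed += "&SigAlg=" + url.QueryEscape(SigAlgRSASHA1)
	digest := sha1.Sum([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:]) // raw signature = modulus size
	if err != nil { return "", err }
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}
// VerifyRedirectQuery mirrors the IdP: rebuild the signed string from the parameters exactly as received
// (still URL-encoded), decode Signature, and reject a wrong-length signature before RSA verification.
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 { raw[p[0]] = p[1] }
	}
	signed := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok { signed += "&RelayState=" + rs }
	signed += "&SigAlg=" + raw["SigAlg"]
	sigB64, err := url.QueryUnescape(raw["Signature"])
	if err != nil { return err }
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil { return err }
	if len(sig) != pub.Size() { return fmt.Errorf("signature length not correct: got %d but was expecting %d", len(sig), pub.Size()) }
	digest := sha1.Sum([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig)
}
```

Note that the verifier concatenates the received, still-encoded parameter values rather than re-encoding decoded ones, so an SP that URL-encodes differently from the IdP's re-encoder still verifies as long as it signed exactly the bytes it sent.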
