1
votes

I have a SAML 2 response with one assertion which is signed, and the response itself is signed again. I use the code below to validate the signature profile of the response.

import org.opensaml.security.SAMLSignatureProfileValidator;

// Structural check: the signature must follow the SAML signature profile (enveloped, one Reference to the parent element)
SAMLSignatureProfileValidator signatureProfileValidator = new SAMLSignatureProfileValidator();
signatureProfileValidator.validate(response.getSignature());

And the code block below to validate the signature itself.

import org.opensaml.xml.signature.SignatureValidator;

// Cryptographic check: the signature must verify against the validating credential (the IdP's public key)
SignatureValidator signatureValidator = new SignatureValidator(validatingCredential);
signatureValidator.validate(response.getSignature());

But I believe that these only validate the response signature and the response signature profile. Do I need to validate the assertion signature as well? I have tried validating the assertion signature using the code block below, but it gives me a ValidationException, which means it is not valid. But it should be.

// Same credential as above, applied to the assertion's own signature; throws ValidationException on failure
SignatureValidator signatureValidator = new SignatureValidator(validatingCredential);
signatureValidator.validate(assertion.getSignature());
What does the ValidationException say? - Stefan Rasmusson
I use the same private key to sign the assertion and the response. If I validate only the response signature, it gets successfully validated. But if I try to validate the assertion signature with the same credential which was successful with the response, it gives the following exception: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79) Anyway, thanks Stefan. - Akalanka
Could you post the code where you do signing and verification on gist.github.com? - Stefan Rasmusson
gist.github.com/akalanka/58c72c48763daa94ad6e I have put a lot of log messages there. Please ignore them. My last question: do I really have to validate the assertion signature as well? Is it a common practice? I saw a lot of response signature validations, but no assertion signature validations. - Akalanka

1 Answer

0
votes

In order to be compliant (and if I'm reading the spec correctly), you do need to validate both signatures. I believe the SAML 2.0 Profiles doc says that when processing the SAMLResponse, the SP must "validate any signatures present". See Sect. 4.1.4.3 Message Processing Rules in the SAML 2.0 Profiles doc.
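Putting the question's snippets and the answer's rule together, the following is an added example (not code from the question, the answer, or the OpenSAML project) that runs the profile check and the key check over every signature present on a Response: the Response signature if there is one, and the signature on each Assertion if there is one. It uses the OpenSAML 2.x classes already named on this page plus SignableSAMLObject, Response, Assertion, Signature and Credential from the same library; the class name ResponseSignatureChecker and its methods are this example's own. The credential passed in is assumed to be the IdP's verification key.

```java
import java.util.List;

import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/**
 * Validates every signature present on a SAML 2.0 Response: the Response
 * signature (if any) and the signature on each enclosed Assertion (if any).
 * Example class for illustration; not part of OpenSAML.
 */
public final class ResponseSignatureChecker {

    private final SAMLSignatureProfileValidator profileValidator =
            new SAMLSignatureProfileValidator();
    private final SignatureValidator signatureValidator;

    /** @param idpCredential the IdP's public key or certificate used to verify signatures */
    public ResponseSignatureChecker(Credential idpCredential) {
        this.signatureValidator = new SignatureValidator(idpCredential);
    }

    /**
     * Checks the Response and all of its Assertions. Throws ValidationException
     * if any present signature is malformed or does not verify, or if an
     * Assertion is unsigned inside an unsigned Response (in that case nothing
     * protects the Assertion's integrity at all).
     */
    public void validate(Response response) throws ValidationException {
        boolean responseSigned = response.isSigned();
        if (responseSigned) {
            validateSignature(response, "Response");
        }

        List<Assertion> assertions = response.getAssertions();
        for (Assertion assertion : assertions) {
            if (assertion.isSigned()) {
                // "validate any signatures present": a signed Assertion is checked
                // even when the enclosing Response is also signed
                validateSignature(assertion, "Assertion " + assertion.getID());
            } else if (!responseSigned) {
                throw new ValidationException("Assertion " + assertion.getID()
                        + " is unsigned and the enclosing Response is unsigned");
            }
        }
    }

    /**
     * Profile check first (rejects signatures that are not enveloped or that
     * reference something other than the parent element), then the key check.
     */
    private void validateSignature(SignableSAMLObject object, String label)
            throws ValidationException {
        Signature signature = object.getSignature();
        try {
            profileValidator.validate(signature);   // structural rules of the SAML signature profile
            signatureValidator.validate(signature); // cryptographic check against the IdP credential
        } catch (ValidationException e) {
            throw new ValidationException(label + ": " + e.getMessage());
        }
    }
}
```

Two points of the design: the SAMLSignatureProfileValidator is run on the Assertion signature as well, not only on the Response signature as in the question's code, because the profile rules apply to each signed element independently; and an unsigned Assertion is accepted only when the signed Response envelopes it, since the Response signature then covers the Assertion's bytes. Which elements the IdP is expected to sign is a deployment decision, so a deployment that requires signed Assertions should tighten the unsigned-Assertion branch to always fail.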