1
votes

This question is a follow-up to the one asked in the post HTTP-Redirect Binding SAML Request.

I am trying to implement a .NET SSO solution by sending the SAML authentication request via the HTTP-Redirect binding. After generating the SAML AuthnRequest and computing the signature using the private certificate of the SP, I have tried two ways to add the signature to the URL.

  • Generate the SAML AuthnRequest XML.

    <?xml version="1.0" encoding="utf-8"?>
    <AuthnRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  ID="_d726aced-4c62-4562-8237-062f7faf0750"
                  Version="2.0" IssueInstant="2015-04-03T19:59:58.6709058Z"
                  Destination="https://idp.client.com/adfs/ls/"
                  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                  AssertionConsumerServiceURL="https://serviceprovider.clientportal.com/samlsso.aspx"
                  xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
            <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://serviceprovider.clientportal.com</Issuer>
            <NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </AuthnRequest>

  • Compute the signature over the SAML AuthnRequest XML, which generates an XML Signature element as shown below.

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_d726aced-4c62-4562-8237-062f7faf0750">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>rxoGtdmI...rgY=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>XRLdJHIGWClJxp....fTPUfIghl5kTfV4=</SignatureValue>
    </Signature>


  • Method 1 to add the signature to the query string

      • Encode the AuthnRequest XML (without the signature embedded) using Base64 encoding and URL encoding.
      • Encode the above XML signature string using Base64 encoding and URL encoding.
      • Construct the URL in the following way:

        https://IDP.com/adfs/ls/?SAMLRequest=UrlEncodedBase64AuthnRequest&RelayState=value&SigAlg=value&Signature=UrlEncodedBase64EncodedXMLSignature

  • Method 2 to add the signature to the query string

      • Encode the AuthnRequest XML (without the signature embedded) using Base64 encoding and URL encoding.
      • Extract the value of the SignatureValue tag from the above XML signature, to be sent as the URL-encoded value of the "Signature" query string parameter.
      • Construct the URL in the following way:

        https://IDP.com/adfs/ls/?SAMLRequest=UrlEncodedBase64AuthnRequest&RelayState=value&SigAlg=value&Signature=UrlEncodedValueExtractedFromSignatureValueTag


In both cases I get a signature validation failure at the IdP. Any idea how to generate the signature to be sent in the URL?

Any help on this would be of great help!

Thanks,
Piush

2
I am also facing a similar issue. Can you please share the solution? - Parveen Kumar

2 Answers

3
votes

See "Section 3.4.4.1 DEFLATE Encoding" in the SAML 2.0 Bindings document for specific instructions on how you are supposed to include the DSig when using the REDIRECT Binding.

-2
votes

The signature used in the HTTP-Redirect binding is not an XML signature. I suggest taking another look at the SAML v2.0 Bindings Specification, section 3.4.

Alternatively, take a look at our ComponentSpace SAML v2.0 component. This is a commercial product for .NET/ASP.NET which fully supports the SAML specification.
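Both answers point to the same rule from Bindings section 3.4.4.1: for the Redirect binding the AuthnRequest is DEFLATE-compressed, Base64-encoded and URL-encoded, and the Signature parameter is a plain RSA signature over the query-string bytes `SAMLRequest=...&RelayState=...&SigAlg=...`, not an XML Signature element. The following Go program is an added example written for this page (not code from the asker, either answerer, or the ComponentSpace product) showing both the SP side that builds the query and the IdP side that verifies it; the throwaway key, the RSA-SHA256 SigAlg URI and the sample request used in testing are constructed assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
)
// Assumed SigAlg identifier: the XML DSig URI for RSA-SHA256 (the question's rsa-sha1 is deprecated).
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// NewSPKey makes a constructed throwaway SP signing key; a real SP loads the key behind its certificate.
func NewSPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// signedQuery is the exact string the binding signs: URL-encoded SAMLRequest, RelayState (only if present), SigAlg.
func signedQuery(samlRequest, relayState, sigAlg string) string {
	q := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		q += "&RelayState=" + url.QueryEscape(relayState)
	}
	return q + "&SigAlg=" + url.QueryEscape(sigAlg)
}
// BuildRedirectQuery (SP side): raw DEFLATE + Base64 the AuthnRequest, sign the query-string
// bytes with RSA-SHA256 and append the Base64 signature as the Signature parameter.
func BuildRedirectQuery(key *rsa.PrivateKey, authnRequestXML []byte, relayState string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE: no zlib/gzip header
	w.Write(authnRequestXML)
	w.Close()
	q := signedQuery(base64.StdEncoding.EncodeToString(buf.Bytes()), relayState, SigAlgRSASHA256)
	digest := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}
// VerifyRedirectQuery (IdP side): accept only the expected SigAlg, rebuild the signed string and
// verify. Production code should verify the raw received query bytes instead of re-encoding them.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	v, err := url.ParseQuery(rawQuery)
	if err != nil { return err }
	if v.Get("SigAlg") != SigAlgRSASHA256 { return errors.New("unsupported SigAlg") }
	sig, err := base64.StdEncoding.DecodeString(v.Get("Signature"))
	if err != nil { return err }
	digest := sha256.Sum256([]byte(signedQuery(v.Get("SAMLRequest"), v.Get("RelayState"), v.Get("SigAlg"))))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

Note that the value the IdP checks is the signature over the encoded query string, so the `SignatureValue` text from an XML Signature (Method 2 in the question) can never validate here, and the binding allows the IdP to reject any `SigAlg` it does not expect.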