All, I have a quick question on the SAML 2.0 response that I've been working with as part of my web SSO. We are the Identity Provider (IdP) and we send the SAML token to our Service Provider (SP). The SP wants us to sign the entire before sending that. We sent the SP our public certificate already. Whose certificate details go under the element in the generated SAML 2.0 response? Is that the IdP's or the Service Provider's (SP)? We don't have a public certificate from our SP yet.

<samlp2:Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_71b134e9-1ab3-4680-90a4-3b95c8530a59" Version="2.0" IssueInstant="2017-09-21T17:29:21.6178748Z" Destination="https://sp.com" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_79b534eb-9771-4d22-9d61-d4dc5997be70">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>RzEq/7vrq</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>jQCx6BZyoW+okh+zxwrd</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509IssuerSerial>
          <X509IssuerName>CN=CA, DC=us, DC=local</X509IssuerName>
          <X509SerialNumber>1248841732558767</X509SerialNumber>
        </X509IssuerSerial>
        <X509Certificate>MIIEpTCCA42gAwIBAgITOAAAARWJYtXzIdPzr</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp2:Status>
    <samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp2:Status>
  <saml2:Assertion Version="2.0" ID="_79b534eb-9771-4d22-9d61-d4dc5997be70" IssueInstant="2017-09-21T17:29:21.6208748Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://mycompany.com/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">TestUser</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-09-21T17:29:21.6218748Z" NotOnOrAfter="2017-09-21T17:33:21.6218748Z" />
    <saml2:AuthnStatement AuthnInstant="2017-09-21T17:29:21.6228748Z" SessionNotOnOrAfter="2017-09-21T17:34:21.6228748Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml20:AttributeStatement xmlns:saml20="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml20:Attribute Name="MyCompany" NameFormat="www.sp.com">
        <saml20:AttributeValue>test value</saml20:AttributeValue>
      </saml20:Attribute>
    </saml20:AttributeStatement>
  </saml2:Assertion>
</samlp2:Response>

1 Answers

The certificate in the Response should be the one of the IDP. This way the SP can be sure the IDP signed the response and it wasn't manipulated by the user agent (or anyone else).
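As an added example (not code from the question or the answer), here is a stdlib-only Python pre-check an SP could run on an IdP-signed Response before handing it to a real XML-DSig library: it confirms the Reference actually covers the whole Response (the posted XML references only the Assertion ID), compares the KeyInfo certificate with the IdP certificate the SP received out of band instead of trusting the embedded one, and flags the rsa-sha1 algorithm. The function name `precheck_response`, the shortened IDs and the certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample that mirrors the posted Response; IDs and certificate text are
# placeholders (the page's values are truncated), not a real IdP certificate.
PINNED_IDP_CERT = "MIIEpTCCA42gAwIBAgITOAAAARWJYtXzIdPzr"
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_71b134e9" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_79b534eb"/>
    </SignedInfo>
    <SignatureValue>jQCx6BZyoW</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_79b534eb" Version="2.0"/>
</samlp:Response>""" % PINNED_IDP_CERT


def precheck_response(xml_text, pinned_idp_cert_b64):
    """Structural checks for an SP; every value must be True before crypto verification."""
    root = ET.fromstring(xml_text)
    findings = {"signature_present": False}
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return findings
    findings["signature_present"] = True
    # "Sign the entire response" means the Reference must point at the Response ID;
    # a URI naming only the Assertion ID leaves the Status and the rest unsigned.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    findings["reference_covers_response"] = uri == "#" + root.get("ID", "")
    # KeyInfo carries the IdP's certificate, but it is only a hint: compare it with
    # the IdP certificate obtained out of band rather than trusting what is embedded.
    cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    embedded = "".join((cert_el.text or "").split()) if cert_el is not None else ""
    pinned = "".join(pinned_idp_cert_b64.split())
    findings["keyinfo_matches_pinned_idp_cert"] = embedded != "" and embedded == pinned
    # SHA-1 based signature methods are deprecated; surface them so the SP can reject.
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm", "") if method is not None else ""
    findings["signature_alg_not_sha1"] = not alg.endswith("sha1")
    return findings
```

Run against the constructed sample, the check reports the Reference mismatch and the SHA-1 method while confirming the embedded certificate is the pinned IdP one; these checks complement, and do not replace, canonicalization and RSA verification by an XML-DSig library.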