From what I have found, OneLogin test connectors by default do not require a signed AuthNRequest. The AuthNRequest made with HTTP-Redirect works fine without a signature. I am able to authenticate my user through OneLogin and process the SAML response.
At this point I am trying to test code that signs the AuthNRequest. Based on the specification https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, the HTTP-Redirect method supports a signed AuthNRequest. The URL parameters would be "SAMLRequest=request&SigAlg=algorithm&Signature=signature". I don't have a need for RelayState, so it has been left out of the example. The spec says the signature for the HTTP-Redirect method would be created over the query string parameters "SAMLRequest=request&SigAlg=algorithm", signed using the algorithm specified in the query string. So the request itself is not signed. I am signing using a self-signed certificate. I have passed all the query string values to the OneLogin connector, and each time the AuthNRequest is processed by OneLogin successfully. However, I have modified the signature value to be invalid, and even left it blank, hoping to have it fail, and the AuthNRequest is still processed by OneLogin.
FYI - I tried using https://www.samltool.com/sign_authn.php to create the signed AuthNRequest to make sure I was doing it correctly, but it only appears to provide the HTTP-Post, and not the HTTP-Redirect AuthNRequest.
I have the following questions:
- Does OneLogin support a signed AuthNRequest through HTTP-Redirect?
- Is there a way to set up a test connector to require a signed AuthNRequest?
- How would I inform OneLogin about the public key from my certificate that was used to sign the AuthNRequest?
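The redirect-binding signing procedure described in the question, as an added example that is not part of the original post and not OneLogin's code. It assumes an in-memory RSA key in place of the poster's self-signed certificate, a constructed AuthnRequest, and the RSA-SHA256 SigAlg URI. It builds the `SAMLRequest=...&SigAlg=...&Signature=...` query exactly as the binding describes (DEFLATE, base64, URL-encode, then sign the encoded `SAMLRequest=...&SigAlg=...` string rather than the XML), and pairs it with the check an IdP is expected to perform on receipt: reconstruct the signed portion from the raw query as received and reject a tampered or blank Signature, which is the failure the poster was looking for and did not see.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256 (assumed here; the value is carried in the query string).
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample AuthnRequest; a real SP would fill in its own entity ID, ACS URL and timestamps.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="https://sp.example/acs"><saml:Issuer>https://sp.example</saml:Issuer></samlp:AuthnRequest>`

// encodeSAMLRequest applies the redirect-binding encoding: raw DEFLATE, then base64.
func encodeSAMLRequest(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeSAMLRequest reverses encodeSAMLRequest (base64, then inflate) to recover the XML.
func DecodeSAMLRequest(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	out, err := io.ReadAll(r)
	return string(out), err
}

// BuildSignedRedirectQuery returns "SAMLRequest=...&SigAlg=...&Signature=...".
// The signature covers the URL-encoded "SAMLRequest=...&SigAlg=..." string, not the XML.
func BuildSignedRedirectQuery(key *rsa.PrivateKey, xml string) (string, error) {
	encoded, err := encodeSAMLRequest(xml)
	if err != nil {
		return "", err
	}
	signedPart := "SAMLRequest=" + url.QueryEscape(encoded) + "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	digest := sha256.Sum256([]byte(signedPart))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signedPart + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the receiving side's check. It rebuilds the signed portion from the
// raw query bytes as received (re-encoding could change them) and verifies the signature,
// so a tampered or empty Signature parameter is rejected.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) error {
	params := map[string]string{}
	for _, pair := range strings.Split(rawQuery, "&") {
		k, v, ok := strings.Cut(pair, "=")
		if !ok {
			return errors.New("malformed query parameter: " + pair)
		}
		params[k] = v // value is kept URL-encoded on purpose
	}
	if params["SAMLRequest"] == "" {
		return errors.New("missing SAMLRequest")
	}
	sigAlg, err := url.QueryUnescape(params["SigAlg"])
	if err != nil || sigAlg != sigAlgRSASHA256 {
		return fmt.Errorf("unsupported or missing SigAlg: %q", sigAlg)
	}
	sigB64, err := url.QueryUnescape(params["Signature"])
	if err != nil || sigB64 == "" {
		return errors.New("missing Signature")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("Signature is not valid base64: %w", err)
	}
	signedPart := "SAMLRequest=" + params["SAMLRequest"]
	if rs, ok := params["RelayState"]; ok { // RelayState, when present, sits between the two
		signedPart += "&RelayState=" + rs
	}
	signedPart += "&SigAlg=" + params["SigAlg"]
	digest := sha256.Sum256([]byte(signedPart))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the self-signed cert's key
	q, _ := BuildSignedRedirectQuery(key, sampleAuthnRequest)
	fmt.Println("valid query verifies:", VerifyRedirectQuery(&key.PublicKey, q))
	blank := q[:strings.LastIndex(q, "&Signature=")] + "&Signature="
	fmt.Println("blank signature rejected:", VerifyRedirectQuery(&key.PublicKey, blank))
}
```

The verifier deliberately does not decode and re-encode the SAMLRequest value before hashing: the signed bytes are the URL-encoded form the sender put on the wire, and different encoders (for example `+` versus `%20`, or upper- versus lower-case hex) would otherwise produce a different digest and a spurious failure.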