Signing XML response, which part of the saml response is signed in the SignatureValue XML Element?


Juanlu Garcia

Aug 9, 2011, 6:31:33 PM
to google-app...@googlegroups.com
Hi guys, I'm developing a Joomla component for SSO in Google Apps.

I'm about to finish the XML exchange; in fact, I've achieved SSO by signing the SAML response with a console command called xmlsec1.

However, I have to do it without this command, because on most web servers it isn't available.

For this purpose, I've used a PHP library called xmlseclibs, which implements part of the command's functionality.

The last step I can't resolve is signing the SAML response correctly. All the XML elements are right except the SignatureValue element, and my question is:

which part of the SAML response is signed in the SignatureValue XML element?

Thanks so much, and sorry for my poor English.

Ryan Panning

Aug 12, 2011, 10:16:24 AM
to google-app...@googlegroups.com
In many examples I have seen just the SAML Assertion signed. However, a Googler told me to sign the Assertion AND Response but other comments that I've seen say that if you sign the Response then the Assertion is covered. So what I did was sign the Assertion then the Response (with the Assertion signature). Now take that with a grain of salt because my implementation isn't working yet. Google can't "parse" my Response.

~ Ryan

Robert Norris

Aug 12, 2011, 6:23:22 PM
to google-app...@googlegroups.com
XML signatures are something of a dark art. The basic algorithm is:
  1. Canonicalize the complete SAML Response document.
  2. Compute the digest of the canonicalized document byte stream.
  3. Create the SignedInfo fragment with the digest in it.
  4. Canonicalize the SignedInfo fragment.
  5. Compute the signature of the SignedInfo fragment.
  6. Create the Signature fragment containing the SignedInfo, SignatureValue and KeyInfo fragments.
  7. Insert the Signature into the original (non-canonicalized) Response document.
I highly recommend that you do your implementation in two parts. First work on getting the Response document right, and use xmlsec to sign the document. Once Google accepts this, then work on getting your signatures correct. I found this extremely useful to learn about what the signature structures should look like and how to use xmlsec:


Good luck!

Cheers,
Rob.

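The seven steps Rob lists, carried through in code as an added example (this is not code from the thread, from xmlseclibs or from xmlsec1). To keep it runnable with only the Python standard library it makes two labelled substitutions: canonicalization uses xml.etree.ElementTree.canonicalize (C14N 2.0) where SAML deployments use Exclusive C14N 1.0 through xmlsec or lxml, and the SignatureMethod is HMAC-SHA1 with a constructed shared secret where Google requires RSA over the IdP's private key; the sample Response, the secret and the element IDs are constructed. The verify function mirrors what xmlsec1 --verify checks, so it also shows the difference between a digest failure (the "data do not match" case reported later in the thread) and a signature failure.

```python
"""Enveloped XML-DSig over a SAML Response, following the 7-step recipe.

Assumptions (not from the thread): C14N 2.0 stands in for Exclusive C14N 1.0,
HMAC-SHA1 stands in for RSA-SHA1/RSA-SHA256, and the Response is constructed.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("ds", DSIG), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# Constructed sample Response (no Signature yet); IDs and values are made up.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed shared secret standing in for the IdP's RSA private key.
SECRET = b"constructed-demo-key-not-for-real-use"


def c14n(elem):
    """Canonical byte stream of an element subtree (steps 1 and 4)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def sign_bytes(data):
    """SignatureMethod stand-in: HMAC-SHA1 here, RSA private-key signing in reality."""
    return hmac.new(SECRET, data, hashlib.sha1).digest()


def strip_signature(root):
    """Enveloped-signature transform: the digest covers the Response without the
    ds:Signature element that is (or will be) inserted into it."""
    root = copy.deepcopy(root)
    for sig in root.findall(f"{{{DSIG}}}Signature"):
        root.remove(sig)
    return root


def sign_response(xml_text):
    root = ET.fromstring(xml_text)
    # Steps 1-2: canonicalize the whole Response and digest that byte stream.
    digest = hashlib.sha1(c14n(strip_signature(root))).digest()
    # Step 3: SignedInfo carries the digest and says how it was produced.
    signed_info = ET.Element(f"{{{DSIG}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DSIG}}}CanonicalizationMethod",
                  Algorithm="http://www.w3.org/2006/12/xml-c14n2")
    ET.SubElement(signed_info, f"{{{DSIG}}}SignatureMethod", Algorithm=f"{DSIG}hmac-sha1")
    ref = ET.SubElement(signed_info, f"{{{DSIG}}}Reference", URI="#" + root.get("ID"))
    transforms = ET.SubElement(ref, f"{{{DSIG}}}Transforms")
    ET.SubElement(transforms, f"{{{DSIG}}}Transform", Algorithm=f"{DSIG}enveloped-signature")
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm=f"{DSIG}sha1")
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = base64.b64encode(digest).decode()
    # Steps 4-5: SignatureValue is computed over canonicalized SignedInfo only;
    # the Response is bound to it indirectly, through the DigestValue.
    sig_value = sign_bytes(c14n(signed_info))
    # Step 6: assemble ds:Signature from SignedInfo, SignatureValue and KeyInfo.
    signature = ET.Element(f"{{{DSIG}}}Signature")
    signature.append(signed_info)
    ET.SubElement(signature, f"{{{DSIG}}}SignatureValue").text = base64.b64encode(sig_value).decode()
    ET.SubElement(signature, f"{{{DSIG}}}KeyInfo")  # X509Data or KeyValue goes here
    # Step 7: insert into the original, non-canonicalized document (after Issuer).
    root.insert(1, signature)
    return ET.tostring(root, encoding="unicode")


def verify_response(xml_text):
    """Returns (digest_ok, signature_ok), the two checks a verifier performs."""
    root = ET.fromstring(xml_text)
    signature = root.find(f"{{{DSIG}}}Signature")
    signed_info = signature.find(f"{{{DSIG}}}SignedInfo")
    claimed_digest = base64.b64decode(signed_info.find(f".//{{{DSIG}}}DigestValue").text)
    claimed_sig = base64.b64decode(signature.find(f"{{{DSIG}}}SignatureValue").text)
    actual_digest = hashlib.sha1(c14n(strip_signature(root))).digest()
    digest_ok = hmac.compare_digest(claimed_digest, actual_digest)
    signature_ok = hmac.compare_digest(claimed_sig, sign_bytes(c14n(signed_info)))
    return digest_ok, signature_ok


if __name__ == "__main__":
    signed = sign_response(SAMPLE_RESPONSE)
    print(signed)
    print("intact:", verify_response(signed))
    print("edited after signing:", verify_response(signed.replace("alice", "mallory")))
```

Two things the code makes concrete: the digest is taken over the Response with the Signature element removed (that is what the enveloped-signature Transform means, and it is why the same digest can be recomputed after the Signature has been inserted), and the SignatureValue covers nothing but the canonicalized SignedInfo. Any change to the Response after step 2, or any difference between the canonical bytes the signer and the verifier produce, therefore surfaces as a digest mismatch while the signature over SignedInfo still checks out.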

Juanlu Garcia

Aug 13, 2011, 9:00:44 AM
to google-app...@googlegroups.com
Thank you guys for your posts.

Robert, my script follows your algorithm, but the SSO doesn't work.

I'm going to attach a PHP test script and all the files needed to do the testing.

Could you look into the test script and tell me what is wrong? It would be a great help.

Everything is ready to make testing easier.

The XML file contained in testing.zip is a prototype of the response that I should send signed to Google.
The test script creates the signed response in an xml.out file.
When the signed XML response is generated through the xmlsec library, the XML is not a validly signed file (tested by xmlsec1 --verify: error=18:data do not match:signature do not match), whereas when I generate the XML response through the xmlsec1 command the output XML file is well-signed.
I realized that in X.509 signing, the xmlsec1 command doesn't append the certificate like the xmlsec library does, and appends it as an RSA key instead. On the other hand, when I verify the signature made by the xmlsec library (in X.509 signing mode) the xmlsec1 command shows multiple errors (like certificate is self-signed and others..).
At first, I chose the RSA signing method to make the process easier.

Thank you again, and I hope to hear from you soon.
testing.zip

Juan Luis

Aug 21, 2011, 12:03:16 PM
to google-app...@googlegroups.com
Robert could you help me please?

http://code.google.com/intl/es-ES/googleapps/domain/sso/saml_sso_support.html?place=topic%2Fgoogle-apps-saml-sso%2F-I0g3SDBgW0%2Fdiscussion


It is for a Joomla component ( http://joomlacode.org/gf/project/joomgapps/frs/ ) that allows SSO between both systems.

This is my university degree project, and I have to submit it in September, ;-) Thanks in advance.


On 13/08/11 00:23, Robert Norris wrote: