I'm in the process of making changes to my site so that we can be a SAML 2.0 Service Provider.
We will be doing IdP-initiated SAML with out-of-band account federation.
This guide will show you how to verify a SAML response using the client kit for Java.
The example code in this section demonstrates verification of a SAML response in a Spark web application, and the Java client kit contains similar code using regular JSP.
The AVANTSSAR team suggested the following data elements should be required:

Further vulnerabilities in SAML implementations were described in 2012 (On Breaking SAML: Be Whoever You Want to Be).
So if your customer wants to include signatures in the XML they send you, they need to provide you with the public key (normally as an X.509 certificate) that corresponds to their signing key.
Every Assertion they send carries a signature value, and that signature must be validated before the Assertion is allowed to grant any privileges. Digital signatures use asymmetric keys (a private/public key pair): the signature is computed with the private key and can be validated by anyone holding the public key.
I assume I should rely on the IdP's certificate supplied in metadata and not the one in the response itself (although they should be the same).
Is there some way to do this with openssl or xmlsec1 commands?
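The pinning step the question above assumes, written out as an added example (not part of the original post or any SAML toolkit): the Service Provider takes the trusted signing certificate from the IdP metadata and refuses to verify with a certificate that is merely embedded in the incoming Assertion. The metadata, the Assertion and the certificate bodies are constructed placeholders; the XML-DSig cryptographic check itself is still left to xmlsec1 or the SAML library, which is then pointed at the metadata certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholders: opaque bytes standing in for DER-encoded X.509
# certificates, base64-wrapped the way SAML metadata and KeyInfo carry them.
TRUSTED_CERT = base64.b64encode(b"constructed IdP signing certificate").decode()
ROGUE_CERT = base64.b64encode(b"constructed certificate not in metadata").decode()

# Constructed IdP metadata with a single KeyDescriptor use="signing".
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{TRUSTED_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def assertion_with_cert(cert_b64):
    """Constructed minimal Assertion whose Signature/KeyInfo embeds cert_b64."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1">
      <ds:Signature><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>"""

def fingerprint(cert_b64):
    # Metadata usually line-wraps the base64; strip whitespace before decoding.
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def trusted_signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every IdP certificate usable for signing."""
    root = ET.fromstring(metadata_xml)
    trusted = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            trusted.update(fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return trusted

def select_verification_cert(metadata_xml, assertion_xml):
    """Return (accepted, reason): only a metadata-pinned certificate may verify the signature."""
    trusted = trusted_signing_fingerprints(metadata_xml)
    if not trusted:
        return False, "metadata has no signing certificate"
    embedded = set()
    for sig in ET.fromstring(assertion_xml).iterfind(".//ds:Signature", NS):
        embedded.update(fingerprint(c.text) for c in sig.iterfind(".//ds:X509Certificate", NS))
    if embedded and not embedded <= trusted:  # KeyInfo cert is not the IdP's: reject, do not verify with it
        return False, "embedded certificate does not match the IdP metadata signing certificate"
    return True, "verify the XML signature with the metadata certificate"
```

Running the XML-DSig verification against whichever certificate the Assertion happens to embed would let anyone who can produce a valid signature with their own key pass the check; pinning to metadata is what makes the signature prove the IdP's identity.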