How to create a signed AuthnRequest?

gbhakta · Mar 6, 2013 · Viewed 28k times

I am interfacing with an IDP and have a basic AuthNRequest created as follows:

<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="IDTest1"
  Version="2.0"
  IssueInstant="2013-03-04T09:21:59"
  AssertionConsumerServiceIndex="0"
  AttributeConsumingServiceIndex="0">
  <saml:Issuer>https://myapp.com/saml2/sp</saml:Issuer>
  <samlp:NameIDPolicy
    AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

The IDP wants me to send the request signed. My questions are:

  1. How do I set digest value?
  2. How do I set Signature value?
  3. For x509 certificate, I set the public key of my app. Correct?
  4. What is the data that is used to compute any of the values? Is it my original auth request without Signature element?

Answer

rbrayb · Mar 7, 2013

Just to note that a lot of this is covered in the documentation:

SAML metadata.

To have the request signed you need to add something like this (normally found in the sp.xml):

<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

The signing key would look something like:

<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>MIIDWTC...CAkGgAwIBAgIEe+a+/uaSZCp5g2z+hRWRV+DyfQc9nO</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>

where the MII... is the public key.

As per @Stefan, it's much easier to use a library.
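The four questions worked through end to end, as an added example that is not part of the question or the answer above. It uses only the Python standard library: `xml.etree.ElementTree.canonicalize` (C14N 2.0) stands in for the Exclusive C14N a real SP applies, `demo_signer`/`demo_verifier` stand in for the RSA-SHA256 private/public key operations (they are not a signature scheme), `MIIDWTC-PLACEHOLDER` is a placeholder certificate, and the SP metadata fragment is constructed in the shape the answer shows. What the example does show exactly is which bytes each value is computed over: DigestValue is the hash of the canonical request with the Signature element removed (the enveloped-signature transform), and SignatureValue is computed over the canonical SignedInfo only, not over the whole request.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS), ("md", MD)):
    ET.register_namespace(_prefix, _uri)  # keep the conventional prefixes on re-serialization

# Constructed copy of the question's unsigned AuthnRequest, inter-element whitespace removed.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="IDTest1" Version="2.0" '
    'IssueInstant="2013-03-04T09:21:59" AssertionConsumerServiceIndex="0" '
    'AttributeConsumingServiceIndex="0"><saml:Issuer>https://myapp.com/saml2/sp</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>'
)
# Constructed SP metadata in the shape the answer shows; the certificate is a placeholder.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://myapp.com/saml2/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>   MIIDWTC-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def canonical_bytes(xml_text, exclude_signature=False):
    """Bytes that get hashed or signed. Stdlib C14N 2.0 stands in for the Exclusive C14N that
    ds:Transforms declares. exclude_signature = enveloped-signature transform (drop ds:Signature)."""
    exclude = [f"{{{DS}}}Signature"] if exclude_signature else None
    return ET.canonicalize(xml_text, exclude_tags=exclude).encode("utf-8")

def digest_value(xml_text):
    """Q1/Q4: DigestValue = base64(SHA-256(canonical request with its Signature removed))."""
    return base64.b64encode(hashlib.sha256(canonical_bytes(xml_text, True)).digest()).decode()

def signed_info(reference_id, digest_b64):
    """SignedInfo is the element that is actually signed; it carries the reference digest."""
    return (
        f'<ds:SignedInfo xmlns:ds="{DS}">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        f'<ds:Reference URI="#{reference_id}"><ds:Transforms>'
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<ds:DigestValue>{digest_b64}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    )

def sign_request(xml_text, cert_b64, signer):
    """Q2/Q3: SignatureValue = signer(canonical SignedInfo); KeyInfo carries the SP's certificate
    (the one published in metadata), never the private key. `signer` is a callable(bytes) -> bytes;
    with the `cryptography` package it would be private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())."""
    root = ET.fromstring(xml_text)
    info = signed_info(root.get("ID"), digest_value(xml_text))
    sig_b64 = base64.b64encode(signer(canonical_bytes(info))).decode()
    signature = ET.fromstring(
        f'<ds:Signature xmlns:ds="{DS}">{info}<ds:SignatureValue>{sig_b64}</ds:SignatureValue>'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
    )
    root.insert(1, signature)  # SAML core places ds:Signature directly after saml:Issuer
    return ET.tostring(root, encoding="unicode")

def verify_request(signed_xml, verifier):
    """What the IdP does: recompute the digest over the request minus its Signature, check the
    Reference points at this very request, then verify SignatureValue over SignedInfo."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    info = sig.find(f"{{{DS}}}SignedInfo")
    ref = info.find(f"{{{DS}}}Reference")
    if ref.get("URI") != "#" + (root.get("ID") or ""):
        return False  # signature covers some other element, not this request
    if ref.findtext(f"{{{DS}}}DigestValue") != digest_value(signed_xml):
        return False  # content changed after signing
    info_bytes = canonical_bytes(ET.tostring(info, encoding="unicode"))
    sig_bytes = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    return bool(verifier(info_bytes, sig_bytes))

def signing_certificates(metadata_xml):
    """Certificates an IdP will accept for request signatures: KeyDescriptor with use="signing"
    or with no use attribute at all (which means both signing and encryption)."""
    return ["".join((c.text or "").split())  # base64 with surrounding whitespace dropped
            for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor")
            if kd.get("use", "signing") == "signing"
            for c in kd.iter(f"{{{DS}}}X509Certificate")]

# Stand-in for the RSA private-key operation so the script runs offline; NOT a signature scheme.
_DEMO_KEY = b"constructed-demo-key"
def demo_signer(data):
    return hashlib.sha256(_DEMO_KEY + data).digest()
def demo_verifier(data, sig):
    return sig == demo_signer(data)

if __name__ == "__main__":
    signed = sign_request(AUTHN_REQUEST, signing_certificates(SP_METADATA)[0], demo_signer)
    print("valid:", verify_request(signed, demo_verifier))
    tampered = signed.replace("https://myapp.com/saml2/sp", "https://other.example/sp")
    print("tampered valid:", verify_request(tampered, demo_verifier))
```

Two points follow from the code. On question 3: the X509Certificate in both the metadata and the request's KeyInfo is the SP's certificate (public), and the private key only ever enters the `signer` call. On the verifying side, the IdP should take the trusted certificate from the SP metadata it already holds, not from the KeyInfo inside the request, and `verify_request` also checks that the Reference URI names the request's own ID, since a digest that matches some other element says nothing about the request being verified.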