
How to validate a SAML assertion with no KeyInfo

Hi,

We receive a SAML assertion from an identity provider, which does not contain a <ds:KeyInfo> element. As far as I can see that should be ok, as the SAML2 spec does not require the use of <ds:KeyInfo> (Section 5.4.5). Nevertheless, the Validate SAML Policy fails verifying the signature in such assertions.

When I look in the message processor logs, I see that it complains about missing KeyInfo object:

-- --

SAML-Validate NIOThread@1 ERROR ValidateSAMLAssertion - ValidateSAMLAssertionExecution.verify() : Error validating signature javax.xml.crypto.dsig.XMLSignatureException: cannot find validation key

...

Caused by: javax.xml.crypto.KeySelectorException: Null KeyInfo object!

...

-- --

Is there a way to configure the policy in a way that it uses the certificate in the provided trust store to verify the signature? The trust store contains only one self-signed certificate, so we'll know that it's that specific provider who has signed the assertion.

I've tested with another provider, so I know self-signed certificate works ok with Validate SAML Policy (as long as <ds:KeyInfo> is present in the assertion). I can also verify the signature of the assertion not containing <ds:KeyInfo> using openssl; thus, I know the certificate is ok.

This is Edge Private Cloud Version 4.17.09.00.

Thanks!

-inan.
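The "Null KeyInfo object!" in the log comes from a javax.xml.crypto KeySelector that expects to find the verification key inside the assertion's <ds:KeyInfo>. The way around that in plain JDK XML-DSig, which is what the message processor is using, is a KeySelector that never consults KeyInfo and always answers with the one certificate you already trust. The following is an added, stand-alone example of that approach; it is not the Apigee policy's own code and says nothing about how the policy can be configured. The trust store path, password, assertion file and the placeholder values in main() are assumptions for the example.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: verify a SAML 2.0 assertion signature with a pinned trust-store key, ignoring ds:KeyInfo. */
public class TrustStoreSamlVerifier {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** KeySelector that does not look at KeyInfo at all (so a missing KeyInfo cannot fail it). */
    static final class PinnedKeySelector extends KeySelector {
        private final PublicKey pinned;
        PinnedKeySelector(PublicKey pinned) { this.pinned = pinned; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context) {
            // Whatever KeyInfo says (or whether it exists), only the pinned key is acceptable.
            return () -> pinned;
        }
    }

    /** Load the single certificate entry from the trust store (the post describes a store with exactly one). */
    static PublicKey loadTrustedKey(String storePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (java.io.FileInputStream in = new java.io.FileInputStream(storePath)) {
            ks.load(in, password);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                cert.checkValidity(); // reject an expired/not-yet-valid IdP certificate
                return cert.getPublicKey();
            }
        }
        throw new IllegalStateException("trust store contains no certificate entry");
    }

    /** Returns true only if the ds:Signature inside the Assertion verifies with the pinned key
     *  and its Reference actually covers that Assertion (guards against a Signature over some other element). */
    static boolean verifyAssertion(File assertionXml, PublicKey trustedKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE
        Document doc = dbf.newDocumentBuilder().parse(assertionXml);

        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) throw new IllegalStateException("expected exactly one saml:Assertion");
        Element assertion = (Element) assertions.item(0);

        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalStateException("expected exactly one ds:Signature in the Assertion");

        DOMValidateContext ctx = new DOMValidateContext(new PinnedKeySelector(trustedKey), sigs.item(0));
        // JDK XML-DSig only resolves "#id" references for attributes registered as IDs.
        ctx.setIdAttributeNS(assertion, null, "ID");

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false; // covers both signature value and digest checks

        String expectedUri = "#" + assertion.getAttribute("ID");
        for (Object r : sig.getSignedInfo().getReferences()) {
            if (!expectedUri.equals(((Reference) r).getURI())) return false; // signature over the wrong element
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumptions for the example): adjust to your environment.
        PublicKey key = loadTrustedKey("/path/to/idp-truststore.jks", "changeit".toCharArray());
        boolean ok = verifyAssertion(new File("/path/to/assertion.xml"), key);
        System.out.println(ok ? "signature valid with pinned trust-store key" : "signature INVALID");
    }
}
```

The selector is the whole trick: because it returns the pinned key unconditionally, a KeyInfo that is absent, empty, or pointing at some other certificate makes no difference, which is also the reason to pin only when the store really holds just the one IdP certificate. The extra Reference URI check and the "exactly one Assertion / exactly one Signature" guards are there because a valid signature over the wrong element is a well-known SAML failure mode; sig.validate() alone does not tell you what was signed.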
