SAML and web service token validation

Posted on 2014-08-27
Last Modified: 2016-02-26
While I am starting to understand, there is one more thing I do not quite get:

The normative case is for the client to send a token request to the SAML authority, and get a SAML token in return.  The client then sends the message plus the token to the web service in question (probably SOAP).

My question is, how does the web service validate that the token is valid?  Does it hit the SAML authority?  How does that work?

Thanks
Question by: Anthony Lucia
Accepted Solution

by: David Johnson, CD, MVP
ID: 40289699
It comes back signed using the public key of the identity organization and you check that the signature is valid (chain of trust, not expired).

Sample response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2012-07-20T06:05:17.364Z" Destination="https://login.salesforce.com">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">dev.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="1234" IssueInstant="2012-07-20T06:05:17.364Z" Version="2.0">
    <saml:Issuer>dev.com</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#1234">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>Xz8bJqroWKcnrUzBypQy87Z3fNU=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>
        RjZ6JDl3HpFw+Jy8t19tKG9E0ED0cN7Xr7Ax56sPjSQaEFT9nSsM7NonzK6C/DHzJe63Jnv4+rXg
        ZFjcTrfzlXSwGkcUREyTgLM4vOjBEz459bBcWVEMuMPUUXDOpCrdP3lSSuhrBzzEb3SXOlma8+lg
        qf7WUrxv1z6VswxQEgzIwsObZNWshQ5LWuysw5txdN/8vmOgvlG+9X2PTP+K+dBEolPiRvscnj/K
        vDWHueO7NU2AmVEKR0Lv3F7CJC/cY21xRAoyIILoAcUj+8sXkUI4jwib/Ik2T9+jYKN6+ZmTFo9k
        cdcSXKlXNEt1jROC+YeZXaalkxY7yo8Dey/GvA==
      </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">sachin@cloudsquads.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-20T05:23:17.364Z" Recipient="https://login.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-07-20T05:23:17.364Z" NotOnOrAfter="2013-07-20T05:23:17.364Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-07-20T06:05:17.364Z" SessionIndex="1234">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
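The answer above covers the signature check; in practice the web service (the SAML service provider) has to do more than verify the signature before it accepts the token, and it does none of it by calling the SAML authority. The following is an added example, not code from the original question or answer: a Python validator that takes a SAML 2.0 Response, confirms the Issuer is the trusted IdP, that the Signature is enveloped in the single Assertion and its Reference points at that Assertion's ID (so a signed assertion cannot be wrapped around a forged one), that the certificate in KeyInfo is the one pinned from IdP metadata rather than whatever the sender supplied, and then enforces NotBefore/NotOnOrAfter with clock skew, AudienceRestriction, the bearer SubjectConfirmation's Recipient and expiry, and one-time use of the assertion ID. The issuer, URLs, clock, certificate bytes and the sample response are all constructed; `accept_any_signature` is a constructed stand-in for the XML-DSig library call that does the actual canonicalization and RSA verification.

```python
"""Service-provider-side validation of a SAML 2.0 bearer assertion (added example,
not from the original post; issuer, URLs, clock, cert bytes and sample are constructed)."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET  # prefer defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP configuration; in production the issuer and signing certificate come
# from the IdP's metadata, the ACS URL and audience from the SP's own deployment.
TRUSTED_ISSUER = "https://idp.example.com"
ACS_URL = "https://sp.example.com/saml/acs"
EXPECTED_AUDIENCE = "https://sp.example.com"
SAMPLE_CERT_DER = b"constructed stand-in for the IdP's DER-encoded certificate"
CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
PINNED_CERT_SHA256 = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()  # pinned from metadata
NOW = datetime(2012, 7, 20, 6, 10, tzinfo=timezone.utc)  # constructed clock

# Constructed response modelled on the one in the answer above.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0"
    ID="_r1" IssueInstant="2012-07-20T06:05:17.364Z" Destination="{ACS_URL}">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2012-07-20T06:05:17.364Z">
    <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
    <Signature xmlns="{NS['ds']}"><SignedInfo><Reference URI="#_a1"/></SignedInfo>
      <SignatureValue>Y29uc3RydWN0ZWQ=</SignatureValue>
      <KeyInfo><X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data></KeyInfo></Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData NotOnOrAfter="2012-07-20T06:15:17.364Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2012-07-20T06:00:17.364Z" NotOnOrAfter="2012-07-20T06:15:17.364Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""


class SamlValidationError(Exception):
    pass

def _parse_time(value):  # SAML times are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)

def accept_any_signature(assertion_el, cert_der):
    """Constructed stand-in. A real SP hands the assertion element and the pinned cert to an
    XML-DSig library (e.g. signxml) that canonicalizes, recomputes the digest and checks
    SignatureValue; this stub only keeps the example offline."""
    return True

def validate_response(xml_bytes, *, signature_verifier, seen_ids, now=NOW, skew=timedelta(seconds=60),
                      trusted_issuer=TRUSTED_ISSUER, acs_url=ACS_URL,
                      audience=EXPECTED_AUDIENCE, pinned_sha256=PINNED_CERT_SHA256):
    """Return the asserted NameID if every check passes, else raise SamlValidationError."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") not in (None, acs_url):
        raise SamlValidationError("not a samlp:Response addressed to this service")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != trusted_issuer:
            raise SamlValidationError("Issuer is not the trusted IdP")
    # The Signature must be enveloped in the assertion being trusted and its single Reference
    # must point at that assertion's ID, or a signed assertion can be wrapped around a forged one.
    assertion_id = assertion.get("ID")
    sig = assertion.find("ds:Signature", NS)
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS) if sig is not None else []
    if not assertion_id or len(refs) != 1 or refs[0].get("URI") != "#" + assertion_id:
        raise SamlValidationError("Signature does not cover this Assertion")
    # KeyInfo is sender-controlled: only the certificate pinned from IdP metadata may sign.
    cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_der = base64.b64decode("".join(((cert_el.text if cert_el is not None else None) or "").split()))
    if hashlib.sha256(cert_der).hexdigest() != pinned_sha256:
        raise SamlValidationError("signing certificate is not the pinned IdP certificate")
    if not signature_verifier(assertion, cert_der):
        raise SamlValidationError("XML signature verification failed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or (cond.get("NotBefore") and now + skew < _parse_time(cond.get("NotBefore"))) \
            or (cond.get("NotOnOrAfter") and now - skew >= _parse_time(cond.get("NotOnOrAfter"))):
        raise SamlValidationError("assertion missing Conditions or outside its validity window")
    if audience not in [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("assertion was issued for another audience")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        raise SamlValidationError("missing bearer SubjectConfirmation")
    if data.get("Recipient") != acs_url or not data.get("NotOnOrAfter") \
            or now - skew >= _parse_time(data.get("NotOnOrAfter")):
        raise SamlValidationError("SubjectConfirmationData is not for this service or has expired")
    if assertion_id in seen_ids:  # bearer assertions are one-shot: reject replays
        raise SamlValidationError("assertion replayed")
    seen_ids.add(assertion_id)
    return assertion.find("saml:Subject/saml:NameID", NS).text.strip()
```

Usage: `validate_response(SAMPLE_RESPONSE.encode(), signature_verifier=accept_any_signature, seen_ids=set())` returns `alice@example.com`; the same call with a later clock, a Reference URI that no longer matches the Assertion ID, a different Audience, or an already-seen assertion ID raises `SamlValidationError`. The cryptographic step is deliberately a plug-in point: the SP passes the assertion element and the pinned certificate to its platform's XML-DSig implementation (javax.xml.crypto.dsig in Java, signxml or python3-saml in Python), never the certificate carried in KeyInfo, and applies the remaining checks regardless of whether the signature verified. Replay protection needs `seen_ids` to be shared storage with a TTL at least as long as the assertion lifetime.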