SAML and web service token validation

While I am starting to understand, one more thing I do not quite get

The normative case is for the client to send a token request to the SAML authority, and get a SAML token in return. The client then sends the message plus the token to the web service in question (probably SOAP).

My question is, how does the web service validate that the token is valid? Does he hit the SAML authority? How does that work?

Thanks
Anthony Lucia asked:

David Johnson, CD, MVP (Owner) commented:
It comes back signed using the public key of the identity organization and you check that the signature is valid (chain of trust, not expired).

Sample response (timestamps corrected to valid xsd:dateTime form, certificate body omitted):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2012-07-20T06:05:17.364Z" Destination="https://login.salesforce.com">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">dev.com</saml:Issuer>

  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="1234" IssueInstant="2012-07-20T06:05:17.364Z" Version="2.0">
    <saml:Issuer>dev.com</saml:Issuer>

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <!-- The Reference URI ties this signature to the Assertion with ID="1234" -->
        <Reference URI="#1234">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>Xz8bJqroWKcnrUzBypQy87Z3fNU=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>
RjZ6JDl3HpFw+Jy8t19tKG9E0ED0cN7Xr7Ax56sPjSQaEFT9nSsM7NonzK6C/DHzJe63Jnv4+rXg
ZFjcTrfzlXSwGkcUREyTgLM4vOjBEz459bBcWVEMuMPUUXDOpCrdP3lSSuhrBzzEb3SXOlma8+lg
qf7WUrxv1z6VswxQEgzIwsObZNWshQ5LWuysw5txdN/8vmOgvlG+9X2PTP+K+dBEolPiRvscnj/K
vDWHueO7NU2AmVEKR0Lv3F7CJC/cY21xRAoyIILoAcUj+8sXkUI4jwib/Ik2T9+jYKN6+ZmTFo9k
cdcSXKlXNEt1jROC+YeZXaalkxY7yo8Dey/GvA==
      </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate><!-- base64 IdP signing certificate omitted --></X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>

    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">sachin@cloudsquads.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-20T05:23:17.364Z" Recipient="https://login.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>

    <saml:Conditions NotBefore="2012-07-20T05:23:17.364Z" NotOnOrAfter="2013-07-20T05:23:17.364Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>

    <saml:AuthnStatement AuthnInstant="2012-07-20T06:05:17.364Z" SessionIndex="1234">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
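What the receiving web service actually checks on an assertion like the one above, as an added example that is not from the original answer: the signature crypto is left to an XML-DSig library and its verdict is passed in, while the issuer, audience, recipient, validity window and replay checks that must sit beside it are written out. The expected issuer, entity ID and ACS URL are assumed to be the values in the sample.

```python
# Added example, not from the original post: the relying-party checks that must
# accompany XML-Signature verification. The signature crypto itself (digest, RSA
# against the IdP certificate pinned from metadata) is assumed done by an XML-DSig
# library; its verdict is passed in as `signature_ok`.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample, trimmed from the assertion in the answer above.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="1234" Version="2.0">
<saml:Issuer>dev.com</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="#1234"/></SignedInfo></Signature>
<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2013-07-20T05:23:17.364Z" Recipient="https://login.salesforce.com"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2012-07-20T05:23:17.364Z" NotOnOrAfter="2013-07-20T05:23:17.364Z">
<saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion>"""
def parse_ts(s):  # SAML dateTime values are UTC with a trailing 'Z'
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def validate_assertion(xml_text, expected_issuer, my_entity_id, my_acs_url,
                       now, signature_ok, seen_ids, skew=timedelta(minutes=3)):
    a = ET.fromstring(xml_text); aid, errors = a.get("ID", ""), []  # empty list == acceptable
    # 1. Issued by the IdP we trust, not merely by *some* holder of a signing key.
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        errors.append("unexpected issuer")
    # 2. The signature must have verified AND its Reference must point at this assertion.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if not signature_ok or ref is None or ref.get("URI") != "#" + aid:
        errors.append("signature missing, invalid, or not over this assertion")
    # 3. Conditions: we are the intended audience and the validity window is open (with skew).
    cond = a.find("saml:Conditions", NS)
    auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)] if cond is not None else []
    if my_entity_id not in auds:
        errors.append("audience mismatch")
    if cond is None or now + skew < parse_ts(cond.get("NotBefore")) or now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        errors.append("outside validity window")
    # 4. Bearer confirmation: delivered to our own endpoint, before its own deadline.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != my_acs_url or now - skew >= parse_ts(scd.get("NotOnOrAfter")):
        errors.append("bad subject confirmation")
    # 5. Replay: each assertion ID is accepted exactly once.
    if aid in seen_ids:
        errors.append("replayed assertion")
    seen_ids.add(aid)
    return errors

def check_sample(now_iso="2012-08-01T00:00:00Z", signature_ok=True, seen_ids=None):
    return validate_assertion(SAMPLE, "dev.com", "https://saml.salesforce.com", "https://login.salesforce.com",
                              parse_ts(now_iso), signature_ok, set() if seen_ids is None else seen_ids)
```

Note that step 2 is what prevents a signed-but-unrelated assertion from vouching for an unsigned one in the same document, and step 5 is why the service keeps a store of consumed assertion IDs rather than calling back to the SAML authority.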