You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've picked up an issue when validating SAML responses when using SHA256 for the signing algorithm.
In the SamlIdp::Controller#encode_SAMLResponse method, the code to produce the identifier is string interpolated as <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"> but results in a signature failure when validating SAML response.
I'm using the libsaml gem for my SP, which in-turn uses the xmldsig gem for verifying the response XML.
While debugging I found the Xmldsig::Reference#digest_method method, which looks for http://www.w3.org/2000/09/xmldsig#sha1 and http://www.w3.org/2001/04/xmlenc#sha256 when resolving the Ruby class to use.
From what I can understand from the XML Encryption Syntax and Processing W3C specification, the identifiers for each digest algorithm change according to the algorithm used.
Also, I couldn't find any identifiers which had "rsa-" prefix to the "shaXXX" part. I.e. http://www.w3.org/2000/09/xmldsig#rsa-shaXXX. This is correct as per Algorithm Identifiers and Implementation Requirements.
I'm no expert on the subject, so maybe someone who knows can comment on this.
The text was updated successfully, but these errors were encountered:
I've picked up an issue when validating SAML responses when using
SHA256for the signing algorithm.In the SamlIdp::Controller#encode_SAMLResponse method, the code to produce the identifier is string interpolated as
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}">but results in a signature failure when validating SAML response.I'm using the
libsamlgem for my SP, which in-turn uses thexmldsiggem for verifying the response XML.While debugging I found the
Xmldsig::Reference#digest_methodmethod, which looks forhttp://www.w3.org/2000/09/xmldsig#sha1andhttp://www.w3.org/2001/04/xmlenc#sha256when resolving the Ruby class to use.From what I can understand from the XML Encryption Syntax and Processing W3C specification, the identifiers for each digest algorithm change according to the algorithm used.
E.g.
Also, I couldn't find any identifiers which had "rsa-" prefix to the "shaXXX" part. I.e.This is correct as per Algorithm Identifiers and Implementation Requirements.http://www.w3.org/2000/09/xmldsig#rsa-shaXXX.I'm no expert on the subject, so maybe someone who knows can comment on this.
The text was updated successfully, but these errors were encountered: