I've picked up an issue when validating SAML responses when using SHA256 for the signing algorithm.
In the SamlIdp::Controller#encode_SAMLResponse method, the code to produce the identifier is string interpolated as <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"> but results in a signature failure when validating the SAML response.
I'm using the libsaml gem for my SP, which in turn uses the xmldsig gem for verifying the response XML.
While debugging I found the Xmldsig::Reference#digest_method method, which looks for http://www.w3.org/2000/09/xmldsig#sha1 and http://www.w3.org/2001/04/xmlenc#sha256 when resolving the Ruby class to use.
From what I can understand from the XML Encryption Syntax and Processing W3C specification, the identifiers for each digest algorithm change according to the algorithm used.
Also, I couldn't find any identifiers which had an "rsa-" prefix to the "shaXXX" part, i.e. http://www.w3.org/2000/09/xmldsig#rsa-shaXXX. This is correct as per Algorithm Identifiers and Implementation Requirements.
I'm no expert on the subject, so maybe someone who knows can comment on this.
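The mismatch described in this issue, shown as an added example in Ruby. This is not code from saml_idp, libsaml or xmldsig, and the `DigestMethodUri` module and its method names are hypothetical: it contrasts the interpolated `xmldsig#<name>` identifier with the identifiers the XML Signature / XML Encryption specifications actually define for each digest, and shows what a verifier that only knows the standard URIs does with each. It goes slightly beyond the issue by also listing the SHA-384 and SHA-512 identifiers (from XML Encryption and RFC 6931) and the corresponding `rsa-` SignatureMethod identifiers, which are distinct from the DigestMethod ones.

```ruby
require "openssl"

# Hypothetical helper (added example; not saml_idp or xmldsig code).
module DigestMethodUri
  # DigestMethod identifiers. Only SHA-1 lives under the 2000/09 xmldsig
  # namespace; SHA-256 and SHA-512 come from XML Encryption, SHA-384 from
  # the xmldsig-more namespace (RFC 6931).
  DIGEST_METHODS = {
    "sha1"   => "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256" => "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha384" => "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "sha512" => "http://www.w3.org/2001/04/xmlenc#sha512",
  }.freeze

  # SignatureMethod identifiers carry the "rsa-" prefix; DigestMethod ones never do.
  SIGNATURE_METHODS = {
    "sha1"   => "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "sha256" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "sha384" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "sha512" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
  }.freeze

  # Reverse map a verifier would consult: standard URI -> OpenSSL digest class.
  URI_TO_DIGEST = DIGEST_METHODS.invert
                                .transform_values { |name| OpenSSL::Digest.const_get(name.upcase) }
                                .freeze

  # The pattern the issue describes: interpolating the algorithm name into the
  # xmldsig namespace. It only yields a real identifier for sha1.
  def self.interpolated_digest_uri(algorithm_name)
    "http://www.w3.org/2000/09/xmldsig##{algorithm_name}"
  end

  def self.digest_uri(algorithm_name)
    DIGEST_METHODS.fetch(algorithm_name.to_s.downcase) do
      raise ArgumentError, "unsupported digest algorithm: #{algorithm_name}"
    end
  end

  def self.signature_uri(algorithm_name)
    SIGNATURE_METHODS.fetch(algorithm_name.to_s.downcase) do
      raise ArgumentError, "unsupported signature algorithm: #{algorithm_name}"
    end
  end

  # nil when the URI is not a known DigestMethod identifier.
  def self.digest_class_for(uri)
    URI_TO_DIGEST[uri]
  end

  # Base64 DigestValue a verifier computes over the canonicalised bytes,
  # or nil when the URI cannot be resolved to a digest.
  def self.digest_value(uri, canonical_bytes)
    klass = digest_class_for(uri)
    return nil unless klass
    [klass.digest(canonical_bytes)].pack("m0")
  end

  # Outcome of a verifier that only recognises the standard identifiers.
  def self.verify_digest(uri, canonical_bytes, expected_b64)
    actual = digest_value(uri, canonical_bytes)
    return :unknown_algorithm if actual.nil?
    actual == expected_b64 ? :ok : :mismatch
  end
end

# Constructed sample payload standing in for a canonicalised assertion.
SAMPLE_ASSERTION = '<saml:Assertion ID="_constructed-example">demo</saml:Assertion>'

if __FILE__ == $PROGRAM_NAME
  %w[sha1 sha256].each do |alg|
    good = DigestMethodUri.digest_uri(alg)
    bad  = DigestMethodUri.interpolated_digest_uri(alg)
    value = DigestMethodUri.digest_value(good, SAMPLE_ASSERTION)
    puts "#{alg}: standard URI #{good} -> #{DigestMethodUri.verify_digest(good, SAMPLE_ASSERTION, value)}"
    puts "#{alg}: interpolated URI #{bad} -> #{DigestMethodUri.verify_digest(bad, SAMPLE_ASSERTION, value)}"
  end
end
```

The SHA-1 case is why the interpolation looks correct in testing: `xmldsig#sha1` happens to be the real identifier, so the bug only surfaces once the IdP is switched to SHA-256 and the SP's verifier cannot resolve `xmldsig#sha256` to any digest class.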