Subject: Read IDP Metadata into SP then verify Idp initiated assertion
Date: 2016-10-06 17:05:50
From: Steven Lieberman
Source: read-idp-metadata-sp-verify-idp-initiated-assertion
----------------------------------------------------------------------

Hello,

I have set up your system pretty quickly, allowing me to verify an IdP-initiated assertion by comparing it to a certificate.

Most of my clients, though, will want to give me their IdP signing certificate in a metadata file, per the attached sample.

How can I read in the signing <X509Certificate> certificate value and then validate that it is signed?

Thanks for your help.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ec2-54-69-83-188.us-west-2.compute.amazonaws.com/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ec2-54-69-83-188.us-west-2.compute.amazonaws.com/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ec2-54-69-83-188.us-west-2.compute.amazonaws.com/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
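
The metadata-reading half of the question, as an added example that is not part of the original post and does not use ComponentPro's API: it parses the `<md:KeyDescriptor use="signing">` entries of an IdP `EntityDescriptor` with the Python standard library, base64-decodes each `<ds:X509Certificate>` into DER bytes (the form a signature verifier takes), and pins them so a certificate presented inside an assertion's own `KeyInfo` is only accepted if it matches metadata. The entity ID and certificate bytes are constructed placeholders, not real certificates.

```python
"""Extract IdP signing certificates from SAML 2.0 metadata (stdlib only, added example)."""
from __future__ import annotations
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

@dataclass(frozen=True)
class SigningCert:
    entity_id: str
    der: bytes      # raw DER bytes, what an XML-DSIG verifier is given
    sha256: str     # fingerprint for logging and pinning

def load_signing_certs(metadata_xml: str) -> list[SigningCert]:
    """Return every certificate the IdP metadata declares as usable for signing."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and
        # encryption; only use="encryption" must be skipped for signature checks.
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())   # metadata often wraps the base64
            der = base64.b64decode(b64, validate=True)
            certs.append(SigningCert(entity_id, der, hashlib.sha256(der).hexdigest()))
    return certs

def is_trusted_signer(candidate_der: bytes, trusted: list[SigningCert]) -> bool:
    """Accept the certificate an assertion's KeyInfo names only if metadata pinned it."""
    return any(hmac.compare_digest(candidate_der, c.der) for c in trusted)

# Constructed sample: placeholder bytes stand in for real DER certificates.
SIGNING_DER = b"constructed-signing-cert-der-bytes"
ENCRYPTION_DER = b"constructed-encryption-cert-der-bytes"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SIGNING_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(ENCRYPTION_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

The DER bytes returned here are what you hand to the XML signature verifier for the assertion; the verifier must be given this pinned certificate rather than whatever certificate the incoming assertion embeds.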

----------------------------------------------------------------------
Note: This question was asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand. If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor who sold you the license and ask for your money back.