Subject: SAML verify signature matches the assertion
Date: 2020-08-11 00:08:06
From: jnorman
Source: saml-verify-signature-matches-assertion
----------------------------------------------------------------------

Hi there,

I've got a scenario where if an attacker was to modify the SAMLResponse returned for a successful authentication, I can't seem to verify that the signed assertions in the response match the original signature.

With the following example, the response is successful and validates against the original signing certificate. When calling response.GetSignedAssertions(certificate) both assertions are returned. I want to verify that the assertion is the one that was originally signed (where the assertion ID matches the signature reference). 

Does ComponentPro.Saml do this?

    <!-- Element names below are restored from the standard SAML 2.0 / XML-DSig layout
         implied by the original indentation; attributes (ID, IssueInstant, Version,
         Reference URI, Algorithm, NotOnOrAfter, ...) did not survive extraction and are
         shown as "..." -->
    <samlp:Response ...>
       <saml:Issuer>http://localhost/sso/test</saml:Issuer>
       <samlp:Status>
          <samlp:StatusCode .../>
       </samlp:Status>
       <saml:Assertion ...>
          <saml:Issuer>http://localhost/sso/test</saml:Issuer>
          <ds:Signature>
             <ds:SignedInfo>
                <ds:CanonicalizationMethod .../>
                <ds:SignatureMethod .../>
                <ds:Reference URI="...">
                   <ds:Transforms>
                      <ds:Transform .../>
                      <ds:Transform .../>
                   </ds:Transforms>
                   <ds:DigestMethod .../>
                   <ds:DigestValue>KeAZoDrcdX9PSzmYj5dG8gluWaZfn80ZTgQ1pX0CDVY=</ds:DigestValue>
                </ds:Reference>
             </ds:SignedInfo>
             <ds:SignatureValue>[redacted]</ds:SignatureValue>
             <ds:KeyInfo>
                <ds:X509Data>
                   <ds:X509Certificate>[redacted]</ds:X509Certificate>
                </ds:X509Data>
             </ds:KeyInfo>
          </ds:Signature>
          <saml:Subject>
             <saml:NameID>hacker@example.com</saml:NameID>
             <saml:SubjectConfirmation ...>
                <saml:SubjectConfirmationData .../>
             </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions ...>
             <saml:AudienceRestriction>
                <saml:Audience>http://localhost/sso/test</saml:Audience>
             </saml:AudienceRestriction>
          </saml:Conditions>
          <saml:AuthnStatement ...>
             <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
             </saml:AuthnContext>
          </saml:AuthnStatement>
       </saml:Assertion>
       <saml:Assertion ...>
          <saml:Issuer>http://localhost/sso/test</saml:Issuer>
          <saml:Subject>
             <saml:NameID>users@example.com</saml:NameID>
             <saml:SubjectConfirmation ...>
                <saml:SubjectConfirmationData .../>
             </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions ...>
             <saml:AudienceRestriction>
                <saml:Audience>http://localhost/sso/test</saml:Audience>
             </saml:AudienceRestriction>
          </saml:Conditions>
          <saml:AuthnStatement ...>
             <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
             </saml:AuthnContext>
          </saml:AuthnStatement>
       </saml:Assertion>
    </samlp:Response>

Thanks,
Jeremy

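The check Jeremy is asking for is a structural one that a service provider should run in addition to cryptographic signature verification: the ds:Signature must be a direct child of the assertion it covers, its single Reference URI must point at that same assertion's ID, and that ID must be unique in the document. In the layout above the Signature sits inside the assertion for hacker@example.com while the unsigned assertion for users@example.com follows it, so a library that only asks "does this signature validate against the IdP certificate?" can be fooled into treating both as signed. The following is an added example in Python over the standard library's xml.etree, not ComponentPro code and not a claim about what ComponentPro.Saml does internally; the two sample responses are constructed for illustration, the IDs `_a1` and `_evil` are invented, and the signature bytes are placeholders because this code does no cryptography (that step still belongs to your SAML library, run only on the IDs this check returns).

```python
"""Structural check for signed SAML assertions: is each <ds:Signature> a direct
child of the assertion it references?  Added example, not ComponentPro code."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns, local):
    """ElementTree's Clark notation for a namespaced tag."""
    return "{%s}%s" % (ns, local)


def check_signed_assertions(xml_text):
    """Return (ok_ids, problems).

    ok_ids:   IDs of assertions whose enclosing Signature has exactly one
              Reference and that Reference points at the enclosing assertion.
    problems: a description of every structural mismatch found.
    Cryptographic verification is a separate step to run on ok_ids only,
    and only when problems is empty.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}

    # Every ID must be unique; a duplicate lets "#_a1" resolve to an element
    # other than the one the verifier expects.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    problems = [f"duplicate ID {i!r}" for i in sorted(set(ids)) if ids.count(i) > 1]

    ok_ids = []
    for sig in root.iter(_q(DS, "Signature")):
        enclosing = parent.get(sig)
        # A SAML signature is a direct child of the Assertion (or Response) it covers.
        if enclosing is None or enclosing.tag not in (_q(SAML, "Assertion"), _q(SAMLP, "Response")):
            problems.append("Signature is not a direct child of an Assertion or Response")
            continue
        refs = [r.get("URI") for r in sig.iter(_q(DS, "Reference"))]
        if len(refs) != 1:
            problems.append(f"expected exactly one Reference, found {len(refs)}")
            continue
        expected = "#" + (enclosing.get("ID") or "")
        if refs[0] != expected:
            # This is the wrapping case: the signature is genuine for some other
            # element, but it has been moved into an assertion it does not cover.
            problems.append(f"Signature in element ID={enclosing.get('ID')!r} references {refs[0]!r}")
            continue
        if enclosing.tag == _q(SAML, "Assertion"):
            ok_ids.append(enclosing.get("ID"))
    return ok_ids, problems


def trusted_assertion_ids(xml_text):
    """IDs safe to hand to the cryptographic verifier; empty if anything is off."""
    ok_ids, problems = check_signed_assertions(xml_text)
    return [] if problems else ok_ids


# ---- constructed sample data (placeholder IDs and signature bytes) ----------
def _response(*assertions):
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:ds="{DS}" ID="_resp">' + "".join(assertions) + "</samlp:Response>")


def _assertion(assertion_id, name_id, signature=""):
    return (f'<saml:Assertion ID="{assertion_id}">{signature}<saml:Subject>'
            f'<saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>')


# A signature whose Reference covers the assertion with ID _a1 (digest/value are placeholders).
SIGNATURE_FOR_A1 = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">'
                    '<ds:DigestValue>[constructed]</ds:DigestValue></ds:Reference>'
                    '</ds:SignedInfo><ds:SignatureValue>[constructed]</ds:SignatureValue>'
                    '</ds:Signature>')

# Honest response: the signature lives inside the assertion it references.
GENUINE = _response(_assertion("_a1", "users@example.com", SIGNATURE_FOR_A1))

# Tampered response mirroring the question: the signature was relocated into a
# new assertion for hacker@example.com, and the originally signed assertion follows.
WRAPPED = _response(_assertion("_evil", "hacker@example.com", SIGNATURE_FOR_A1),
                    _assertion("_a1", "users@example.com"))

if __name__ == "__main__":
    print("genuine:", check_signed_assertions(GENUINE))
    print("wrapped:", check_signed_assertions(WRAPPED))
```

Running it reports `(['_a1'], [])` for the genuine response and no trusted IDs for the tampered one, with a problem line naming the assertion that holds a signature it does not own. The rule to apply afterwards is the one Jeremy describes: accept only assertions whose ID appears in the trusted list and whose signature then verifies against the IdP certificate, never "any assertion in a response that contains a valid signature".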
----------------------------------------------------------------------

Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand
If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor
who sold you the license and ask for your money back.
