Subject: SAML verify signature matches the assertion
Date: 2020-08-11 00:08:06
From: jnorman
Source: saml-verify-signature-matches-assertion
----------------------------------------------------------------------
Hi there,
I've got a scenario where if an attacker were to modify the SAMLResponse returned for a successful authentication, I can't seem to verify that the signed assertions in the response match the original signature.
With the following example, the response is successful and validates against the original signing certificate. When calling response.GetSignedAssertions(certificate) both assertions are returned. I want to verify that the assertion is the one that was originally signed (where the assertion ID matches the signature reference).
Does ComponentPro.Saml do this?
[SAMLResponse XML; the markup was lost in extraction and only element text survives:]
http://localhost/sso/test
http://localhost/sso/test
KeAZoDrcdX9PSzmYj5dG8gluWaZfn80ZTgQ1pX0CDVY=
[redacted]
[redacted]
hacker@example.com
http://localhost/sso/test
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://localhost/sso/test
users@example.com
http://localhost/sso/test
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Thanks,
Jeremy
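The check the question asks for, as an added example that is not code from the original post or from ComponentPro.Saml: after the library has verified the XML Signature cryptographically, bind each ds:Signature to the saml:Assertion that is its direct parent, require the single ds:Reference URI to be "#" plus that assertion's own ID, and require that ID to be unique in the document. Any assertion that fails that binding (the attacker's hacker@example.com assertion in the question, whether inserted unsigned or wrapped around a copied signature) is not the signed one and must not be consumed. The response documents and the DigestValue/SignatureValue placeholders below are constructed for the example; the function names are assumptions, and the code deliberately does not verify digests or signature values, which is the library's job.

```python
"""Structural check that a SAML assertion is the one its enveloped signature covers.

Constructed example, not ComponentPro.Saml code. It does NOT verify the
DigestValue or SignatureValue; run it alongside the library's cryptographic
verification. It answers the question the library call leaves open: which
<saml:Assertion> element is actually bound to a <ds:Signature>?
"""
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = "{%s}Assertion" % NS_SAML
SIGNATURE = "{%s}Signature" % NS_DS
REFERENCE = "{%s}SignedInfo/{%s}Reference" % (NS_DS, NS_DS)
NAMEID = "{%s}Subject/{%s}NameID" % (NS_SAML, NS_SAML)


def _signed_assertions(root):
    """Assertions whose own enveloped signature references them (elements)."""
    parent_of = {c: p for p in root.iter() for c in p}
    id_count = {}
    for el in root.iter():                       # duplicate IDs are a wrapping tell
        if el.get("ID") is not None:
            id_count[el.get("ID")] = id_count.get(el.get("ID"), 0) + 1
    signed = []
    for sig in root.iter(SIGNATURE):
        owner = parent_of.get(sig)
        if owner is None or owner.tag != ASSERTION:
            continue                             # Response-level or stray signature
        refs = sig.findall(REFERENCE)
        if len(refs) != 1:
            continue                             # exactly one reference expected
        owner_id = owner.get("ID")
        if owner_id is None or refs[0].get("URI", "") != "#" + owner_id:
            continue                             # signature does not cover its parent
        if id_count.get(owner_id, 0) != 1:
            continue                             # ID reused elsewhere: reject
        signed.append(owner)
    return signed


def signed_assertion_ids(response_xml):
    """IDs of the assertions that pass the structural binding check."""
    return [a.get("ID") for a in _signed_assertions(ET.fromstring(response_xml))]


def trusted_subject(response_xml):
    """NameID of the single signed assertion; raises if there is not exactly one.
    Stricter SPs may additionally reject a response carrying any unsigned assertion."""
    signed = _signed_assertions(ET.fromstring(response_xml))
    if len(signed) != 1:
        raise ValueError("expected exactly one signed assertion, found %d" % len(signed))
    node = signed[0].find(NAMEID)
    if node is None or not node.text:
        raise ValueError("signed assertion has no NameID")
    return node.text


# ---- constructed sample responses (placeholder digest/signature values) ----
def _signature(ref_id):
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s">'
            '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>' % ref_id)


def _assertion(aid, name_id, signature=""):
    return ('<saml:Assertion ID="%s"><saml:Issuer>http://localhost/sso/test</saml:Issuer>%s'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject></saml:Assertion>'
            % (aid, signature, name_id))


def _response(assertions):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">'
            '<saml:Issuer>http://localhost/sso/test</saml:Issuer>%s</samlp:Response>'
            % (NS_SAMLP, NS_SAML, NS_DS, "".join(assertions)))


LEGITIMATE = _response([_assertion("_a1", "users@example.com", _signature("_a1"))])
# Attacker prepends an unsigned assertion for a different subject.
WRAPPED_UNSIGNED = _response([_assertion("_a2", "hacker@example.com"),
                              _assertion("_a1", "users@example.com", _signature("_a1"))])
# Attacker moves the original signature into a new assertion; the digest
# still matches _a1, but the signature's parent is _a2.
WRAPPED_MOVED_SIG = _response([_assertion("_a2", "hacker@example.com", _signature("_a1")),
                               _assertion("_a1", "users@example.com")])
# Attacker reuses the signed assertion's ID on a forged copy.
WRAPPED_DUP_ID = _response([_assertion("_a1", "hacker@example.com", _signature("_a1")),
                            _assertion("_a1", "users@example.com", _signature("_a1"))])

if __name__ == "__main__":
    for name, doc in [("legit", LEGITIMATE), ("unsigned", WRAPPED_UNSIGNED),
                      ("moved", WRAPPED_MOVED_SIG), ("dup", WRAPPED_DUP_ID)]:
        print(name, signed_assertion_ids(doc))
```

The point of the parent check is that an XML Signature with an enveloped transform only proves integrity of the element it references, so an SP must locate that element by the Reference URI and read the subject from it, never from "the first Assertion in the response". In ComponentPro.Saml terms, that means comparing each returned assertion's ID against the reference URI of the signature it carries before trusting it.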
----------------------------------------------------------------------
Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand
If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor
who sold you the license and ask for your money back.