SAML verify signature matches the assertion

Hi there,

I've got a scenario where, if an attacker were to modify the SAMLResponse returned for a successful authentication, I can't seem to verify that the signed assertions in the response match the original signature. With the following example, the response is successful and validates against the original signing certificate. When calling response.GetSignedAssertions(certificate), both assertions are returned. I want to verify that the assertion is the one that was originally signed (where the assertion ID matches the signature reference). Does ComponentPro.Saml do this?

http://localhost/sso/test http://localhost/sso/test KeAZoDrcdX9PSzmYj5dG8gluWaZfn80ZTgQ1pX0CDVY= [redacted] [redacted] hacker@example.com http://localhost/sso/test urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport http://localhost/sso/test users@example.com http://localhost/sso/test urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Thanks,
Jeremy
 
asked 8/11/2020 12:08:06 AM
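The check the question asks for, as an added example that is not part of the original post and is not ComponentPro.Saml code: it walks a SAML Response, and for every Assertion that carries an enveloped ds:Signature it requires exactly one ds:Reference whose URI is "#" plus that assertion's own ID, and that the ID is unique in the document. Only such assertions are treated as signed; a signature copied into another assertion, or an injected assertion that reuses the genuine ID, is rejected. The cryptographic verification of the signature (digest and signature value against the IdP certificate) is assumed to be done separately by the SAML library; this block only decides which assertion that verified signature vouches for. The sample messages, IDs, issuer URL and DigestValue/SignatureValue contents are constructed placeholders.

```python
# Added example (not ComponentPro's code): bind each ds:Signature to the
# saml:Assertion that encloses it. Cryptographic verification is assumed to be
# done elsewhere; this only answers "which assertion did the signature cover?"
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


class SamlBindingError(ValueError):
    """A Signature is present but is not bound to the Assertion it sits in."""


def bound_assertions(response_xml):
    """Return [(assertion_id, name_id)] for every Assertion whose own enveloped
    Signature has exactly one Reference whose URI is "#<that assertion's ID>".
    Unsigned assertions are skipped; a signature pointing anywhere else (the
    XML Signature Wrapping pattern) or a duplicated ID raises."""
    root = ET.fromstring(response_xml)
    all_ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    accepted = []
    for assertion in root.iter(SAML_ASSERTION):
        assertion_id = assertion.get("ID")
        # Only a DIRECT child Signature is enveloped; one nested deeper does not count.
        signatures = [c for c in assertion if c.tag == DS_SIGNATURE]
        if not signatures:
            continue
        if len(signatures) > 1:
            raise SamlBindingError("multiple Signatures in assertion %r" % assertion_id)
        references = signatures[0].findall("ds:SignedInfo/ds:Reference", NS)
        if len(references) != 1:
            raise SamlBindingError("expected exactly one Reference in assertion %r" % assertion_id)
        uri = references[0].get("URI", "")
        if assertion_id is None or uri != "#" + assertion_id:
            raise SamlBindingError("Reference %r does not point at enclosing assertion %r"
                                   % (uri, assertion_id))
        if all_ids.count(assertion_id) != 1:
            raise SamlBindingError("ID %r is not unique in the document" % assertion_id)
        name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        accepted.append((assertion_id, name_id))
    return accepted


def authenticated_subject(response_xml):
    """The NameID to log in; refuses responses with zero or several bound assertions."""
    accepted = bound_assertions(response_xml)
    if len(accepted) != 1:
        raise SamlBindingError("need exactly one bound assertion, got %d" % len(accepted))
    return accepted[0][1]


def is_rejected(response_xml):
    """True when the response fails the binding check."""
    try:
        authenticated_subject(response_xml)
    except SamlBindingError:
        return True
    return False


# Constructed sample messages: IDs, issuer and digest/signature values are placeholders.
def _assertion(assertion_id, name_id, reference_uri=None):
    sig = ""
    if reference_uri is not None:
        sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
               '<ds:Reference URI="%s"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
               '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
               % reference_uri)
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s">'
            '<saml:Issuer>https://idp.example.com</saml:Issuer>%s'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject></saml:Assertion>'
            % (assertion_id, sig, name_id))


def _response(*assertions):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp">'
            + "".join(assertions) + "</samlp:Response>")


# genuine signed assertion with an unsigned attacker assertion injected in front of it
WRAPPED_UNSIGNED = _response(_assertion("_evil", "hacker@example.com"),
                             _assertion("_signed", "users@example.com", "#_signed"))
# injected assertion carrying a copy of the genuine Signature (Reference still says #_signed)
WRAPPED_COPIED_SIG = _response(_assertion("_evil", "hacker@example.com", "#_signed"),
                               _assertion("_signed", "users@example.com", "#_signed"))
# injected assertion reusing the genuine ID so a naive "find element by ID" picks it first
WRAPPED_DUP_ID = _response(_assertion("_signed", "hacker@example.com", "#_signed"),
                           _assertion("_signed", "users@example.com", "#_signed"))

if __name__ == "__main__":
    print(authenticated_subject(WRAPPED_UNSIGNED))
    for bad in (WRAPPED_COPIED_SIG, WRAPPED_DUP_ID):
        print("rejected:", is_rejected(bad))
```

Run the binding check on the raw SAMLResponse before, or independently of, whatever the SAML library returns as "signed assertions", and only ever read the Subject, Conditions and AuthnStatement from the assertion that the check accepted.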

0 Answers
