<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello,<div class=""><br class=""></div><div class="">I'm currently evaluating available libraries to handle SAML signatures (IDP side, having to sign; others will verify).</div><div class=""><br class=""></div><div class="">So far I'm doing basic testing with the xmlsec command line in the following way:</div><div class=""><br class=""></div><div class="">xmlsec1 --sign --output signed.xml --privkey-pem key.pem --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" response.xml</div><div class=""><br class=""></div><div class="">Which seems to work. And which xmlsec validates using the following command:</div><div class=""><br class=""></div><div class="">xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" --pubkey-pem public.pem signed.xml</div><div class=""><br class=""></div><div class="">However, when I use online tools to confirm the whole SAML thing, I get a signature error. 
Both <a href="http://samltool.com" class="">samltool.com</a> and <a href="http://samltest.id" class="">samltest.id</a> fail to validate the signature.</div><div class=""><br class=""></div><div class="">The signed SAML Response is available here: <a href="https://pastebin.com/MgQtpHRJ" class="">https://pastebin.com/MgQtpHRJ</a></div><div class=""><br class=""></div><div class="">The public key used for signing is:</div><div class="">-----BEGIN PUBLIC KEY-----<br class="">MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3MHc5AwDkhMjlfXjxDmc<br class="">C6F1swbYEhGvyTItZwKQ2dyFxx2D6xMM1zX7EEObrVwSvJzbqcqDTC/kcZ0lN5Un<br class="">+a38qSo0ZVo68OQx8j7elHByTuW19eItNbSkubGlgSKWbvFZqGmMJcJ/GAhwVIFR<br class="">JJ77HmaoJjCwJSEMea+Ul0LYOcT5TKXwdGa8iPAnTq1o7LjM5B2Rz0LXU+OcvphO<br class="">QjQbrbxOc8XGspfAiD4IOf7uRjD9gDirBRGY77Po4B0FOF+PX+AkREWtCX+iv/RV<br class="">zs1SSwmOMTVchyynfgRXnRjex37vAjOJR2DdTj8yrRZJcGKIq6wXoIPLJnDNuhVD<br class="">BwIDAQAB<br class="">-----END PUBLIC KEY-----<br class=""><br class=""></div><div class="">If you test with samltool, you will need:</div><div class="">— IDP Entity ID: <a href="http://127.0.0.1:8080/saml/sso" class="">http://127.0.0.1:8080/saml/sso</a></div><div class="">— SP Entity ID: <a href="https://samltest.id/saml/sp" class="">https://samltest.id/saml/sp</a></div><div class="">— SP ACS: <a href="https://samltest.id/Shibboleth.sso/SAML2/POST" class="">https://samltest.id/Shibboleth.sso/SAML2/POST</a></div><div class="">— Target URL: <a href="https://samltest.id/Shibboleth.sso/SAML2/POST" class="">https://samltest.id/Shibboleth.sso/SAML2/POST</a></div><div class=""><br class=""></div><div class="">My question is about the difference between a "normal" XML Signature and a signature in the context of SAML.</div><div class=""><br class=""></div><div class="">Can someone on this list tell me if there are some specificities in the signature of SAML that I've missed? 
</div><div class=""><br class=""></div><div class="">Considering the sample content, if someone knowledgeable in SAML signed responses has the time, is there an obvious mistake here?</div><div class=""><br class=""></div><div class="">Best regards,</div><div class="">Yoann Gini</div></body></html>
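The SAML-specific constraints the message asks about, as an added structural pre-check (example code written for this page, not part of the original message and not xmlsec's own code). SAML 2.0 Core section 5.4 requires an enveloped signature: the ds:Signature element must be a direct child of the Response, placed immediately after saml:Issuer (the schema order is Issuer, Signature, Extensions, Status, ...), with a single ds:Reference whose URI is "#" plus the Response's ID attribute and which carries the enveloped-signature transform; exclusive canonicalization is the recommended canonicalization method. A plain XML-DSig tool will happily produce and verify a signature that violates every one of these rules, which is why xmlsec1 --verify can pass while SAML validators reject the document. The script below uses only the Python standard library, runs those rules over a constructed Response skeleton (DigestValue and SignatureValue are placeholders; the entity IDs and ACS URL are the ones from the message), and builds a deliberately misplaced variant to show what a failing report looks like. It checks placement and references only; the cryptographic verification still belongs to xmlsec1 --verify.

```python
import xml.etree.ElementTree as ET
from typing import List

# Namespaces used by SAML 2.0 protocol messages and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"


def q(prefix: str, local: str) -> str:
    """Clark-notation tag name ({namespace}local) for ElementTree comparisons."""
    return "{%s}%s" % (NS[prefix], local)


def check_saml_signature_placement(xml_text: str) -> List[str]:
    """Return SAML 2.0 Core 5.4 placement/reference problems (empty list = none found).
    This does NOT verify the signature value; use xmlsec1 --verify for that."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q("samlp", "Response"):
        return ["root element is not samlp:Response"]
    response_id = root.get("ID")
    if not response_id:
        problems.append("Response has no ID attribute for the Reference to point at")
    children = list(root)
    tags = [c.tag for c in children]
    if q("ds", "Signature") not in tags:
        problems.append("no ds:Signature directly under Response (SAML requires an enveloped signature)")
        return problems
    # Schema order is Issuer?, ds:Signature?, Extensions?, Status, ... so the
    # Signature sits right after Issuer, or first if there is no Issuer.
    sig_index = tags.index(q("ds", "Signature"))
    expected_index = tags.index(q("saml", "Issuer")) + 1 if q("saml", "Issuer") in tags else 0
    if sig_index != expected_index:
        problems.append("ds:Signature is not immediately after saml:Issuer")
    sig = children[sig_index]
    c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        problems.append("CanonicalizationMethod is not exclusive c14n (recommended by SAML Core)")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        problems.append("expected exactly one ds:Reference, found %d" % len(refs))
        return problems
    ref = refs[0]
    if ref.get("URI") != "#%s" % response_id:
        problems.append("Reference URI %r does not point at Response ID %r" % (ref.get("URI"), response_id))
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in transforms:
        problems.append("Reference lacks the enveloped-signature transform")
    unexpected = [t for t in transforms if t not in (ENVELOPED, EXC_C14N)]
    if unexpected:
        problems.append("unexpected transforms: %s" % ", ".join(unexpected))
    return problems


# Constructed, well-formed skeleton: digest and signature values are placeholders.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp123" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://samltest.id/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>http://127.0.0.1:8080/saml/sso</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp123">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


def misplaced_variant(xml_text: str) -> str:
    """Constructed counter-example: the same document with the Signature moved
    after Status and the Reference URI emptied (a plain XML-DSig verifier still accepts this)."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    root.remove(sig)
    root.append(sig)
    sig.find("ds:SignedInfo/ds:Reference", NS).set("URI", "")
    return ET.tostring(root, encoding="unicode")


BAD_RESPONSE = misplaced_variant(GOOD_RESPONSE)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_RESPONSE), ("misplaced", BAD_RESPONSE)):
        print(name, check_saml_signature_placement(doc) or "OK")
```

Run it as a script, or import it and call check_saml_signature_placement on the pastebin document saved locally; an empty list means the placement and reference rules are satisfied and the remaining suspects are the key material or the canonicalization the verifier expects.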