

Subject: SV: [saml-dev] AuthnRequest - what exactly is signed


Is this the way to do it using the HTTP Redirect Binding:

AuthnRequest (XML document) is first DEFLATE compressed.
It is then base64 encoded and that result is subsequently URL-encoded.
Let's call that output value1.

RelayState value is just URL-encoded.
Let's call that output value2.

SigAlg value is just URL-encoded.
Let's call that output value3.

You then construct this string:
SAMLRequest=value1&RelayState=value2&SigAlg=value3
That is the string that is actually signed.

The signature is then base64 encoded and subsequently URL-encoded and
included in a query string parameter named Signature.

Is that the way to do it?

Thanks,
Kim
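The encoding and signing sequence Kim lays out, as an added worked example that is not code from this thread or from any SAML toolkit: it uses a constructed sample AuthnRequest and an HMAC stand-in where a real SP would sign with its RSA key, and also shows the receiving side rebuilding the signed string from the raw query string rather than from decoded parameters.

```python
import base64, hashlib, hmac, zlib
from urllib.parse import quote, unquote
# Constructed sample request; a real one carries the SP's own issuer, ID and times.
SAMPLE_AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        'ID="_constructed1" Version="2.0" IssueInstant="2008-03-03T15:36:00Z"/>')
SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
def deflate_b64(xml: str) -> str:
    # Raw DEFLATE (no zlib header, wbits=-15), then base64.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()

def signed_string(request_b64: str, relay_state, sig_alg: str) -> str:
    # Exactly the bytes that get signed: URL-encoded values in this order; RelayState omitted if absent.
    parts = ["SAMLRequest=" + quote(request_b64, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts)

def build_redirect_query(xml: str, relay_state, sign) -> str:
    # sign: bytes -> raw signature bytes (the SP's RSA key in a real deployment).
    s = signed_string(deflate_b64(xml), relay_state, SIG_ALG)
    sig_b64 = base64.b64encode(sign(s.encode("ascii"))).decode()
    return s + "&Signature=" + quote(sig_b64, safe="")

def verify_redirect_query(query: str, verify, allowed_algs=(SIG_ALG,)) -> bool:
    # Rebuild the signed string from the raw query, keeping the sender's percent-encoding:
    # decoding and re-encoding the values can change the bytes and break a valid signature.
    raw = dict(p.partition("=")[::2] for p in query.split("&"))
    if not {"SAMLRequest", "SigAlg", "Signature"}.issubset(raw):
        return False
    if unquote(raw["SigAlg"]) not in allowed_algs:  # pin the algorithm; never trust SigAlg blindly
        return False
    parts = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    parts.append("SigAlg=" + raw["SigAlg"])
    try:
        sig = base64.b64decode(unquote(raw["Signature"]), validate=True)
    except ValueError:
        return False
    return verify("&".join(parts).encode("ascii"), sig)

# Stand-in signer for the demo: HMAC-SHA256 with a constructed key, not SAML's RSA.
def demo_sign(data: bytes) -> bytes:
    return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()
def demo_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), sig)
```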



-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 3 March 2008 16:36
To: Hellan.Kim KHE; 'SAML Developers'
Subject: RE: [saml-dev] AuthnRequest - what exactly is signed

> I'm using the HTTP Redirect Binding.

Then your general idea about what to sign is right but your message was
encoded incorrectly, as I said.

-- Scott

Hi,

I'm using the HTTP Redirect Binding.
The part about the concatenation of the 3 strings is from the
description about the DEFLATE encoding in the bindings document.

Thanks,
Kim



-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 29 February 2008 16:40
To: Hellan.Kim KHE; 'SAML Developers'
Subject: RE: [saml-dev] AuthnRequest - what exactly is signed

> I'm new to SAML and have to make a simple client. I'm starting with the
> AuthnRequest and have the following data that I need to send to the IdP:

With what binding?

> If I read the standard correctly, each of these 3 parameters needs to be
> URL-encoded and then concatenated into a string, so it should look
> something like this:

There's no binding that would match, so no, that's wrong.

> Is it correct, that it is the entire string as shown above that is
> signed, and then the signature is posted in the Signature parameter?

Signing is binding dependent. For a redirect, yes, you sign all of those
parameters, but you don't have the message encoded correctly.

-- Scott




