Signature of SAML Request

  • Question

  • I'm looking at the scenario with a relying party that signs the SAML requests that are reaching the ADFS server. The relying party's properties on the ADFS server contain a public certificate - that most likely will validate the signature on the authentication request generated on the relying party itself. What I'm unsure of is the mechanism being used to pass the signature from the relying party to the ADFS server. Is a URL parameter used in the link passed back to the client by the relying party, or is some hidden form field employed? Probably this would depend on each relying party and how the signature is implemented, but is there a narrow list when using SAML as a sign-in protocol?
    Monday, October 24, 2016 11:57 AM

Answers

  • Most of the SAML requests are GZip compressed, so it is hard to see what they have in it. Depending on the profile you are using, you might just see it GZipped in the URL.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, October 24, 2016 9:44 PM
  • The GZip format is used when the parameter is a query string in the URL. URLs have a size limit, so the GZip is to work around this limitation. If the SAML request is in the content of the page, then no need for GZip :)


    Wednesday, October 26, 2016 2:00 PM

All replies

  • Thanks, Pierre. I actually did a capture with Fiddler for our scenario (the relying party is a cloud proxy solution called Zscaler) and inside the frame containing the initial response from the RP there's a "SAMLRequest" hidden input. Decoding from base64 yields a nicely formatted XML, containing 2 elements of interest - one is <dsig:SignatureValue> which most likely contains the signature of the SAML Request, and a <dsig:X509Certificate> which contains the same certificate we have defined in ADFS' relying party's signature tab.

    The protocol used is SAML 2.0. Probably I got lucky and didn't run into GZip.


    Tuesday, October 25, 2016 9:51 AM
  • Thank you, Pierre. Appreciated.
    Wednesday, November 2, 2016 1:55 PM
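The thread above describes two ways a SAML 2.0 AuthnRequest reaches the IdP: base64 in a hidden SAMLRequest form field (HTTP-POST binding, which is what the Fiddler capture showed, with the signature enveloped inside the XML) and a compressed, base64-encoded SAMLRequest query parameter (HTTP-Redirect binding). The following Python script is an added example written for this page; it is not code from the thread, from ADFS or from Zscaler. It decodes both forms and reports whether the XML carries an embedded ds:Signature, SignatureValue and X509Certificate. Two points of the SAML 2.0 bindings specification that the answers gloss over are built in: the "GZip" in the Redirect binding is raw DEFLATE (no gzip or zlib header, hence wbits of -15), and in that binding a signature is not inside the XML but travels in separate SigAlg and Signature query parameters computed over the query string. The AuthnRequest, certificate and signature values are constructed placeholders, and the hostnames are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlsplit

# Namespace URIs for SAML 2.0 protocol/assertion elements and XML Signature.
# Matching is done by URI, so a message using the "dsig:" prefix (as in the
# Fiddler capture) or "ds:" is handled the same way.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample AuthnRequest with an enveloped XML signature.
# Hostnames, ID, signature and certificate values are placeholders, not real material.
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0"
    IssueInstant="2016-10-25T09:51:00Z"
    Destination="https://adfs.example.test/adfs/ls/">
  <saml:Issuer>https://rp.example.test/</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </dsig:SignedInfo>
    <dsig:SignatureValue>PLACEHOLDER_SIGNATURE_BASE64</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:X509Data>
        <dsig:X509Certificate>PLACEHOLDER_CERT_BASE64</dsig:X509Certificate>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </dsig:Signature>
</samlp:AuthnRequest>"""


def encode_post_binding(xml_bytes):
    """HTTP-POST binding: the hidden SAMLRequest field is plain base64 of the XML."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post_binding(saml_request_field):
    """Reverse of encode_post_binding: base64 -> XML bytes."""
    return base64.b64decode(saml_request_field)


def encode_redirect_binding(xml_bytes, sso_url, sig_alg=None, signature_b64=None):
    """HTTP-Redirect binding: raw DEFLATE the XML, base64 it, put it in the query string.
    A signed request adds SigAlg and Signature as separate query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no header
    deflated = comp.compress(xml_bytes) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if sig_alg is not None:
        query["SigAlg"] = sig_alg
        query["Signature"] = signature_b64
    return sso_url + "?" + urlencode(query)


def decode_redirect_binding(url):
    """Extract the XML from a Redirect-binding URL and return it with any
    SigAlg/Signature parameters found alongside it."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_bytes = zlib.decompress(raw, -15)  # inflate raw DEFLATE
    sig_params = {k: params[k][0] for k in ("SigAlg", "Signature") if k in params}
    return xml_bytes, sig_params


def _text(elem):
    return elem.text.strip() if elem is not None and elem.text else None


def inspect_request(xml_bytes):
    """Summarise the request: ID, issuer, and whether an enveloped signature
    and certificate are present. Presence is reported only; verification is the IdP's job."""
    root = ET.fromstring(xml_bytes)
    sig_value = root.find(".//ds:SignatureValue", NS)
    return {
        "id": root.get("ID"),
        "issuer": _text(root.find("saml:Issuer", NS)),
        "has_embedded_signature": sig_value is not None,
        "signature_value": _text(sig_value),
        "certificate": _text(root.find(".//ds:X509Certificate", NS)),
    }


if __name__ == "__main__":
    field = encode_post_binding(SAMPLE_AUTHN_REQUEST)
    print("POST binding:", inspect_request(decode_post_binding(field)))
    url = encode_redirect_binding(SAMPLE_AUTHN_REQUEST, "https://adfs.example.test/adfs/ls/",
                                  "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                                  "PLACEHOLDER_QUERY_SIGNATURE")
    xml, sig = decode_redirect_binding(url)
    print("Redirect binding:", inspect_request(xml), "query signature params:", sig)
```

When reviewing a real capture, run the decoder on the SAMLRequest value taken from the form field or the query string. One caveat for the ADFS side: the X509Certificate embedded in the request is only a hint about which key was used; ADFS validates the signature against the certificate configured on the relying party trust's Signature tab, and a verifier that instead trusts whatever certificate the request carries would accept a request signed with any key.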