How to validate a SAML signature value


Question

I have a customer who is sending a Security key. The encryption they are using is triple DES. Every Assertion they send has a signature value which needs to be validated to give them necessary privileges. Can you give me a sample code which does this?

Recommended answer

Encryption and signing are two different animals. Triple DES is a symmetric key method (same key used for encryption and decryption). Digital signatures, on the other hand, use asymmetric keys (private/public key pair), where the signature is computed using the private key, and can be validated using the public key. So if your customer wants to include signatures in XML they send you, then they need to provide you with their public key.

For encryption, what is typical in SAML is to use XMLEncryption, which defines an XML format for including encryption key information and encrypted data in your SAML messages. Since exchange of a static symmetric key is problematic -- if it's intercepted, the interceptor can both encrypt and decrypt any messages -- what can be done instead is to use a dynamic symmetric key that gets generated anew for each message, encrypt the message using the key, then encrypt that key with the public key of a private/public encryption key pair and send it along with the message. The encrypted symmetric key can only be decrypted using the private half of the key pair used to encrypt it.

So the most significant difference here, from a key perspective, is that for signing, the customer holds the private key and must share the public key with you, while for encryption, you hold the private key and must share the public key with the customer.
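The key-role split the answer describes, as an added Go example that is not code from the question, the answer, or any SAML library: the customer signs with their private key and you validate with nothing but their public key; for encryption, a fresh per-message AES key protects the payload and is wrapped with your public key, so only your private key can unwrap it. It does not parse XML-DSig or XMLEnc; AES-GCM and RSA-OAEP stand in for the XMLEnc algorithms, and the assertion bytes are a constructed stand-in for canonicalized XML.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func NewKeyPair() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // demo keys; real ones come from each party's PKI

// SignAssertion is the customer's side: the signature is computed with THEIR private key (RSA-SHA256, PKCS#1 v1.5, the primitive behind XML-DSig's rsa-sha256).
func SignAssertion(customerPriv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, customerPriv, crypto.SHA256, digest[:])
}

// VerifyAssertion is your side: validation needs only the customer's PUBLIC key.
func VerifyAssertion(customerPub *rsa.PublicKey, assertion, sig []byte) bool {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(customerPub, crypto.SHA256, digest[:], sig) == nil
}

func aesGCM(key []byte) cipher.AEAD { // neither constructor can fail for a 32-byte AES key
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptForRecipient: a fresh AES-256 key per message encrypts the payload; that key is wrapped with the RECIPIENT's public key (RSA-OAEP) and travels alongside the ciphertext.
func EncryptForRecipient(recipientPub *rsa.PublicKey, plaintext []byte) (wrappedKey, nonce, ciphertext []byte, err error) {
	key := make([]byte, 32)
	rand.Read(key) // new key for every message, never reused (crypto/rand.Read does not return an error)
	gcm := aesGCM(key)
	nonce = make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ciphertext = gcm.Seal(nil, nonce, plaintext, nil)
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	return wrappedKey, nonce, ciphertext, err
}

// DecryptAsRecipient: only the holder of the matching PRIVATE key can unwrap the AES key.
func DecryptAsRecipient(recipientPriv *rsa.PrivateKey, wrappedKey, nonce, ciphertext []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCM(key).Open(nil, nonce, ciphertext, nil)
}
```

Validating a real SAML assertion additionally requires canonicalizing the signed XML exactly as the signer did and checking that the certificate in KeyInfo is the one you were given, not merely one that verifies.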

