How to validate a SAML signature value


Question

I have a customer who is sending a Security key. The encryption they are using is triple DES. Every Assertion they send has a signature value which needs to be validated to give them necessary privileges. Can you give me a sample code which does this?

Answer

Encryption and signing are two different animals. Triple DES is a symmetric key method (same key used for encryption and decryption). Digital signatures, on the other hand, use asymmetric keys (private/public key pair), where the signature is computed using the private key, and can be validated using the public key. So if your customer wants to include signatures in XML they send you, then they need to provide you with their public key.

For encryption, what is typical in SAML is to use XMLEncryption, which defines an XML format for including encryption key information and encrypted data in your SAML messages. Since exchange of a static symmetric key is problematic -- if it's intercepted, the interceptor can both encrypt and decrypt any messages -- what can be done instead is to use a dynamic symmetric key that gets generated anew for each message, encrypt the message using the key, then encrypt that key with the public key of a private/public encryption key pair and send it along with the message. The encrypted symmetric key can only be decrypted using the private half of the key pair used to encrypt it.

So the most significant difference here, from a key perspective, is that for signing, the customer holds the private key and must share the public key with you, while for encryption, you hold the private key and must share the public key with the customer.
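The key roles the answer describes, as an added Go example that is not code from the original question or answer: the customer's private key signs the assertion and the customer's public key verifies it, while a fresh per-message symmetric key protects the content and is wrapped with our public key so that only our private key can unwrap it (the XMLEncryption pattern, with RSA-OAEP for the key and AES-GCM for the data). It uses only the Go standard library; the function names, the `Demo` harness and the sample assertion string are my own, and it signs raw bytes rather than canonicalised XML, so it shows who holds which key, not a drop-in XML-DSig verifier.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignAssertion: the SENDER signs with its private key (RSA PKCS#1 v1.5 over SHA-256, the primitive behind XML-DSig rsa-sha256).
func SignAssertion(assertion []byte, senderPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// VerifyAssertion: the RECIPIENT checks with the sender's public key, obtained out of band (e.g. IdP metadata), never from the message itself.
func VerifyAssertion(assertion, sig []byte, senderPub *rsa.PublicKey) error {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig)
}

// newGCM builds AES-256-GCM for key; it only fails on a bad key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForRecipient: a fresh symmetric key for this one message, content sealed with it, the key wrapped with the RECIPIENT's public key.
// Returns the wrapped key (EncryptedKey), the GCM nonce and the ciphertext (EncryptedData).
func EncryptForRecipient(plaintext []byte, recipientPub *rsa.PublicKey) ([]byte, []byte, []byte, error) {
	buf := make([]byte, 32+12) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	return wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// DecryptEnvelope: unwrap the key with the RECIPIENT's private key, then open the content; GCM's tag also rejects altered ciphertext.
func DecryptEnvelope(wrappedKey, nonce, ciphertext []byte, recipientPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, wrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not the intended recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Demo runs both flows; nil means every expected accept/reject outcome held.
func Demo() error {
	customer, err1 := rsa.GenerateKey(rand.Reader, 2048) // signing pair: the customer keeps the private half
	us, err2 := rsa.GenerateKey(rand.Reader, 2048)       // encryption pair: we keep the private half
	if err1 != nil || err2 != nil {
		return errors.New("RSA key generation failed")
	}
	assertion := []byte(`<saml:Assertion ID="_example">urn:demo:subject</saml:Assertion>`) // constructed sample
	sig, err := SignAssertion(assertion, customer)
	if err != nil {
		return err
	}
	if err := VerifyAssertion(assertion, sig, &customer.PublicKey); err != nil {
		return fmt.Errorf("genuine signature rejected: %w", err)
	}
	if VerifyAssertion(bytes.Replace(assertion, []byte("subject"), []byte("admin"), 1), sig, &customer.PublicKey) == nil {
		return errors.New("tampered assertion accepted")
	}
	wrapped, nonce, ct, err := EncryptForRecipient(assertion, &us.PublicKey)
	if err != nil {
		return err
	}
	if _, err := DecryptEnvelope(wrapped, nonce, ct, customer); err == nil {
		return errors.New("a non-recipient key decrypted the envelope")
	}
	if plain, err := DecryptEnvelope(wrapped, nonce, ct, us); err != nil || !bytes.Equal(plain, assertion) {
		return errors.New("intended recipient could not recover the content")
	}
	return nil
}

func main() { fmt.Println("all checks passed:", Demo() == nil) }
```

For a real SAML assertion, hand the document to an XML-DSig implementation rather than hashing raw bytes: it canonicalises the signed element, checks each Reference digest, and lets you confirm that the Signature actually covers the Assertion you are about to trust. The public key you verify against should come from the customer's metadata exchanged out of band, not from the KeyInfo inside the message, since anyone able to alter the message could also swap in a key of their own.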

