Can WIF Saml2SecurityTokenHandler validate top-level signature?

Problem description

See this (stripped-down) SAML 2.0 response:

<samlp:Response>
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lkasjdflkasj</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <!--<snip>-->
  </Signature>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lkasjdflkasj</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jsmith</saml:NameID>
      <!--<snip>-->
    </saml:Subject>
    <!--<snip, but there was NOT a Signature node inside the assertion>-->
  </saml:Assertion>
</samlp:Response>

In the code below, the xml reader is set to send just the <Assertion> piece of the SAML 2.0 response:

var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
var token = handlers.ReadToken( myXmlReader );
var identities = handlers.ValidateToken( token );

If the <Signature> node is part of the assertion, then ValidateToken() will verify it using config settings, e.g. issuerNameRegistry (example in this question: http://stackoverflow.com/questions/28845076/wif-config-issuernameregistry-vs-certificatevalidation).

But if the signature is at a higher level (i.e. the whole xml is signed, not just the assertion), then we'll get an exception like:

ID4152: The Saml2SecurityToken cannot be validated because the IssuerToken property is not set. Unsigned SAML2:Assertions cannot be validated.

Am I understanding correctly that if the <Signature> exists only on the overall xml response, that I cannot call ValidateToken and must instead revert to more general-purpose features such as SignedXml.CheckSignature?

Recommended answer

OK, indeed you are parsing real SAML2 messages. WIF does not support that. WIF probably considers this an unsigned Assertion.

I would have to dig in with Reflector and/or the reference source. Anyway, you would have to do the parsing and verification yourself. And I personally do not use SignedXml. Maybe it is possible. It has other side effects. Welcome to the minefield.

The famous reference article: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf
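
An added example, not part of the original question or answer and not WIF's own code: one way to check a Response-level signature with SignedXml.CheckSignature (the call the question mentions) while rejecting the signature-wrapping layouts analysed in the referenced USENIX paper. The class and method names are hypothetical; it assumes the IdP certificate is pinned out of band, the Response carries its ID attribute, and exactly one unencrypted Assertion is expected.

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper: class and method names are not from WIF or the original post.
public static class SamlResponseSignature
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns the Assertion only if the signature verifies and covers the Response root.
    public static XmlElement GetVerifiedAssertion(string responseXml, X509Certificate2 pinnedIdpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(responseXml);
        XmlElement root = doc.DocumentElement;

        // Exactly one Signature and one Assertion, both direct children of the root.
        XmlElement signature = SingleChild(root, "Signature", DsNs);
        XmlElement assertion = SingleChild(root, "Assertion", SamlNs);

        // Assumption: ID is present. VerifyNCName throws on empty or malformed values.
        string id = XmlConvert.VerifyNCName(root.GetAttribute("ID"));
        if (doc.SelectNodes("//*[@ID='" + id + "']").Count != 1)
            throw new CryptographicException("Response ID is not unique.");

        var signedXml = new SignedXml(root);
        signedXml.LoadXml(signature);

        // The single Reference must point at the root the Assertion is read from.
        var refs = signedXml.SignedInfo.References;
        if (refs.Count != 1 || ((Reference)refs[0]).Uri != "#" + id)
            throw new CryptographicException("Signature does not cover the Response root.");
        // Verify with the pinned certificate, never with KeyInfo taken from the message.
        if (!signedXml.CheckSignature(pinnedIdpCert, true))
            throw new CryptographicException("Response signature is invalid.");
        return assertion;
    }

    static XmlElement SingleChild(XmlElement parent, string localName, string ns)
    {
        XmlElement found = null;
        foreach (XmlNode n in parent.ChildNodes)
            if (n is XmlElement e && e.LocalName == localName && e.NamespaceURI == ns)
                found = found == null ? e : throw new CryptographicException("Duplicate " + localName);
        return found ?? throw new CryptographicException("Missing " + localName);
    }
}
```

A verified signature only establishes integrity and origin; the assertion's Conditions (validity window, audience) still have to be checked separately.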
