Signing entire SAML Response using Certificate


Hi,

We are trying to integrate with one of the Service Providers using the SAML
2.0 POST profile mechanism. It was agreed with the Service Provider that the
SAML Assertion will be encrypted and the entire SAML Response will be signed
by the Certificate.

Novell SAML configurations are completed and SAML response was
generated, signed and posted to the Service provider application.
Service provider is not able to decrypt the response, they complained
that SAML Assertion is signed not the entire SAML Response.

We have followed the default SAML configurations available in Novell to
generate and sign the Response. Appreciate any inputs to resolve this
issue. I am pasting below the SAML Response generated by the Novell
Configuration.


--
karthikeyan_palanisamy
------------------------------------------------------------------------
karthikeyan_palanisamy's Profile: http://forums.novell.com/member.php?userid=90439
View this thread: http://forums.novell.com/showthread.php?t=421373
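
Whether the signature sits on the Assertion or on the enclosing Response, the distinction this post turns on, can be checked structurally on a captured Response. This is an added example, not part of the original post and not Novell code; the sample XML, `SAMPLE` and `signature_placement` are constructed for illustration, and no signature or digest value is verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: only the Assertion carries an enveloped signature.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def _signed_by_own_signature(elem):
    """True if elem has a direct ds:Signature child that references elem's own ID."""
    sig = elem.find("ds:Signature", NS)  # direct children only
    elem_id = elem.get("ID")
    if sig is None or not elem_id:
        return False
    uris = [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    return "#" + elem_id in uris


def signature_placement(xml_text):
    """Report where enveloped signatures sit in a SAML 2.0 Response (structure only)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    return {
        "response_signed": _signed_by_own_signature(root),
        "assertions_signed": [_signed_by_own_signature(a)
                              for a in root.findall("saml:Assertion", NS)],
        # A signature inside an EncryptedAssertion is not visible until decryption.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


if __name__ == "__main__":
    print(signature_placement(SAMPLE))
```
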


Re: Signing entire SAML Response using Certificate

karthikeyan palanisamy wrote:

>
> Hi,
>
> We are trying to integrate with one of the Service Provider using SAML
> 2.0 post profile mechanism. It was agreed with the Service Provider
> that SAML Assertion will be encrypted and entire SAML Response will
> be Signed by the Certificate.
>
> Novell SAML configurations are completed and SAML response was
> generated, signed and posted to the Service provider application.
> Service provider is not able to decrypt the response, they complained
> that SAML Assertion is signed not the entire SAML Response.
>
> We have followed the default SAML configurations available in Novell
> to generate and sign the Response. Appreciate any inputs to resolve
> this issue. I am pasting below the SAML Response generated by the
> Novell Configuration.


I reckon this is working as designed. Maybe tell the people who manage
the ESP side to only expect the assertion to be signed and not the
entire response. Wanting to change this will probably be impossible
from the UI (or any commandline options).

--
Cheers,
Edward

Re: Signing entire SAML Response using Certificate


Hi Edward,

Thanks for the response. Please refer any documentation to confirm the
product design to sign only the SAML Assertion not the entire SAML
response.

Regards
Karthik


--
karthikeyan_palanisamy
------------------------------------------------------------------------
karthikeyan_palanisamy's Profile: http://forums.novell.com/member.php?userid=90439
View this thread: http://forums.novell.com/showthread.php?t=421373


Re: Signing entire SAML Response using Certificate

karthikeyan palanisamy wrote:

>
> Hi Edward,
>
> Thanks for the response. Please refer any documentation to confirm the
> product design to sign only the SAML Assertion not the entire SAML
> response.
>
> Regards
> Karthik


I'd try here:
http://www.novell.com/documentation/novellaccessmanager31/identityserverhelp/?page=/documentation/novellaccessmanager31/identityserverhelp/data/bookinfo.html

As I said in my earlier post. I'm not sure what the expected behaviour
is but NAM isn't all that flexible now and then so it would probably be
easier to change the ESP side if that is an option.

--
Cheers,
Edward

Re: Signing entire SAML Response using Certificate


I think some of that depends on what's requested. Can you use SP
initiated auth? If so, the AuthnRequest can ask for the response to
be signed among other things like RequestedAuthnContext, etc.
I'm not seeing how you would configure NAM to sign the response in the
Trusted Provider config.


--
Thanks!
ETB
------------------------------------------------------------------------
barragae's Profile: http://forums.novell.com/member.php?userid=1766
View this thread: http://forums.novell.com/showthread.php?t=421373


Re: Signing entire SAML Response using Certificate


Hi Edward,

Can we set the order of preference for SAML Assertion Encryption and
Signature? I mean Encryption first and Signature next, or vice versa.

Regards
Karthik


--
karthikeyan_palanisamy
------------------------------------------------------------------------
karthikeyan_palanisamy's Profile: http://forums.novell.com/member.php?userid=90439
View this thread: http://forums.novell.com/showthread.php?t=421373


Re: Signing entire SAML Response using Certificate

karthikeyan palanisamy wrote:

>
> Hi Edward,
>
> Can we set the order of preference for SAML Assertion Encryption and
> Signature? I mean Encryption first and Signature next, or vice versa.


Not that I'm aware of unfortunately.

--
Cheers,
Edward