
Embed SAML Verification Signature (the SP Signing Public Cert) to the the AuthnRequest #585

Open
rebornjoe opened this issue May 7, 2021 · 9 comments

Comments

@rebornjoe

rebornjoe commented May 7, 2021

I've tried to look for any references to do this but thought that it might not be possible with the library. Some Identity Providers require that the signing certificate be embedded in the AuthnRequest in order for the IdP to verify the request as well as match the subject DN and confirm if the certificate was signed by a CA. Is there any documentation on how to achieve this? Thank you

@cjbarth
Collaborator

cjbarth commented May 10, 2021

Do you have a sample of what you are looking for? Also, could you reference the SAML spec that mentions that this should be, or may be, provided in the AuthnRequest?

@rebornjoe
Author

rebornjoe commented May 10, 2021

Hello! I was looking to implement/make use of something like the AuthnRequest below with an HTTP-POST Binding and including the x.509 public certificate in the key info as part of the signature.

In the core specification, http://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf , there are references to ds:KeyInfo like page 20 (line 824):

The KeyInfoConfirmationDataType complex type constrains a <SubjectConfirmationData> element to contain one or more <ds:KeyInfo> elements that identify cryptographic keys that are used in some way to authenticate an attesting entity. The particular confirmation method MUST define the exact mechanism by which the confirmation data can be used. The optional attributes defined by the SubjectConfirmationDataType complex type MAY also appear.

This complex type, or a type derived from it, SHOULD be used by any confirmation method that defines its confirmation data in terms of the <ds:KeyInfo> element.

Sample request (from https://www.samltool.com/generic_sso_req.php):

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
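
The pattern in the comment above (the SP signing certificate carried in ds:KeyInfo/ds:X509Data/ds:X509Certificate, which the IdP then checks against a CA and the expected subject DN before trusting it) as an added, runnable Go example written for this page. It is not node-saml's or xml-crypto's code; Go's standard library is used because it can mint the certificates inline, so the whole round trip runs offline. Only the Issuer and the KeyInfo part of the request are modelled; the SignedInfo and SignatureValue a real request also carries are left to the XML-DSig library. The CA name, the SP CN, the request ID and the extra comparison against a key registered in SP metadata are constructed assumptions, not something the issue specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AuthnRequest models only the parts relevant to this issue: the Issuer and
// the ds:KeyInfo/ds:X509Data/ds:X509Certificate holding the SP signing cert.
// SignedInfo and SignatureValue are intentionally omitted (assumption for this example).
type AuthnRequest struct {
	XMLName   xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID        string   `xml:"ID,attr"`
	Version   string   `xml:"Version,attr"`
	Issuer    string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Signature struct {
		X509Certificate string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
}

// makeCert mints an RSA key pair and a certificate for cn. With parent == nil the
// certificate is self-signed; otherwise it is issued by parent. Constructed test
// PKI only: a real deployment uses the CA the IdP operator has agreed to trust.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildAuthnRequest is the SP side: embed the DER certificate, base64-encoded,
// in ds:KeyInfo so the IdP can locate the verification key.
func buildAuthnRequest(id, issuer string, spCert *x509.Certificate) ([]byte, error) {
	req := AuthnRequest{ID: id, Version: "2.0", Issuer: issuer}
	req.Signature.X509Certificate = base64.StdEncoding.EncodeToString(spCert.Raw)
	return xml.MarshalIndent(req, "", "  ")
}

// extractEmbeddedCert is the IdP side: pull the certificate out of KeyInfo.
// Whitespace is stripped first because the base64 is often line-wrapped.
func extractEmbeddedCert(doc []byte) (*x509.Certificate, error) {
	var req AuthnRequest
	if err := xml.Unmarshal(doc, &req); err != nil {
		return nil, err
	}
	b64 := strings.Join(strings.Fields(req.Signature.X509Certificate), "")
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validateEmbeddedCert is the IdP policy this issue describes: a certificate found in
// KeyInfo is attacker-controllable input, so before its key is used to check the XML
// signature it must chain to a trusted CA and carry the subject DN registered for the
// SP. Comparing against the key from SP metadata (registeredKey, optional) is an added,
// stricter check that stops any other cert from the same CA with the same CN.
func validateEmbeddedCert(cert *x509.Certificate, roots *x509.CertPool, expectedCN string, registeredKey *rsa.PublicKey) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("embedded certificate does not chain to a trusted CA: %w", err)
	}
	if cert.Subject.CommonName != expectedCN {
		return fmt.Errorf("subject CN %q does not match registered SP %q", cert.Subject.CommonName, expectedCN)
	}
	if registeredKey != nil {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok || !pub.Equal(registeredKey) {
			return fmt.Errorf("embedded key does not match the key registered in SP metadata")
		}
	}
	return nil
}

func main() {
	ca, caKey, _ := makeCert("Example SP CA", true, nil, nil)
	sp, spKey, _ := makeCert("sp.example.com", false, ca, caKey)
	doc, _ := buildAuthnRequest("pfx-example-id", "http://sp.example.com/demo1/metadata.php", sp)
	fmt.Println(string(doc))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cert, err := extractEmbeddedCert(doc)
	if err != nil {
		fmt.Println("extract:", err)
		return
	}
	fmt.Println("policy check:", validateEmbeddedCert(cert, roots, "sp.example.com", &spKey.PublicKey))
}
```

The point for an IdP implementer is in validateEmbeddedCert: KeyInfo tells the verifier which key the sender claims to have signed with, and nothing more. Without the chain and DN checks, anyone could embed their own certificate and sign the request with the matching key, so the presence of a valid signature alone proves nothing about who the SP is.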

@cjbarth
Collaborator

cjbarth commented May 11, 2021

I must be missing something. I don't see either KeyInfoConfirmationDataType, SubjectConfirmationData, or SubjectConfirmationDataType anywhere in the provided sample. In any case, we'd be willing to review a PR with tests to this effect.

@ganesha289

@rebornjoe, Did you get any resolution for this? I'm facing the same issue and not able to add "KeyInfo" in AuthnRequest.

@prasad-mhatre-incontact

@rebornjoe, Did you get any resolution for this? I'm facing the same issue and not able to add "KeyInfo" in AuthnRequest.

Same error for me too. Any further work has been done here?

@cjbarth
Collaborator

cjbarth commented Nov 24, 2021

As mentioned above, we are eager to have the community help enhance this project through contributions. Please feel free to submit a PR to add these features and the maintainers will do their best to help get it landed.

@ganesha289

ganesha289 commented Jan 6, 2022

@cjbarth, PR raised for this issue fix. Can you please review?
PR - node-saml/node-saml#36

@ducminhn

Hi @ganesha289 or @cjbarth ,

I'm wondering if there's any progress on this issue.

Thanks,
Minh

@cjbarth
Collaborator

cjbarth commented Oct 11, 2023

I'm working on a new release of xml-crypto, but otherwise it looks like there hasn't been any movement on that particular PR. You can fork that PR and help it along and then make a new PR if you want. All help is appreciated.


5 participants