Reject SHA-1 signature at SAMLMessageSignature.Verify

Is it possible to reject SHA-1 signature at SAMLMessageSignature.Verify?
I am using public static bool Verify(XmlElement xmlElement, X509Certificate2 x509Certificate); in SAMLMessageSignature class.
It looks like this method succeeds regardless of the signature algorithm as far as any algorithm is declared in the response.

I would like to reject SHA-1 signature (weak), but I do not find such override method or configuration method.
Is it possible?

It’s possible to reject SHA-1 signatures if you’re using the high-level API. This is done through the SAML configuration.
For example:
<PartnerIdentityProvider
WantSignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

If you’re using the low-level API, I’m afraid there isn’t a method exposed that performs this check. Instead, you should access the signature method through the XML and check it directly.

[quote]
ComponentSpace - 11/24/2019
It's possible to reject SHA-1 signatures if you're using the high-level API. This is done through the SAML configuration.
For example:
<PartnerIdentityProvider
WantSignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

If you're using the low-level API, I'm afraid there isn't a method exposed that performs this check. Instead, you should access the signature method through the XML and check it directly.
[/quote]

Thank you for the response. Can you clarify what "access the signature method through the XML" means? Do you mean parse XML by some XML parser (not ComponentSpace's functionality), find "SignatureMethod" element, and examine Algorithm attribute? Or, something else?

That’s correct. Parse the XML using the .NET framework classes.
For example:


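// SelectSingleNode returns an XmlNode, so cast it to XmlElement to read the attribute.
XmlElement signatureMethodElement = (XmlElement)samlResponseElement.SelectSingleNode(".//*[local-name(.) = 'SignatureMethod' and namespace-uri(.) = 'http://www.w3.org/2000/09/xmldsig#']");
// The Algorithm attribute holds the signature algorithm URI.
string algorithm = signatureMethodElement.GetAttribute("Algorithm");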
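
The low-level check described in this answer, as an added example that is not part of the original posts and is not ComponentSpace code. It goes beyond the single SignatureMethod lookup: an allow-list is applied to every SignatureMethod and DigestMethod under the element. The class name, the allow-lists and the sample XML are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml;

static class SignatureAlgorithmPolicy // hypothetical helper, not a ComponentSpace class
{
    const string Dsig = "http://www.w3.org/2000/09/xmldsig#";
    const string More = "http://www.w3.org/2001/04/xmldsig-more#";
    const string Enc = "http://www.w3.org/2001/04/xmlenc#";

    // Allow-lists are an assumption for this example; set them to your own policy.
    static readonly HashSet<string> SignatureMethods = new HashSet<string>
        { More + "rsa-sha256", More + "rsa-sha384", More + "rsa-sha512" };
    static readonly HashSet<string> DigestMethods = new HashSet<string>
        { Enc + "sha256", More + "sha384", Enc + "sha512" };

    // True only if the element is signed and every SignatureMethod and DigestMethod
    // under it is allow-listed. Call this before SAMLMessageSignature.Verify and
    // reject the message if either call returns false.
    public static bool IsAcceptable(XmlElement signedElement)
    {
        var ns = new XmlNamespaceManager(signedElement.OwnerDocument.NameTable);
        ns.AddNamespace("ds", Dsig);
        XmlNodeList sig = signedElement.SelectNodes(".//ds:SignedInfo/ds:SignatureMethod", ns);
        XmlNodeList dig = signedElement.SelectNodes(".//ds:SignedInfo/ds:Reference/ds:DigestMethod", ns);
        if (sig.Count == 0 || dig.Count == 0) return false; // unsigned or malformed
        return AllAllowed(sig, SignatureMethods) && AllAllowed(dig, DigestMethods);
    }

    static bool AllAllowed(XmlNodeList nodes, HashSet<string> allowed) =>
        nodes.Cast<XmlElement>().All(e => allowed.Contains(e.GetAttribute("Algorithm")));

    // Constructed signature skeleton for the demo; not a real SAML response.
    static XmlElement Sample(string sigAlg, string digAlg)
    {
        var doc = new XmlDocument();
        doc.LoadXml("<Response xmlns:ds='" + Dsig + "'><ds:Signature><ds:SignedInfo>" +
            "<ds:SignatureMethod Algorithm='" + sigAlg + "'/><ds:Reference><ds:DigestMethod Algorithm='" +
            digAlg + "'/></ds:Reference></ds:SignedInfo></ds:Signature></Response>");
        return doc.DocumentElement;
    }

    static void Main()
    {
        Console.WriteLine(IsAcceptable(Sample(Dsig + "rsa-sha1", Dsig + "sha1")));    // SHA-1 signature and digest
        Console.WriteLine(IsAcceptable(Sample(More + "rsa-sha256", Enc + "sha256"))); // SHA-256 signature and digest
    }
}
```

Because the XPath covers every signature under the element, a response whose embedded assertion is signed with SHA-1 is rejected as well. The check is a policy gate only and does not replace the cryptographic verification done by SAMLMessageSignature.Verify.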


Thanks! It’s very helpful.

You’re welcome.