XML Signature Verification

Does the SAMLServiceProvider.ReceiveSSO method verify XML signatures when it processes the SSO response (in IdP-initiated SSO)?

With the provided MvcExampleIdentityProvider and MvcExampleServiceProvider running on IIS on localhost, I can change the .pfx file referenced in the ServiceProvider node of the service provider’s saml.config, rebuild and publish, and the SSO will still go through from the identity provider through the service provider without any errors being thrown. I had expected that the SAMLServiceProvider.ReceiveSSO method would throw an exception because it would not be able to validate the XML signature. I have WantSAMLResponseSigned set to true in the PartnerIdentityProvider section of the service provider, and also have SignSAMLResponse set to true in the PartnerServiceProvider section of the identity provider.

If WantSAMLResponseSigned is set to true SAMLServiceProvider.ReceiveSSO will throw an exception if the signature verification fails.
Changing the PFX file on the SP won’t affect this signature verification. It’s the CER file specified for the that’s used when verifying XML signatures from that partner IdP.
Here’s the entry from the MvcExampleServiceProvider’s saml.config.
The idp.cer certificate is used to verify signatures from the MvcExampleIdentityProvider.
If you change this to use a different certificate file then signatures will not verify.

<PartnerIdentityProvider Name="urn:componentspace:MvcExampleIdentityProvider"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="http://localhost/MvcExampleIdentityProvider/SAML/SSOService"
    SingleLogoutServiceUrl="http://localhost/MvcExampleIdentityProvider/SAML/SLOService"
    CertificateFile="idp.cer"/>
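The check the answer describes, written out as an added example (not ComponentSpace's code): the verifying key is the partner IdP's CertificateFile from saml.config, so swapping the SP's own .pfx changes nothing, while swapping idp.cer makes the signature fail. It assumes a .NET project referencing System.Security.Cryptography.Xml, a saml.config path and a decoded SAML response XML file passed as arguments.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SamlResponseSignatureCheck
{
    // Reads CertificateFile for the named PartnerIdentityProvider from saml.config.
    static string PartnerCertificateFile(string samlConfigPath, string partnerName)
    {
        var config = new XmlDocument();
        config.Load(samlConfigPath);
        foreach (XmlElement idp in config.GetElementsByTagName("PartnerIdentityProvider"))
        {
            if (idp.GetAttribute("Name") == partnerName)
                return idp.GetAttribute("CertificateFile");
        }
        throw new InvalidOperationException("No PartnerIdentityProvider named " + partnerName);
    }

    // True only if the <ds:Signature> on <samlp:Response> verifies with the partner IdP's certificate.
    static bool ResponseSignatureIsValid(XmlDocument samlResponse, X509Certificate2 idpCert)
    {
        var ns = new XmlNamespaceManager(samlResponse.NameTable);
        ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol");
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        var signature = samlResponse.SelectSingleNode("/samlp:Response/ds:Signature", ns) as XmlElement;
        if (signature == null)
            return false; // WantSAMLResponseSigned="true": an unsigned response must be rejected
        var signedXml = new SignedXml(samlResponse);
        signedXml.LoadXml(signature);
        // verifySignatureOnly = true: validate the signature against this key only; trust in the
        // certificate itself comes from it being the one named in saml.config, not from chain building.
        return signedXml.CheckSignature(idpCert, true);
    }

    static void Main(string[] args)
    {
        // Assumed inputs: args[0] = path to the SP's saml.config, args[1] = decoded SAML response XML.
        string certFile = PartnerCertificateFile(args[0], "urn:componentspace:MvcExampleIdentityProvider");
        string certPath = Path.Combine(Path.GetDirectoryName(args[0]) ?? ".", certFile);
        var idpCert = new X509Certificate2(certPath);
        // PreserveWhitespace keeps the canonicalized bytes identical to what the IdP signed.
        var response = new XmlDocument { PreserveWhitespace = true };
        response.Load(args[1]);
        Console.WriteLine(ResponseSignatureIsValid(response, idpCert) ? "signature OK" : "signature INVALID");
    }
}
```

Replace idp.cer with any other certificate and the call returns false, which is the exception path ReceiveSSO takes when WantSAMLResponseSigned is true.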

