Verifying digital signature on Saml2SecurityToken

  • Question

  • How do we verify the digital signature on the token after we receive it over a method call?

    I need to verify the digital signature on this, which was signed by my service using an X509 certificate.


    ajit
    using System.IO;
    using System.Xml;
    using Microsoft.IdentityModel.Tokens;        // SecurityTokenHandlerCollection (WIF 3.5)
    using Microsoft.IdentityModel.Tokens.Saml2;  // Saml2SecurityTokenHandler, Saml2SecurityToken
    SecurityTokenHandlerCollection coll = new SecurityTokenHandlerCollection { new Saml2SecurityTokenHandler() };
    MemoryStream st = new MemoryStream(signedToken);   // signedToken: the byte[] received from the service
    XmlTextReader reader = new XmlTextReader(st);
    Saml2SecurityToken securityToken = coll.ReadToken(reader) as Saml2SecurityToken;  // parses the token XML
    Friday, January 7, 2011 7:54 PM

All replies

  • Do you use the token with WCF? If so, then WCF already verifies it for you.

    To be convinced, generate an invalid signature somehow (e.g. use an invalid certificate, or use a custom encoder to change the signature after it is generated) and see that the client throws an exception.


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Friday, January 7, 2011 8:17 PM
  • Nope, I am not using WCF to do any checking. I have generated this token in code and passed it as byte[] to the client.

    Or do you mean WCF will check the signature validity of the token when making a call to coll.ReadToken(reader)?


    ajit
    Friday, January 7, 2011 8:26 PM
  • You can always generate an invalid signature (or tamper with the data) and see what WCF reports.

    Since you're not doing anything specific to WCF here, just signing XML, you can use the general XML digital signature verification process:

    http://msdn.microsoft.com/en-us/library/ms229950.aspx


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Friday, January 7, 2011 8:31 PM
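The general XML-DSig check the last reply points to, written out in C# for the asker's byte[] token (added example, not code from the thread; it assumes the bytes are a signed saml2:Assertion carrying an enveloped signature, and that the certificate the service signed with is available to the verifier out of band rather than taken from the token's KeyInfo):

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the thread): verify the enveloped XML-DSig signature
// on a SAML2 assertion received as byte[], pinned to a known signing certificate.
static class SamlSignatureCheck
{
    // Returns true only if the signature validates AND it was produced by the key in
    // trustedSigner. Never rely on KeyInfo embedded in the token on its own: a forger
    // can sign with any key and embed that key, and CheckSignature() with no argument
    // would happily accept it.
    public static bool IsSignedBy(byte[] signedToken, X509Certificate2 trustedSigner)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // whitespace affects canonicalization
        doc.XmlResolver = null;                                   // no DTD/entity fetches from untrusted XML
        doc.Load(new MemoryStream(signedToken));

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        var sigNodes = doc.SelectNodes("//ds:Signature", ns);
        if (sigNodes == null || sigNodes.Count != 1)
            return false;                                         // exactly one signature expected

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigNodes[0]);

        // The signed reference must point at the assertion root (URI="#<ID>"),
        // otherwise a valid signature over some other node would pass.
        string rootId = doc.DocumentElement.GetAttribute("ID");
        bool coversRoot = false;
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri == "#" + rootId) coversRoot = true;
        if (!coversRoot || string.IsNullOrEmpty(rootId))
            return false;

        // verifySignatureOnly = true: trust in the certificate itself was decided
        // out of band (we pinned it), so chain building is not repeated here.
        return signedXml.CheckSignature(trustedSigner, true);
    }
}
```

A negative test in the spirit of the replies above is to flip one byte inside the assertion after signing and confirm IsSignedBy returns false.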