The SAML web site is no longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

signing and public key question

I'm new to SAML and have a question concerning the signing process. Forgive me if it seems a little stupid.

What is there to stop a malicious 3rd party from creating private and public keys of their own, then creating a fake assertion, signing it with the private key and including the public key in the X.509 certificate inside the SAML response? To the consuming provider, the assertion would appear to come from a trusted identifying provider and be legitimately signed when verified against the enclosed public key.

Obviously, if the consuming party had its own copy of the identifying provider's public key, this would not be an issue.

You're falling into the usual trap of misunderstanding the meaning of KeyInfo in a signature. It does not mean "trust this key"; it means "this is the key that was used".

Knowing the key ahead of time via metadata is one SAML-based solution to the trust problem, but there are many others, all of which are out of scope.

You need to read up on XML signatures and PKI in general. This issue comes up frequently on the Apache xml-security list.

-- Scott
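As an added example (not part of the original thread, and not code from any SAML implementation), the following Go program plays out the scenario in the question and the point in the answer. It stands in a plain RSA signature over the assertion bytes for real XML-DSig canonicalization, carries a bare public key in KeyInfo (the ds:KeyValue form) rather than a certificate, and uses a hypothetical IdP entityID https://idp.example.org; the "forged" response and the attacker's key pair are constructed inline. One verifier treats whatever KeyInfo carries as the trust anchor, the other resolves the key from metadata learned out of band and uses KeyInfo for nothing but a statement of which key was used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// SignedResponse stands in for a SAML Response. Real SAML uses XML-DSig with
// canonicalization; here the signed bytes are just Assertion.
type SignedResponse struct {
	Issuer    string // claimed issuer; the SP looks this up in its metadata
	Assertion string
	Signature string // base64 RSA PKCS#1 v1.5 over SHA-256(Assertion)
	KeyInfo   string // base64 DER public key, as carried in ds:KeyInfo
}

// Metadata maps an issuer's entityID to the signing key learned out of band.
type Metadata map[string]*rsa.PublicKey

// MustKey generates a 2048-bit RSA key pair (for the IdP or the attacker).
func MustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Sign signs assertion with key and embeds the matching public key in KeyInfo.
// Anyone with any key can do this, which is the question's point.
func Sign(key *rsa.PrivateKey, claimedIssuer, assertion string) (SignedResponse, error) {
	digest := sha256.Sum256([]byte(assertion))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedResponse{}, err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for an RSA key
	return SignedResponse{
		Issuer:    claimedIssuer,
		Assertion: assertion,
		Signature: base64.StdEncoding.EncodeToString(sig),
		KeyInfo:   base64.StdEncoding.EncodeToString(pubDER),
	}, nil
}

func verifyWith(pub *rsa.PublicKey, r SignedResponse) error {
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(r.Assertion))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// VerifyTrustingKeyInfo is the trap: it takes the key the message carries as
// the trust anchor, so a response signed with a freshly minted key passes.
func VerifyTrustingKeyInfo(r SignedResponse) error {
	der, err := base64.StdEncoding.DecodeString(r.KeyInfo)
	if err != nil {
		return err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("KeyInfo does not carry an RSA key")
	}
	return verifyWith(rsaPub, r) // KeyInfo says which key was used, not that it is trusted
}

// VerifyAgainstMetadata makes no trust decision from KeyInfo: it verifies with
// the key the SP already holds for the claimed issuer.
func VerifyAgainstMetadata(r SignedResponse, md Metadata) error {
	trusted, ok := md[r.Issuer]
	if !ok {
		return fmt.Errorf("unknown issuer %q", r.Issuer)
	}
	return verifyWith(trusted, r)
}

func main() {
	const idpID = "https://idp.example.org" // hypothetical IdP entityID
	idpKey, attackerKey := MustKey(), MustKey()
	md := Metadata{idpID: &idpKey.PublicKey} // obtained out of band, e.g. from IdP metadata
	legit, _ := Sign(idpKey, idpID, "<Assertion>alice</Assertion>")
	forged, _ := Sign(attackerKey, idpID, "<Assertion>admin</Assertion>") // constructed forgery
	fmt.Println("legit, KeyInfo only: ", VerifyTrustingKeyInfo(legit))
	fmt.Println("legit, metadata:     ", VerifyAgainstMetadata(legit, md))
	fmt.Println("forged, KeyInfo only:", VerifyTrustingKeyInfo(forged)) // nil: the forgery "verifies"
	fmt.Println("forged, metadata:    ", VerifyAgainstMetadata(forged, md))
}
```

Run it with `go run` and the forged response comes back with a nil error from the KeyInfo-only check and a signature error from the metadata check. The key in the message is still worth reading, for instance to pick between several keys published for the same issuer during a rollover, but the set of acceptable keys has to come from somewhere the attacker cannot write to, which is what metadata gives you.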