More SAML: Validating a SAML 2.0 Assertion

Simple Steps for Validation

It's simple to set up the validation of a signed SAML 2.0 assertion in a Vordel XML Gateway. In a circuit, chain together (1) an "XML Signature Verification" filter (which you can find in the "Integrity" group on the right-hand side of Policy Studio), and (2) a "SAML Authentication" filter (which you can find in the "Authentication" group).

In the XML Signature Verification filter, make sure that the SAML assertion is selected under "What must be signed". In the filter that validates the SAML assertion, make sure that it's a SAML 2.0 assertion.

Really what we are doing here is first verifying the SAML assertion (i.e. checking it's trusted, using its signature) and then validating it (making sure it's the right format). By checking the trust first, we are ensuring that we are not wasting time validating an untrusted SAML assertion. It is important to understand the difference between verifying and validating a token like this. The configuration for the validation step is shown below:

To test this circuit, I am using the SOAPbox testing tool.

We see on the Response screen of SOAPbox that the assertion we've sent is indeed valid. If you change its signature in any way, the Vordel Gateway will reject it. Grab an evaluation of the Vordel Gateway here.
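The verify-then-validate order described above, as an added Python example that is not Vordel's filter code or code from the original post. The function names are illustrative, the `check_signature` hook is a hypothetical stand-in for the real XML-DSig cryptographic check, and the sample token is constructed.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

class VerificationError(Exception):
    """Trust failure: the signature cannot be relied on."""

class ValidationError(Exception):
    """Format failure: trusted, but not a well-formed SAML 2.0 assertion."""

def verify_then_validate(xml_text, check_signature):
    """Return the issuer. check_signature(assertion, signature) -> bool is a
    hypothetical hook for the real XML-DSig cryptographic check."""
    root = ET.fromstring(xml_text)
    found = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Assertion"]
    if len(found) != 1:
        raise VerificationError("expected exactly one assertion in the message")
    assertion = found[0]
    # 1. Verify: the signature must sit in the assertion and reference its ID,
    #    so that the assertion itself is what was signed.
    signature = assertion.find(f"{{{DSIG_NS}}}Signature")
    if signature is None:
        raise VerificationError("assertion is not signed")
    refs = signature.findall(f"{{{DSIG_NS}}}SignedInfo/{{{DSIG_NS}}}Reference")
    token_id = assertion.get("ID") or assertion.get("AssertionID")
    if not token_id or [r.get("URI") for r in refs] != ["#" + token_id]:
        raise VerificationError("signature does not cover the assertion")
    if not check_signature(assertion, signature):
        raise VerificationError("signature check failed")

    # 2. Validate: only a trusted token gets its format inspected.
    if assertion.tag != f"{{{SAML2_NS}}}Assertion":
        raise ValidationError("not in the SAML 2.0 assertion namespace")
    if assertion.get("Version") != "2.0":
        raise ValidationError("Version attribute is not 2.0")
    issuer = assertion.findtext(f"{{{SAML2_NS}}}Issuer")
    if not issuer or not assertion.get("IssueInstant"):
        raise ValidationError("Issuer or IssueInstant is missing")
    return issuer.strip()

# Constructed sample (not a real token; SignatureValue is a placeholder).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" xmlns:ds="{DSIG_NS}"
  ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""
```

An untrusted token fails with `VerificationError` even when it is also malformed, while a trusted token with the wrong version fails with `ValidationError`, which is the distinction the post draws between the two steps.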

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.