SAML - Audience restriction and Signature check


Hi all, my question is how to implement an audience restriction and a signature check in the SAML validation step on Apigee.

Thanks

Cosimo


@Cosimo, find a similar question answered here. Please let us know if it resolves the same.

Yes, thanks @Anil Sagar for the link.

The signature check is handled by the SAML assertion policy - http://apigee.com/docs/api-services/reference/saml...

For the audience restriction, you could extract it using XPath and do the validation.

Thanks,


Hi Mukundha, about the signature check, do you mean that it is automatically verified or that I have to implement some coding? Please let me know, because I didn't get it from the online reference documentation.

Thanks

Cosimo

Yes Cosimo, the signature is verified by the policy, no need for coding.

http://apigee.com/docs/api-services/reference/saml-assertion-policy#usage-validatesamlassertion


Yes, as a somewhat simple test, I did the following:

  1. I grabbed an unsigned SAML response from here: https://www.samltool.com/generic_sso_res.php
  2. Generated a key and cert using openssl
  3. Signed the SAML assertion from step 1 using my key and cert from step 2 with this tool: https://www.samltool.com/sign_response.php
  4. Uploaded the cert from step 2 to the Apigee truststore
  5. Configured the validate assertion policy to use the truststore from step 4
  6. Used Postman to post the signed SAML response from step 3 to my proxy
  7. Successfully validated the SAML response
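Putting the accepted answer (signature verified by the ValidateSAMLAssertion policy, audience pulled out with XPath and compared) and the truststore-based test above together as Apigee proxy configuration, as an added example that is not code from this thread or from the Apigee docs. The policy names, the truststore name, the expected audience URI and the assumption that the assertion arrives as a bare samlp:Response body (as in the samltool.com test) are my own.

```xml
<!-- 1. Verify the assertion signature against the cert in the truststore (names/XPaths assumed) -->
<ValidateSAMLAssertion name="SAML-Validate" ignoreContentType="false">
  <Source name="request">
    <Namespaces>
      <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
      <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    </Namespaces>
    <!-- Assumes a bare samlp:Response body, not a SOAP envelope -->
    <XPath>/samlp:Response/saml:Assertion</XPath>
  </Source>
  <!-- Truststore holding the signing cert uploaded in step 4 of the test -->
  <TrustStore>saml-truststore</TrustStore>
  <RemoveAssertion>false</RemoveAssertion>
</ValidateSAMLAssertion>
<!-- 2. Extract the Audience value from the now-verified assertion -->
<ExtractVariables name="EV-SAML-Audience">
  <Source>request</Source>
  <VariablePrefix>sp</VariablePrefix>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <XMLPayload stopPayloadProcessing="false">
    <Namespaces>
      <Namespace prefix="samlp">urn:oasis:names:tc:SAML:2.0:protocol</Namespace>
      <Namespace prefix="saml">urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    </Namespaces>
    <Variable name="audience" type="string">
      <XPath>/samlp:Response/saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience/text()</XPath>
    </Variable>
  </XMLPayload>
</ExtractVariables>
<!-- 3. Fault returned when the audience is absent or names a different service provider -->
<RaiseFault name="RF-SAML-BadAudience">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <Payload contentType="text/plain">SAML audience restriction failed</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>
<!-- 4. Proxy PreFlow: signature check runs first, then the audience comparison -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>SAML-Validate</Name></Step>
    <Step><Name>EV-SAML-Audience</Name></Step>
    <Step>
      <Name>RF-SAML-BadAudience</Name>
      <Condition>sp.audience = null OR sp.audience != "https://api.example.com/sp"</Condition>
    </Step>
  </Request>
</PreFlow>
```

The audience check only means something after the signature step has passed, since an unsigned or tampered assertion could carry any Audience value; keeping ValidateSAMLAssertion first in the flow is what ties the two together.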