How SAML Assertion digest value in SAML 2 response is calculated

In my SAML response, my SAML assertion payload is as follows. Please let me know how the digest value eMSIo0TAEwhm83fA1ZJktoPuoAyO0eJ2B42CroSPKd8= is calculated on the OKTA end.
I followed these steps:

  1. Remove the ds:Signature element
  2. Canonicalize the remaining XML payload
  3. Apply the SHA-256 algorithm to calculate the hash value

However, I got a different result. Can you please let me know which part I did wrong?

FYI, when I configured my app not to return any attributes (i.e. saml2:AttributeStatement does not show up in the SAML assertion), the above-mentioned steps can be used to calculate the same hash value. I suspect "saml2:AttributeStatement" impacts the hash calculation, but I am not sure.

<saml2:Assertion ID="id2972874120297864224575818"
                     IssueInstant="2021-09-23T09:10:38.921Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >http://www.okta.com/exk1mv3c9ke9u3tz25d7</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#id2972874120297864224575818">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xs"
                                                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>eMSIo0TAEwhm83fA1ZJktoPuoAyO0eJ2B42CroSPKd8=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>ZHwHop8agUDRMKPTfdXFJ2nGyidyLh4a0Kahbl+fh7TCipdr4HpCB1sQPlCNBpTK2FsnPxuWfIi2jVzy+EyNhz0ciKqP+tpaHUuZsrmN9A4BEZ0uimPqDr6Pm+jvAKGYHvH/Peydo+0i44/2BuMgQfxMo4DNDPRM2ketsVK3qVEKuia46qj3zrCif7a99uFKShPn5+2HCryjDojndhOhsD6ivzo/ePv9z9i56gzml7VWkACxeOw7MMNFiDxIUWDIv+bB947ARqJOZt2SkZOFrWzMKPDXabyJs+CuY1rk+k6wzPr5Qrc8XsL4ZyUDeLvMPPFpCI6d7knqAthzE05vTw==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAXuZVYXCMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">allen.li@crypto.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="a2f3g4603ig7i3h650993ejb8ca63bd"
                                               NotOnOrAfter="2021-09-23T09:15:38.921Z"
                                               Recipient="http://localhost:8080/saml/SSO"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2021-09-23T09:05:38.921Z"
                          NotOnOrAfter="2021-09-23T09:15:38.921Z"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>http://localhost:8080/saml/metadata</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2021-09-23T09:10:38.921Z"
                              SessionIndex="a2f3g4603ig7i3h650993ejb8ca63bd"
                              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="group"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >SUPERVISOR</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>

Issue resolved. There is a gap between OKTA performing canonicalization and what is provided in Java by org.apache.xml.security.c14n.Canonicalizer.getInstance(String). In the Java implementation they deleted the namespace xmlns:xs="XML Schema", but OKTA kept it. After I added this namespace to the canonicalized SAML Assertion and calculated the digest value, I got the same value as OKTA.
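The digest in this thread is computed over the exclusive-canonical form of the assertion with the ds:Signature removed, and the ec:InclusiveNamespaces PrefixList="xs" in the posted ds:Reference is what makes Okta keep xmlns:xs: exclusive c14n only emits namespace declarations whose prefix is visibly used in an element or attribute name, so a prefix used only inside an attribute value such as xsi:type="xs:string" is dropped unless it is listed in PrefixList. The script below is an added example, not Okta's or Apache Santuario's code. It assumes Python 3 with lxml (libxml2's c14n implementation) and a constructed sample assertion with placeholder ID, hosts, DigestValue and SignatureValue. It reads the transforms and PrefixList out of the Reference, applies the enveloped-signature transform (keeping the whitespace lxml attaches to the removed node), canonicalizes, and computes the digest both with and without the PrefixList so the difference is visible. For a real assertion, feed in the bytes exactly as received: the pretty-printed copy in the question will not reproduce the DigestValue, because that whitespace is part of the signed content.

```python
import base64
import hashlib
from lxml import etree

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ec": "http://www.w3.org/2001/10/xml-exc-c14n#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
DIGESTS = {"http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}  # extend per IdP


def reference_params(assertion):
    """Read the ds:Reference covering this assertion (call before stripping the signature)."""
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("no ds:Reference pointing at this assertion's ID")
    algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in algs or EXC_C14N not in algs:
        raise ValueError("expected enveloped-signature + exclusive c14n, got %r" % algs)
    # PrefixList names prefixes exclusive c14n must keep even if not visibly used
    inc = ref.find(".//ec:InclusiveNamespaces", NS)
    prefixes = inc.get("PrefixList", "").split() if inc is not None else []
    hasher = DIGESTS[ref.find("ds:DigestMethod", NS).get("Algorithm")]
    expected = ref.find("ds:DigestValue", NS).text.strip()
    return prefixes, hasher, expected


def strip_enveloped_signature(assertion):
    """The enveloped-signature transform: drop ds:Signature but keep the text around it."""
    sig = assertion.find("ds:Signature", NS)
    # lxml hangs the whitespace after </ds:Signature> on sig.tail and would drop it with
    # the node; that text is signed content, so move it to the previous sibling (or parent).
    if sig.tail:
        prev = sig.getprevious()
        if prev is not None:
            prev.tail = (prev.tail or "") + sig.tail
        else:
            assertion.text = (assertion.text or "") + sig.tail
    assertion.remove(sig)


def canonical_bytes(assertion_xml, honour_prefix_list=True):
    """Bytes the digest covers; honour_prefix_list=False reproduces the mistake in the thread."""
    assertion = etree.fromstring(assertion_xml)
    prefixes, _, _ = reference_params(assertion)
    strip_enveloped_signature(assertion)
    keep = prefixes if honour_prefix_list else []
    return etree.tostring(assertion, method="c14n", exclusive=True,
                          inclusive_ns_prefixes=keep or None)


def digest_value(assertion_xml, honour_prefix_list=True):
    """Base64 digest over the canonical bytes, as it should appear in ds:DigestValue."""
    _, hasher, _ = reference_params(etree.fromstring(assertion_xml))
    raw = hasher(canonical_bytes(assertion_xml, honour_prefix_list)).digest()
    return base64.b64encode(raw).decode()


def digest_matches(assertion_xml):
    """True when the recomputed digest equals the DigestValue carried in the signature."""
    return digest_value(assertion_xml) == reference_params(etree.fromstring(assertion_xml))[2]


# Constructed sample modelled on the assertion in the question (placeholders throughout).
# xmlns:xs is declared on the root but only used inside an attribute value
# (xsi:type="xs:string"), so it is not "visibly utilized" in the exclusive-c14n sense.
SAMPLE = b"""<saml2:Assertion ID="id-EXAMPLE-1" IssueInstant="2021-09-23T09:10:38.921Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer>http://idp.example/EXAMPLE</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id-EXAMPLE-1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>DIGEST-VALUE-FROM-IDP-PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Subject><saml2:NameID>user@example.invalid</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="group">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SUPERVISOR</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    print("PrefixList honoured :", digest_value(SAMPLE))
    print("PrefixList ignored  :", digest_value(SAMPLE, honour_prefix_list=False))
    print("matches DigestValue :", digest_matches(SAMPLE))  # False here: placeholder digest
```

To check a captured Okta response, replace SAMPLE with the raw bytes of the assertion (not a re-indented copy) and call digest_matches(). A matching digest only establishes reference integrity; the SignatureValue over ds:SignedInfo still has to be verified against a certificate the SP trusts, and the ID named in the Reference URI should be the ID of the assertion the application actually consumes.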
