In my SAML response the assertion is shown below. How does Okta compute the `ds:DigestValue` eMSIo0TAEwhm83fA1ZJktoPuoAyO0eJ2B42CroSPKd8= for it?
I followed these steps:
- Remove the ds:Signature element (the enveloped-signature transform)
- Canonicalize the remaining assertion with Exclusive C14N (http://www.w3.org/2001/10/xml-exc-c14n#), as named in the second Transform
- SHA-256 the canonical bytes and base64-encode the hash
However I get a different value. Which step am I doing wrong?
FYI: when I configure the app to return no attributes (so no saml2:AttributeStatement appears in the assertion), the same steps reproduce Okta's digest exactly. So the AttributeStatement seems to affect the calculation, but I am not sure how. One detail I notice: the exc-c14n Transform carries `<ec:InclusiveNamespaces PrefixList="xs"/>`. Exclusive C14N only keeps namespace declarations for prefixes that are visibly used in element or attribute names, and `xs` appears only inside the attribute value `xsi:type="xs:string"`, so a canonicalizer that is not given this PrefixList would drop the `xmlns:xs` declaration from the `saml2:Assertion` start tag and produce a different digest. That would be consistent with the digest matching only when no AttributeStatement is present.
<!-- Reviewer notes are XML comments. The Transform below uses
     http://www.w3.org/2001/10/xml-exc-c14n# without the #WithComments suffix,
     so comments are discarded during canonicalization and do not change the
     DigestValue; they can be stripped before reproducing the hash. -->
<saml2:Assertion ID="id2972874120297864224575818"
IssueInstant="2021-09-23T09:10:38.921Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk1mv3c9ke9u3tz25d7</saml2:Issuer>
<!-- Enveloped signature: the Reference URI below is "#" + this Assertion's ID,
     so the digest input is this Assertion with the whole ds:Signature element
     removed. A relying party should confirm that the element it actually
     consumes is the one carrying this ID (XML Signature Wrapping defence),
     not merely that some signature in the document validates. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id2972874120297864224575818">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<!-- PrefixList="xs": exclusive C14N emits only namespace declarations whose
     prefix is visibly used in an element or attribute name. "xs" is used only
     inside the attribute value xsi:type="xs:string" further down, so without
     this list the xmlns:xs declaration on the Assertion start tag would be
     dropped. Listing it here forces xmlns:xs into the canonical form; a
     canonicalizer that ignores this PrefixList yields a different digest,
     which is the likely cause of the mismatch described in the question. -->
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>eMSIo0TAEwhm83fA1ZJktoPuoAyO0eJ2B42CroSPKd8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ZHwHop8agUDRMKPTfdXFJ2nGyidyLh4a0Kahbl+fh7TCipdr4HpCB1sQPlCNBpTK2FsnPxuWfIi2jVzy+EyNhz0ciKqP+tpaHUuZsrmN9A4BEZ0uimPqDr6Pm+jvAKGYHvH/Peydo+0i44/2BuMgQfxMo4DNDPRM2ketsVK3qVEKuia46qj3zrCif7a99uFKShPn5+2HCryjDojndhOhsD6ivzo/ePv9z9i56gzml7VWkACxeOw7MMNFiDxIUWDIv+bB947ARqJOZt2SkZOFrWzMKPDXabyJs+CuY1rk+k6wzPr5Qrc8XsL4ZyUDeLvMPPFpCI6d7knqAthzE05vTw==</ds:SignatureValue>
<!-- KeyInfo is sender supplied. The relying party must verify SignatureValue
     against the IdP certificate from its own configured metadata, not against
     whatever certificate is embedded here. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAXuZVYXCMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">allen.li@crypto.com</saml2:NameID>
<!-- Bearer confirmation: besides the signature, the SP should enforce
     Recipient, NotOnOrAfter and InResponseTo below, and the Audience and
     Conditions window that follow. -->
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="a2f3g4603ig7i3h650993ejb8ca63bd"
NotOnOrAfter="2021-09-23T09:15:38.921Z"
Recipient="http://localhost:8080/saml/SSO"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-23T09:05:38.921Z"
NotOnOrAfter="2021-09-23T09:15:38.921Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>http://localhost:8080/saml/metadata</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-23T09:10:38.921Z"
SessionIndex="a2f3g4603ig7i3h650993ejb8ca63bd"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="group"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<!-- The only place the "xs" prefix is used, and only inside an attribute
     value (xsi:type="xs:string"), which exclusive C14N does not treat as a
     visible use of the prefix; hence the PrefixList="xs" in the Transform. -->
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>SUPERVISOR</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>