Need clear documentation on SAML support in Okta. Issue in decrypting encrypted SAML response and verifying signature when both response (message) and assertion are signed

I have integrated my own application with Okta to support SAML SSO and SLO services. When verifying the signature where both the response (message) and the assertion are signed, only the assertion signature is valid while the response signature fails. I would like to know how to verify the signature in detail, if possible. I’m new to this concept and I’m using Okta as IdP for self-learning. I would also really appreciate it if you could provide me with the detailed procedure for decrypting the encrypted assertion. I use Java for development. I tried various decryption and signature validation methods but none of them worked properly.

I have implemented SAML in a custom Java application using Okta as IdP but I’m not using Okta’s Java SDK. I have issues in 2 cases.

First case:
When I try to decrypt the encrypted assertion from the response received, the function that does the decryption either fails or provides me with the wrong decrypted data. Is there any particular method or parameters to be considered when decrypting? If so, can you provide me with clear documentation of the decryption process?

Second case:
I could receive responses signed in multiple formats: either only the response (message) signed, only the assertion signed, or both the response and the assertion signed. While verifying the signature, signature verification shows the signature as valid when only the response is signed or only the assertion is signed. When both the response and the assertion are signed, only the assertion signature is valid while the response signature becomes invalid. Am I missing anything during signature verification in this case? I tried to verify the response signature both with and without the assertion signature. I haven’t tried verifying a signed assertion inside an encrypted assertion, as decryption fails for me.

It would be really helpful if you provide me with the steps for decryption and signature verification in SAML using Okta as IdP.

Thanks in advance.
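For the second case, here is an added Java example (not from the original post, and not Okta's code) that verifies every ds:Signature in a Response with the JDK's built-in XML Signature API. It assumes the base64-decoded Response bytes and the IdP public key taken from the Okta signing certificate, and it must run on the unmodified DOM: decrypting an EncryptedAssertion in place changes the bytes the Response signature was computed over, so verify the Response signature first and the decrypted Assertion's own signature afterwards.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class SamlSignatureCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Verifies each ds:Signature against the IdP key on the UNMODIFIED DOM and returns the ID of
    // every element (Response and/or Assertion) that a valid enveloped signature covers.
    public static List<String> verifiedElementIds(byte[] responseXml, PublicKey idpKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // needed for the saml:/samlp:/ds: lookups below
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(responseXml));
        // Without a schema the parser does not know "ID" is an ID attribute, so a Reference with
        // URI="#_..." cannot be resolved and validation fails; register it on Response and Assertion.
        for (String[] tag : new String[][] {{SAMLP_NS, "Response"}, {SAML_NS, "Assertion"}}) {
            NodeList nodes = doc.getElementsByTagNameNS(tag[0], tag[1]);
            for (int i = 0; i < nodes.getLength(); i++) ((Element) nodes.item(i)).setIdAttribute("ID", true);
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        List<String> covered = new ArrayList<>();
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Element sigEl = (Element) sigs.item(i);
            Element signed = (Element) sigEl.getParentNode();  // the Response or Assertion this signature envelops
            DOMValidateContext ctx = new DOMValidateContext(idpKey, sigEl);
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            // A signature must reference exactly its own parent; anything else is rejected (wrapping defence).
            List<?> refs = sig.getSignedInfo().getReferences();
            if (refs.size() != 1 || !("#" + signed.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI()))
                throw new SecurityException("Signature does not cover its parent " + signed.getLocalName());
            if (!sig.validate(ctx)) throw new SecurityException("Invalid signature on " + signed.getLocalName());
            covered.add(signed.getAttribute("ID"));
        }
        return covered;
    }
}
```

When both elements are signed, the Response signature's digest covers the Assertion including the Assertion's own ds:Signature, so any DOM change made before calling this (unmarshalling the Assertion separately, re-serialising, or decrypting) is enough to make only the Response check fail.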

  1. I think it’d be helpful for you to search some documentation on SAML libraries. I once tried to handle SAML assertion validation/processing… It was a pain. Then I grabbed some library to help me with that, and it worked from the first time.

  2. Actually here I’ll again point you to number 1, try to use a well established and reputable library to help you with your task.

  3. It might help to check SO for something about “SAML assertion validation”, which is the true nature of your question, rather than an Okta-specific problem.

Sorry for not being able to directly answer your question. Also, it’d be helpful if you’d place some code which does the processing for you, as your inquiry is too generic and there can be multiple reasons why it can fail for your validation/processing.

Good luck with your journey!


Hello,

Okta does not provide SAML SDKs as it does for OAuth2/OIDC applications.

Popular options would be

If you want more low-level control, Shibboleth.

Thank You,