I have integrated my own application with Okta to support SAML SSO and SLO services. When verifying the signature where both the response (message) and the assertion are signed, only the assertion signature is valid while the response signature fails. I would like to know how to verify the signature in detail if possible. I’m new to this concept and I’m using Okta as IdP for self-learning. I would also really appreciate it if you could provide me with the detailed procedure for decrypting the encrypted assertion. I use Java for development. I tried various decryption and signature validation methods but none of them worked properly.
I have implemented SAML in a custom Java application using Okta as IdP but I’m not using Okta’s Java SDK. I have issues in 2 cases.
First case:
When I try to decrypt the encrypted assertion from the response received, the function that does the decryption either fails or provides me with the wrong decrypted data. Are there any particular methods or parameters to be considered when decrypting? If so, can you provide me with clear documentation of the process to decrypt?
Second case:
I could receive responses signed in multiple formats: either only the response (message) signed, only the assertion signed, or both the response and the assertion signed. While verifying the signature, signature verification shows the signature as valid when only the response is signed or only the assertion is signed. When both the response and the assertion are signed, only the assertion signature is valid while the response signature becomes invalid. Am I missing anything during signature verification in this case? I tried to verify the response signature both with and without the assertion signature. I haven’t tried verifying a signed assertion inside an encrypted assertion, as decryption fails for me.
It would be really helpful if you provide me with the steps for decryption and signature verification in SAML using Okta as IdP.
Thanks in advance.
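The following is an added example and is not the poster's code, Okta's SDK or Okta documentation. It shows the order of operations for the cases listed in the question (response only signed, assertion only signed, both signed, and an encrypted assertion that may itself be signed) using only the JDK's built-in XML-DSig API (JSR 105) plus Apache Santuario (org.apache.santuario:xmlsec) for XML Encryption. It assumes the IdP signing certificate has been loaded from Okta's IdP metadata into an `X509Certificate`, the SP's decryption key is available as a `java.security.PrivateKey`, and `rawResponse` is the base64-decoded SAML Response exactly as received (not re-serialised through a pretty-printer). The class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Added example (not the original post's code): Response signature -> decrypt -> Assertion signature. */
public final class SamlResponseVerifier {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";

    static { org.apache.xml.security.Init.init(); } // Santuario must be initialised before XMLCipher is used

    /** Namespace-aware parse with DTDs disabled: the Response is untrusted input until its signature checks out. */
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** Register the SAML "ID" attribute as a DOM ID so a Reference URI="#_abc" can be resolved (Response AND Assertion). */
    static void registerIds(Document doc, String ns, String localName) {
        NodeList nodes = doc.getElementsByTagNameNS(ns, localName);
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            if (e.hasAttribute("ID")) e.setIdAttribute("ID", true);
        }
    }

    /** Verify the ds:Signature that is a direct child of `signed`; false if absent, exception if invalid or misdirected. */
    static boolean verifyEnvelopedSignature(Element signed, X509Certificate idpCert) throws Exception {
        Element sig = null;
        for (Node n = signed.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && XMLSignature.XMLNS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) { sig = (Element) n; break; }
        }
        if (sig == null) return false;
        // Validate with the metadata certificate, never with whatever ds:KeyInfo inside the message offers.
        DOMValidateContext ctx = new DOMValidateContext(idpCert.getPublicKey(), sig);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!signature.validate(ctx)) throw new SecurityException(signed.getLocalName() + " signature invalid");
        // A valid signature is not enough: its single Reference must point at this element's own ID,
        // otherwise a genuine signature over some other node could be wrapped around forged content.
        List<Reference> refs = signature.getSignedInfo().getReferences();
        String expected = "#" + signed.getAttribute("ID");
        if (refs.size() != 1 || !expected.equals(refs.get(0).getURI()))
            throw new SecurityException(signed.getLocalName() + " signature does not reference " + expected);
        return true;
    }

    /** XML Encryption in two steps: unwrap the session key with the SP private key, then decrypt the data with it. */
    static Element decryptAssertion(Document doc, Element encAssertion, PrivateKey spKey) throws Exception {
        // EncryptedKey may sit inside EncryptedData/KeyInfo or as a sibling of EncryptedData; both are found here.
        Element encData = (Element) encAssertion.getElementsByTagNameNS(XENC, "EncryptedData").item(0);
        Element encKey = (Element) encAssertion.getElementsByTagNameNS(XENC, "EncryptedKey").item(0);
        if (encData == null || encKey == null) throw new IllegalArgumentException("EncryptedAssertion incomplete");

        XMLCipher loader = XMLCipher.getInstance();
        loader.init(XMLCipher.DECRYPT_MODE, null);
        EncryptedData ed = loader.loadEncryptedData(doc, encData);
        String dataAlgorithm = ed.getEncryptionMethod().getAlgorithm(); // e.g. xmlenc#aes256-cbc / xmlenc11#aes256-gcm

        XMLCipher keyCipher = XMLCipher.getInstance();
        keyCipher.init(XMLCipher.UNWRAP_MODE, spKey);                  // SP private key is the key-encryption key
        EncryptedKey ek = keyCipher.loadEncryptedKey(doc, encKey);
        Key sessionKey = keyCipher.decryptKey(ek, dataAlgorithm);      // RSA-OAEP (or RSA-1.5) unwrap of the AES key

        XMLCipher dataCipher = XMLCipher.getInstance();
        dataCipher.init(XMLCipher.DECRYPT_MODE, sessionKey);
        dataCipher.doFinal(doc, encData); // replaces xenc:EncryptedData with the plaintext saml:Assertion in place

        Element assertion = (Element) encAssertion.getElementsByTagNameNS(SAML, "Assertion").item(0);
        if (assertion == null) throw new SecurityException("decrypted content is not a saml:Assertion");
        encAssertion.getParentNode().replaceChild(assertion, encAssertion);
        return assertion;
    }

    /** Order matters: check the Response signature on the untouched DOM, decrypt second, check the Assertion last. */
    public static Element verifyAndDecrypt(byte[] rawResponse, X509Certificate idpCert, PrivateKey spKey) throws Exception {
        Document doc = parse(rawResponse);
        registerIds(doc, SAMLP, "Response");
        registerIds(doc, SAML, "Assertion");
        Element response = doc.getDocumentElement();
        boolean responseSigned = verifyEnvelopedSignature(response, idpCert);

        NodeList enc = response.getElementsByTagNameNS(SAML, "EncryptedAssertion");
        NodeList plain = response.getElementsByTagNameNS(SAML, "Assertion");
        Element assertion;
        if (enc.getLength() == 1 && plain.getLength() == 0) {
            assertion = decryptAssertion(doc, (Element) enc.item(0), spKey);
            registerIds(doc, SAML, "Assertion"); // the decrypted element is new to this DOM and needs its own ID registration
        } else if (enc.getLength() == 0 && plain.getLength() == 1) {
            assertion = (Element) plain.item(0);
        } else {
            throw new SecurityException("expected exactly one Assertion or EncryptedAssertion");
        }
        boolean assertionSigned = verifyEnvelopedSignature(assertion, idpCert);
        if (!responseSigned && !assertionSigned) throw new SecurityException("neither Response nor Assertion is signed");
        return assertion; // caller still checks Issuer, Conditions (NotBefore/NotOnOrAfter, Audience), InResponseTo
    }
}
```

Two things in this flow are the usual reasons a Response signature fails only when the Assertion is signed as well. First, the Response's digest covers everything under the Response element, including the Assertion and the Assertion's own ds:Signature, so any change made to the DOM before the Response check (decrypting, deleting the Assertion's Signature after verifying it, or serialising and re-parsing through an indenting transformer) changes the digest; here the Response is checked on the DOM as parsed from the raw bytes and nothing is modified until afterwards. Second, the "ID" attribute has to be registered as a DOM ID on the Response element as well as on the Assertion, or the Response signature's Reference URI cannot be resolved. For decryption, the failure mode to watch is handing the SP private key to the data cipher: the private key only unwraps the session key in xenc:EncryptedKey, and the session key then decrypts xenc:EncryptedData.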