I am currently working on an SSO feature for a client.

Our application, if there is a need, will authenticate using the SSO feature on startup, and abort if it fails.

I have read many explanations and seen many examples online.

The thing that I don't understand at all is the certificates. Specifically, there seem to be two (different?) certificates used in the operation. One of them is stored on my side as a constant, and the other is sent in the SAML Response in the Signature element like this:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#id-2710abae3b0457ad0c241eac043769ae78c83189">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>???</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#id-266b413f5282d3da62de3963e5e25cb0782e1a05">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>???</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>???</ds:SignatureValue>
    <ds:KeyInfo Id="id-266b413f5282d3da62de3963e5e25cb0782e1a05">
        <ds:X509Data>
            <ds:X509Certificate>???</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>

The fields marked as "???" have not been given to me by the client in the sample response.

As for the other certificate, a good example of it would be here: https://github.com/onelogin/dotnet-saml in "App_Code/AccountSettings.cs".

Furthermore, there is also a signature in the XML, and two "DigestValue" fields that seem to also contain Base64 data in other online examples.

So my question is: Is the local certificate the same as the xml one, and if not, how exactly are they related, and are the signature and DigestValues relevant in that relationship?

As for context, I am trying to test my SSO feature, and everything seems to work except for the certificate, which I can't figure out how to test without real values. Can this be faked? SignedXml.CheckSignature always seems to return false no matter what I put in the XML, even "real" examples (found online).

Kaito Kid

1 Answer

SAML is based on a circle of trust.

IdPs trust SPs and SPs trust IdPs.

The way that "trust" is implemented is that IdPs need to register SP metadata (entityID, endpoints and public certs for validating signatures and encrypting), and in the same way SPs need to register IdP metadata.

Based on your message, it seems you are implementing an SP, so the first step is to register the IdP metadata on the SP. Once that is done, the SP will have stored the IdP Entity ID, its endpoints, and the public certificate of the IdP. That certificate MUST match the ds:X509Certificate value of the Signature included in the SAMLResponse sent by the IdP to the SP during the SSO process.

smartin
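An added example, not code from the question, the answer, or the linked onelogin/dotnet-saml project, showing the relationship the answer describes in .NET's SignedXml: the SP verifies the SAML Response with the IdP certificate it has registered (the constant on "my side"), and the ds:X509Certificate carried inside the message is only a hint that must match that registered copy. To exercise the same code path without the IdP's real values, it also signs a constructed minimal Response with a throwaway self-signed certificate, using the same transforms as the sample in the question. Class and method names are mine; it assumes .NET Framework 4.7.2+ or .NET Core/5+ with System.Security.Cryptography.Xml available.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (hypothetical names), not from the question, the answer or dotnet-saml.
public static class SamlSignatureDemo
{
    private const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // SP side: verify a SAML Response against the IdP certificate the SP registered.
    // The certificate in ds:KeyInfo is only a hint; trust comes from the registered copy.
    public static bool VerifyResponse(string responseXml, X509Certificate2 registeredIdpCert)
    {
        // The signed bytes include whitespace: re-indenting a response after it was
        // signed changes every DigestValue, and CheckSignature then returns false.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);

        var sigNodes = doc.GetElementsByTagName("Signature", DsigNs);
        if (sigNodes.Count == 0)
            return false; // unsigned response: reject

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigNodes[0]);

        // If the message carries a certificate, it must be the registered one.
        var embedded = signedXml.KeyInfo
            .OfType<KeyInfoX509Data>()
            .SelectMany(k => k.Certificates.Cast<X509Certificate>())
            .FirstOrDefault();
        if (embedded != null &&
            embedded.GetCertHashString() != registeredIdpCert.GetCertHashString())
            return false;

        // Recomputes each Reference's DigestValue over the canonicalized element and
        // checks SignatureValue over SignedInfo with the registered public key only.
        // verifySignatureOnly: true skips chain building (IdP certs are often self-signed).
        return signedXml.CheckSignature(registeredIdpCert, verifySignatureOnly: true);
    }

    // Test helper standing in for the IdP: sign a response with a test certificate,
    // so the SP code path can be exercised without real IdP values.
    public static string SignResponse(string responseXml, X509Certificate2 signingCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);

        var signedXml = new SignedXml(doc) { SigningKey = signingCert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

        // Same transforms as the question's sample: enveloped signature, then exclusive C14N.
        var reference = new Reference("#" + doc.DocumentElement.GetAttribute("ID"));
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        // Embed the certificate in ds:KeyInfo, as the IdP in the question does.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signingCert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Throwaway self-signed certificate for tests (never use such a cert in production).
    public static X509Certificate2 MakeTestCert(string subject)
    {
        var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        // Constructed minimal response; a real one also carries Issuer, Assertion, etc.
        const string unsignedResponse =
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"id-test-1\" Version=\"2.0\">" +
            "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>" +
            "</samlp:Response>";

        var idpCert = MakeTestCert("CN=test-idp");       // what the SP registers as the IdP cert
        var otherCert = MakeTestCert("CN=someone-else"); // a cert the SP has not registered
        string signed = SignResponse(unsignedResponse, idpCert);

        Console.WriteLine(VerifyResponse(signed, idpCert));   // True
        Console.WriteLine(VerifyResponse(signed, otherCert)); // False: not the registered cert
        Console.WriteLine(VerifyResponse(signed.Replace("Success", "Requester"), idpCert)); // False: signed content changed
    }
}
```

Two things follow from this for the testing problem in the question. Samples whose DigestValue, SignatureValue and X509Certificate are "???" can never verify, and neither can a genuine sample that was pretty-printed or otherwise re-serialized after signing, because the digests cover the canonicalized bytes; the only way to get a verifying test vector is to sign one yourself with a key you control, as SignResponse does. And the overload matters: the parameterless SignedXml.CheckSignature() takes the key from ds:KeyInfo in the message, whereas passing the registered certificate is what implements the trust relationship the answer describes.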