Versions Compared

Old Version 6

changes.mady.by.user Stefan Halen

Saved on

compared with

New Version 7

changes.mady.by.user Stefan Halen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Sign the JWS using the recommended algorithm, ECDSA with P-256 and SHA-256 ("ES256"). Ensure that you include the required headers in the JWS, such as alg and x5t#S256, as specified in the specification.

Understanding the x5t#S256 Header Claim

Anchor
x5t_S256
x5t_S256
a[name="x5t_S256"]

In the process of creating the JWS, it's essential to include the x5t#S256 header claim. This claim plays a crucial role in preserving the accuracy and security of the metadata. x5t#S256 stands for "X.509 Certificate SHA-256 Thumbprint," and it serves as a fingerprint thumbprint for the X.509 certificate used for signing within the SAML metadata.

Here's how to work with the x5t#S256 claim:

  1. Retrieve the Certificate: Before generating the JWS, obtain the X.509 certificate that will be used for signing the metadata. This certificate should be the same one specified in the SAML metadata.

  2. Calculate the SHA-256

...

  1. Thumbprint: Calculate the SHA-256

...

  1. thumbprint of the certificate. This involves hashing the DER-encoded certificate data using the SHA-256 algorithm to produce a unique

...

  1. thumbprint.

  2. Base64url Encoding: Once you have the SHA-256 thumbprint, base64url encode it.

  3. Include in the JWS Header: When creating the JWS, include the x5t#S256 claim in the JWS header. This claim's value should be the

...

  1. base64url encoded SHA-256

...

  1. thumbprint of the certificate. This step ensures that the JWS references the same certificate found in the SAML metadata.

By including the x5t#S256 claim with the correct certificate fingerprintthumbprint, encoded in base64url format, you establish a secure link between the JWS and the certificate used for signing, enhancing trust and authenticity in the metadata exchange process. This validation mechanism helps confirm that the metadata hasn't been tampered with and comes from the expected source.

...

  1. Check the exp Claim: First, verify the exp (Expiration Time) claim in the JWS payload. Ensure that the current timestamp is before the specified expiration time. If the data is past its expiration time, it should not be considered valid.

  2. Validate the Digital Signature: To verify the authenticity of the metadata, use the alg (Algorithm) and x5t#S256 header claims in the JWS header.

    • alg Claim: Ensure that the algorithm specified in the alg claim matches the one used for signing (e.g., "ES256" for ECDSA with P-256 and SHA-256).

    • x5t#S256 Claim: This claim specifies the SHA-256 fingerprint thumbprint of the signing key used for the JWS. It should correspond to the fingerprint thumbprint of the certificate used for signing in the SAML metadata.

      • Retrieve the certificate from the SAML metadata, and calculate its SHA-256 fingerprintthumbprint (see .

      • Compare the calculated fingerprint thumbprint with the x5t#S256 claim in the JWS header. If they do not match, it indicates a potential security issue, and the metadata should not be trusted.

  3. Check the Issuer (iss) Claim: Verify that the iss (Issuer) claim in the JWS payload matches the expected issuer URI. This ensures that the metadata is coming from a trusted source.

  4. Validate the iat Claim: Ensure that the iat (Issued At) claim is a valid NumericDate representing the time when the data was issued.

...