...
Understanding the x5t#S256 Header Claim
| Anchor | ||||
|---|---|---|---|---|
|
In the process of creating the JWS, it's essential to include the x5t#S256 header claim. This claim plays a crucial role in preserving the accuracy and security of the metadata. x5t#S256 stands for "X.509 Certificate SHA-256 Thumbprint," and it serves as a thumbprint for the X.509 certificate used for signing within the SAML metadata.
...
Check the
expClaim: First, verify theexp(Expiration Time) claim in the JWS payload. Ensure that the current timestamp is before the specified expiration time. If the data is past its expiration time, it should not be considered valid.Validate the Digital Signature: To verify the authenticity of the metadata, use the
alg(Algorithm) andx5t#S256header claims in the JWS header.algClaim: Ensure that the algorithm specified in thealgclaim matches the one used for signing (e.g., "ES256" for ECDSA with P-256 and SHA-256).x5t#S256Claim: This claim specifies the SHA-256 thumbprint of the signing key used for the JWS. It should correspond to the thumbprint of the certificate used for signing in the SAML metadata.Retrieve the certificate from the SAML metadata, and calculate its SHA-256 thumbprint (see How to Implement Group Representative Information Exchange) .
Compare the calculated thumbprint with the
x5t#S256claim in the JWS header. If they do not match, it indicates a potential security issue, and the metadata should not be trusted.
Check the Issuer (
iss) Claim: Verify that theiss(Issuer) claim in the JWS payload matches the expected issuer URI. This ensures that the metadata is coming from a trusted source.Validate the
iatClaim: Ensure that theiat(Issued At) claim is a valid NumericDate representing the time when the data was issued.
...