Versions Compared

Old Version 10

changes.mady.by.user Stefan Halen

Saved on

compared with

New Version 11

changes.mady.by.user Stefan Halen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Verify the Digital Signature

  1. Check the exp Claim: First, verify the exp (Expiration Time) claim in the JWS payload. Ensure that the current timestamp is before the specified expiration time. If the data is past its expiration time, it should not be considered valid.

  2. Validate the Digital Signature: To verify the authenticity of the metadata, use the alg (Algorithm) and x5t#S256 header claims in the JWS header.

    • alg Claim: Ensure that the algorithm specified in the alg claim matches the one used for signing (e.g., "ES256" for ECDSA with P-256 and SHA-256).

    • x5t#S256 Claim:  This claim specifies the thumbprint of the X.509 certificate that corresponds to the signing key used for creating the JWS. To ensure trust and authenticity in the metadata exchange process, it is imperative that this thumbprint matches the thumbprint of the X.509 certificate contained within the SAML metadata.

      • Retrieve the Certificate: Begin by extracting the X.509 certificate from the SAML metadata. This certificate is found within the <ds:X509Certificate> element, which resides inside the <grie:GroupRepresentative> element.

      • Calculate the Thumbprint: Calculate the thumbprint of the retrieved X.509 certificate (see Understanding the x5t#S256 Header Claim).

      • Comparison: Compare the calculated thumbprint with the value of the x5t#S256 claim in the JWS header. If these thumbprints do not match, it indicates a potential security issue, and the metadata should not be trusted.

    • alg Claim: Ensure that the algorithm specified in the alg claim matches the one used for signing (e.g., "ES256" for ECDSA with P-256 and SHA-256).
    • Validate the Signature:
  3. Check the exp Claim: Verify the exp (Expiration Time) claim in the JWS payload. Ensure that the current timestamp is before the specified expiration time. If the data is past its expiration time, it should not be considered valid.

  4. Check the Issuer (iss) Claim: Verify that the iss (Issuer) claim in the JWS payload matches the expected issuer URI. This ensures that the metadata is coming from a trusted source.

  5. Validate the iat Claim: Ensure that the iat (Issued At) claim is a valid NumericDate representing the time when the data was issued.

...