they say the whole point is I need to do whatever it is I need to do with it?! with my own key - presumably my private key - in order to validate the signature.
That doesn't sound right to me. The way PKI works in general is that you verify a signature against the public key of the signer and that is, as you hinted, the certificate (which is in essence a public key) which is transmitted as part of the SAML assertion. You should not have sent the signer your public key for them to use in signing because it will be useless to them. The signer signs with their private key and the recipient validates it with the signer's public key.
Top tip number 1: use the XML::Sig that comes with Net::SAML2. It is in better shape than the standalone version on CPAN.
Top tip number 2: check everything as you go along in your script and add debugging statements at every turn: extracting the cert, extracting the sig, extracting the signed data, validating that the cert is the one you are expecting, validating the sig, etc. It's very easy to get confused with all this so the more debugging you have the better.
I've wrestled with this kind of thing several times and it seems that every implementation of SAML is subtly different so be prepared to massage the XML into some sort of standard form.
Good luck.
In reply to Re: Validating XML Signatures / SSL Certificate question (using Net::SAML)
by hippo
in thread Validating XML Signatures / SSL Certificate question (using Net::SAML)
by MattP
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |