Validating SAML signature in python
--------------------------------------------------
Hire the world's top talent on demand or become one of them at Toptal: https://topt.al/25cXVn
--------------------------------------------------
Music by Eric Matyas
https://www.soundimage.org
Track title: Techno Intrigue Looping
--
Chapters
00:00 Validating Saml Signature In Python
01:53 Answer 1 Score 1
02:11 Accepted Answer Score 2
02:40 Thank you
--
Full question
https://stackoverflow.com/questions/2120...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#python #xml #authentication #saml #m2crypto
#avk47
ACCEPTED ANSWER
Score 2
I faced the same problem, and had to develop a module for it: https://github.com/kislyuk/signxml. I chose to rely only on PyCrypto and pyOpenSSL, since M2Crypto is less popular and not well-maintained, which is a hazard from both compatibility (e.g. PyPy) and security perspectives. I also use lxml for the canonicalization (c14n). From the signxml docs:
from lxml import etree as ElementTree   # import the snippet assumes; signxml operates on lxml elements
from signxml import xmldsig   # newer signxml releases replace xmldsig with XMLVerifier().verify(root, x509_cert=cert)

cert = open("example.pem").read()   # the trusted IdP certificate (PEM), used for sign()/verify()
key = open("example.key").read()    # private key, needed only for signing (the sign() step is not shown here)
data = open("signed.xml", "rb").read()  # placeholder: the signed XML document to verify
root = ElementTree.fromstring(data)
xmldsig(root).verify()  # verify(x509_cert=cert) pins the IdP cert instead of trusting the KeyInfo carried in the message
ANSWER 2
Score 1
You need to canonicalize the signed info before validating the signature. That's what the transformation tag implies. Basically, since the same XML can be formatted differently, one needs to validate an XML signature in a canonical format.
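Added example (not from the question, the answers or signxml) of why the canonicalization step matters: the same Assertion serialized two ways hashes differently as raw bytes but identically after c14n, which is what a ds:Reference/ds:DigestValue check, like the ds:SignedInfo check, must rely on. It uses the stdlib C14N 2.0 canonicalizer as a stand-in for the exclusive c14n that SAML signatures normally name in their CanonicalizationMethod and Transform elements, and the Assertion fragments are constructed.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample: one SAML Assertion infoset serialized two ways.
# The IdP signed the first form; the SP's XML stack re-emitted the second
# (attribute order, quote style, start-tag whitespace and empty-element
# syntax all differ, but the canonical form is identical).
SIGNER_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Version="2.0" ID="_constructed-id"><saml:Issuer>https://idp.example'
    '</saml:Issuer><saml:Subject/></saml:Assertion>'
)
VERIFIER_XML = (
    "<saml:Assertion   ID='_constructed-id'\n    Version=\"2.0\"\n"
    '    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>https://idp.example</saml:Issuer>'
    '<saml:Subject></saml:Subject></saml:Assertion>'
)


def canonical_bytes(xml_text: str) -> bytes:
    """Canonicalize with the stdlib C14N 2.0 writer (stand-in for exc-c14n)."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_value(xml_text: str) -> str:
    """What a ds:DigestValue carries for SHA-256: base64(SHA-256(c14n bytes))."""
    return base64.b64encode(hashlib.sha256(canonical_bytes(xml_text)).digest()).decode()


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes as received, i.e. what a naive verifier would compare."""
    return base64.b64encode(hashlib.sha256(xml_text.encode("utf-8")).digest()).decode()


def reference_digest_matches(received_xml: str, expected_digest_b64: str) -> bool:
    """Verifier side: recompute the digest over the canonical form, then compare."""
    return hmac.compare_digest(digest_value(received_xml), expected_digest_b64)


if __name__ == "__main__":
    expected = digest_value(SIGNER_XML)  # value the IdP placed in ds:DigestValue
    print("raw digests equal:      ", raw_digest(SIGNER_XML) == raw_digest(VERIFIER_XML))
    print("canonical digests equal:", reference_digest_matches(VERIFIER_XML, expected))
```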