Tags: .net, wordpress, asp.net-core-webapi, saml-2.0, itfoxtec-identity-saml2

Is configuration on the IdP end required to make the SigningCertificateFile.pfx work?


I'm signing my SAML requests like this:

private static void ConfigureSigningCert(this Saml2Configuration saml2Configuration, IAppSettings appSettings, IHostingEnvironment environment)
{
    // Resolve the .pfx relative to the content root and load it together with its private key.
    var certPath = Path.Combine(environment.ContentRootPath, appSettings.Saml2.SigningCertificateFile);
    var cert = CertificateUtil.Load(certPath, appSettings.Saml2.SigningCertificatePassword);

    // Use this certificate for signing and turn on AuthnRequest signing.
    saml2Configuration.SigningCertificate = cert;
    saml2Configuration.SignAuthnRequest = true;
}

It's pretty much how the official documentation explains it should be done.

However, my SAML authentication works / goes through with or without this signing bit. I'm not sure whether I need to do any extra configuration on the IdP end to implement this correctly? I kind of expected it to stop working once I enabled the signing in the configuration (and until I did some extra setup in the IdP) so I guess that's what's confusing me.

Perhaps it's simply some sort of a round-trip type of a security check and no intervention / extra setup on the IdP side is needed to make the request signing work? The other option is that I misconfigured it and that's why it's working.

A bonus question - how do I ensure / validate that the signing is working?

Update: I am configuring the RP. The IdP is a Mini Orange WordPress plugin which I have access to in terms of configuring the details such as the issuer, callback URL, response signing / encryption. But I'm not allowed to do any hard modifications to the WP instance or the plugin. The client did want us to implement request signing when asked about it (as an extra layer of security) and even went the extra mile to ask Mini Orange to support it in the plugin, which they supposedly did (we got an upgrade of the plugin the other day), but I'm not sure if I'm misunderstanding the protocol or they didn't really support request signing in Mini Orange even with the plugin upgrade.

Thanks!


Solution

  • I expect you have configured the RP (relying party) to sign the Authn Request, which is optional in the SAML 2.0 standard and only required by some IdPs (identity providers).

    If your IdP does not require the Authn request to be signed, I think you should omit it.

    If the IdP is implemented with the ITfoxtec Identity SAML 2.0 package, it can be configured to require a signed Authn Request with the same configuration, saml2Configuration.SignAuthnRequest = true. Therefore, you can test the signing with a test IdP implemented using ITfoxtec Identity SAML 2.0.

    Samples:

    ASP.NET core RP sample: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore

    ASP.NET core IdP sample: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestIdPCore

    Update: It looks like the Mini Orange WordPress plugin IdP can be configured with a public RP key for Authn Request signature validation in the field X.509 Certificate (optional): (For Signed Request), see screenshot.
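To answer the bonus question ("how do I validate that the signing is working?") on the RP side, the following is an added example, not code from the question, the answer or the ITfoxtec project. It builds an AuthnRequest from the same Saml2Configuration the question configures (assumed to also have Issuer and SingleSignOnDestination set) and inspects the bound output of both bindings. The ITfoxtec types used (Saml2AuthnRequest, Saml2RedirectBinding, Saml2PostBinding, RedirectLocation, XmlDocument) are the public API of the package; the helper class and method names are mine.

```csharp
using System;
using System.Web;                                   // HttpUtility.ParseQueryString
using System.Xml;
using ITfoxtec.Identity.Saml2;

// Added example: checks whether the AuthnRequest this RP emits is actually signed.
public static class AuthnRequestSigningCheck
{
    // HTTP-Redirect binding: per the SAML 2.0 Bindings spec the XML itself is
    // DEFLATEd and base64-encoded into SAMLRequest, and the signature travels in
    // the separate SigAlg and Signature query parameters. Decoding SAMLRequest and
    // looking for a ds:Signature inside it will therefore never find one.
    public static bool RedirectRequestIsSigned(Saml2Configuration rpConfig)
    {
        var binding = new Saml2RedirectBinding();
        binding.Bind(new Saml2AuthnRequest(rpConfig));

        var query = HttpUtility.ParseQueryString(binding.RedirectLocation.Query);
        return query["SAMLRequest"] != null
            && query["SigAlg"] != null
            && query["Signature"] != null;
    }

    // HTTP-POST binding: here the signature is an enveloped XML-DSig, so the
    // bound document must contain a ds:Signature element.
    public static bool PostRequestIsSigned(Saml2Configuration rpConfig)
    {
        var binding = new Saml2PostBinding();
        binding.Bind(new Saml2AuthnRequest(rpConfig));

        var ns = new XmlNamespaceManager(binding.XmlDocument.NameTable);
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        return binding.XmlDocument.SelectSingleNode("//ds:Signature", ns) != null;
    }

    // Convenience entry point for a quick manual check or a unit test:
    // both results must be true when SigningCertificate is loaded and
    // SignAuthnRequest = true, and both must be false when signing is off.
    public static (bool redirect, bool post) Check(Saml2Configuration rpConfig)
    {
        return (RedirectRequestIsSigned(rpConfig), PostRequestIsSigned(rpConfig));
    }
}
```

These checks only prove that the RP is producing a signature. They say nothing about whether the IdP verifies it, and a signature the IdP never validates adds no protection, which is consistent with the observation in the question that login succeeds with or without signing. The IdP-side half of the test is the one the answer describes: run the request against an IdP that requires signed requests (such as the linked ITfoxtec TestIdPCore sample, or the Mini Orange plugin once the RP's public certificate is entered in its signed-request field) and confirm that an unsigned or tampered request is rejected while the signed one is accepted.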