Authentication request signature
- The MPASSid SAML 2.0 profile requires that the authentication message is signed.
Requirements
- The certificate used to sign authentication requests is defined in the service's SAML metadata.
- The service is configured to sign authentication requests with that certificate.
How to verify that a SAML authentication request is signed
- SAML authentication requests in MPASSid use the HTTP-Redirect binding. The redirect URL must have SigAlg and Signature parameters.
Example: SAML Authentication Request with Signature
https://mpass-proxy.csc.fi/idp/profile/SAML2/Redirect/SSO?
SAMLRequest=fZFBU8IwEIX ... 9X5t8%3D
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
&Signature=eSCb2S5ZnaBPezmxbF ... XolL730PRRhPKNfv8%3D
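
One way to automate the check above (an added example, not MPASSid's own code): the script confirms that a redirect URL carries SAMLRequest, SigAlg and Signature, decodes them, and returns the octet string that the HTTP-Redirect binding signs. It does not verify the signature against the metadata certificate. The function names and the sample request are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import quote, unquote, urlsplit

ENDPOINT = "https://mpass-proxy.csc.fi/idp/profile/SAML2/Redirect/SSO"  # from the page

def inspect_redirect_request(url):
    """Check a SAML HTTP-Redirect URL for SigAlg/Signature; no cryptographic verification."""
    raw = {}  # raw, still percent-encoded values: the binding signs them as sent
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        raw.setdefault(name, value)
    missing = [p for p in ("SAMLRequest", "SigAlg", "Signature") if not raw.get(p)]
    if missing:
        return {"has_signature": False, "missing": missing}
    try:
        signature = base64.b64decode(unquote(raw["Signature"]), validate=True)
        # SAMLRequest is raw DEFLATE, then base64, then URL-encoded
        xml = zlib.decompress(base64.b64decode(unquote(raw["SAMLRequest"])), -15)
    except (ValueError, zlib.error) as exc:
        return {"has_signature": False, "error": str(exc)}
    # Octets the signature covers: SAMLRequest, optional RelayState, SigAlg, in that order
    order = [p for p in ("SAMLRequest", "RelayState", "SigAlg") if p in raw]
    return {
        "has_signature": True,
        "sig_alg": unquote(raw["SigAlg"]),
        "signature_bytes": len(signature),
        "is_authn_request": b"AuthnRequest" in xml,
        "signed_octets": "&".join(f"{p}={raw[p]}" for p in order).encode(),
    }

def build_sample_url():
    """Constructed sample: minimal AuthnRequest with placeholder (not real) signature bytes."""
    xml = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           b'ID="_constructed" Version="2.0"/>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    params = [
        ("SAMLRequest", base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()),
        ("SigAlg", "http://www.w3.org/2000/09/xmldsig#rsa-sha1"),
        ("Signature", base64.b64encode(b"\x00" * 256).decode()),
    ]
    return ENDPOINT + "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in params)

if __name__ == "__main__":
    print(inspect_redirect_request(build_sample_url()))
```

To check a real request, pass the full redirect URL captured from the browser's address bar or network log to `inspect_redirect_request`.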