Verification of SAML token

Damir Dobric Posts

Next talks:



Follow me on Twitter: #ddobric




Security Assertion Markup Language well known as SAML is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.

By implementing of web service security in interoperable application, you will be almost always required to deal with SAML token. Depending on what your are going to do, there are several helpful scenarios. Most important scenarios are:

  1. Create the new (signed) token
  2. Obtain the token from STS (Security Token Service) and do verification
  3. Persist the (unchanged) token (HDD or memory)
  4. Send the (unchanged) token to some provider (i.e.: WCF service)

Following example shows how to load the token from the file and how to do verification.

private static void Main(string[] args)
XmlReader reader = XmlReader.Create("samltoken.xml");
List<SecurityToken> tokens = new List<SecurityToken>();

tokens.Add(new X509SecurityToken("certificate.crt"));
SecurityTokenResolver outOfBandTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new

<SecurityToken>(tokens), true);
SecurityToken securityToken = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, outOfBandTokenResolver);

deserializedSaml = securityToken as SamlSecurityToken;

This example first loads the SAML security token from the file. The token is any valid SAML token which can be created as shown in this post. In the second step the certificate with the public key of issuer is loaded.
Then the SAML token has to be loaded in the list of security tokens, which is then deserialized. Note that deserialization process automatically proves the validity of digital signature of the token.
The procedure of verification of the signature is not very intuitive, but it costs just few lines of code. Unfortunately in many cases you will have to deal with SAML token as subset of some XmlDocument. To illustrate this, image you have to load the token from some stream in XmlDocument. In this case it is very important to know that loading and writing of XML by using readers, writes and XmlDocument itself, mostly changes the stream containing the xml data. For example the loading of XML document does not preserve whitespaces.
However, if the document is signed, the loading procedure must not change anything. Otherwise the verification will fail. When you read or write the XML document with signed content, be sure that whitespaces are preserved as shown in following example:

private static void Main(string[] args)
XmlDocument xDoc1 = new XmlDocument();
xDoc1.PreserveWhitespace = true;

// Note that this token is added in resources as binary data.
xDoc1.Load(new MemoryStream(Resources.SbbTokenWithNULLUri));

// Adding Loading from file

. . .

xDoc2 = new XmlDocument();
xDoc2.PreserveWhitespace = true;


Posted Feb 22 2007, 07:42 PM by Damir Dobric
Filed under:


Damir Dobric Posts wrote Problem by verification of SAML token
on 02-23-2007 10:59

When the SAML token is created by using of SbbSecurityTokenSerializer as shown in this example, the WCF is a .Net Community Blog powered by daenet GmbH.