(Objective-C) SAML Signature Validation

See more XML Digital Signatures Examples

A SAML Signature is an XML Digital Signature (XMLDSig) just like any other XML digital signature. It can be verified by using Chilkat' XmlDSig class, as shown in this example.

Chilkat Objective-C Library Downloads MAC OS X (Cocoa) Libs iOS Libs

#import <CkoXmlDSig.h>

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

CkoXmlDSig *dsig = [[CkoXmlDSig alloc] init];
BOOL success = [dsig LoadSignature: @"XML xml signature goes here..."];

// A sample SAML signature is shown below..

int numSignatures = [dsig.NumSignatures intValue];
int i = 0;
while (i < numSignatures) {
    dsig.Selector = [NSNumber numberWithInt: i];

    BOOL bVerifyRefDigests = NO;
    BOOL bSignatureVerified = [dsig VerifySignature: bVerifyRefDigests];
    if (bSignatureVerified == YES) {
        NSLog(@"%@%d%@",@"Signature ",i + 1,@" verified");
    }
    else {
        NSLog(@"%@%d%@",@"Signature ",i + 1,@" invalid");
    }

    // Check each of the reference digests separately..
    int numRefDigests = [dsig.NumReferences intValue];
    int j = 0;
    while (j < numRefDigests) {
        BOOL bDigestVerified = [dsig VerifyReferenceDigest: [NSNumber numberWithInt: j]];
        NSLog(@"%@%d%@%d",@"reference digest ",j + 1,@" verified = ",bDigestVerified);
        if (bDigestVerified == NO) {
            NSLog(@"%@%d",@"    reference digest fail reason: ",[dsig.RefFailReason intValue]);
        }

        j = j + 1;
    }

    i = i + 1;
}

// --------------------------------------
// Here is a sample SAML XML Signature
// 
// 
// <?xml version="1.0" encoding="UTF-8"?>
// <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="abc123" Version="2.0" IssueInstant="2022-04-01T12:34:56Z" Destination="https://sp.example.com/sso">
//   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com</saml2:Issuer>
//   <saml2p:Status>
//     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
//   </saml2p:Status>
//   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="def456" IssueInstant="2022-04-01T12:34:56Z" Version="2.0">
//     <saml2:Issuer>https://idp.example.com</saml2:Issuer>
//     <saml2:Subject>
//       <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml2:NameID>
//     </saml2:Subject>
//     <saml2:Conditions NotBefore="2022-04-01T12:34:56Z" NotOnOrAfter="2022-04-01T13:34:56Z"/>
//     <saml2:AuthnStatement AuthnInstant="2022-04-01T12:34:56Z">
//       <saml2:AuthnContext>
//         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
//       </saml2:AuthnContext>
//     </saml2:AuthnStatement>
//     <!-- Additional assertion content -->
//   </saml2:Assertion>
//   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
//     <ds:SignedInfo>
//       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
//       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
//       <ds:Reference URI="#abc123">
//         <ds:Transforms>
//           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
//           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
//         </ds:Transforms>
//         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
//         <ds:DigestValue>q7Zj1w+...+pCsjw=</ds:DigestValue>
//       </ds:Reference>
//       <!-- Additional references if present -->
//     </ds:SignedInfo>
//     <ds:SignatureValue>
//       NjIzOWE5ZjA2M2M1...NzUwNzUwNzUwNzUwNzU=
//     </ds:SignatureValue>
//     <ds:KeyInfo>
//       <ds:X509Data>
//         <ds:X509Certificate>
//           MIIDgzCCAmugAwIBAg...AgADAA==
//         </ds:X509Certificate>
//       </ds:X509Data>
//     </ds:KeyInfo>
//   </ds:Signature>
// </saml2p:Response>