(VB.NET) SAML Signature Validation

See more XML Digital Signatures Examples

A SAML Signature is an XML Digital Signature (XMLDSig) just like any other XML digital signature. It can be verified by using Chilkat' XmlDSig class, as shown in this example.

Chilkat .NET Downloads Chilkat .NET Framework Chilkat for .NET Core

' This example requires the Chilkat API to have been previously unlocked.
' See Global Unlock Sample for sample code.

Dim dsig As New Chilkat.XmlDSig
Dim success As Boolean = dsig.LoadSignature("XML xml signature goes here...")

' A sample SAML signature is shown below..

Dim numSignatures As Integer = dsig.NumSignatures
Dim i As Integer = 0
While i < numSignatures
    dsig.Selector = i

    Dim bVerifyRefDigests As Boolean = False
    Dim bSignatureVerified As Boolean = dsig.VerifySignature(bVerifyRefDigests)
    If (bSignatureVerified = True) Then
        Debug.WriteLine("Signature " & (i + 1) & " verified")
    Else
        Debug.WriteLine("Signature " & (i + 1) & " invalid")
    End If


    ' Check each of the reference digests separately..
    Dim numRefDigests As Integer = dsig.NumReferences
    Dim j As Integer = 0
    While j < numRefDigests
        Dim bDigestVerified As Boolean = dsig.VerifyReferenceDigest(j)
        Debug.WriteLine("reference digest " & (j + 1) & " verified = " & bDigestVerified)
        If (bDigestVerified = False) Then
            Debug.WriteLine("    reference digest fail reason: " & dsig.RefFailReason)
        End If


        j = j + 1
    End While

    i = i + 1
End While

' --------------------------------------
' Here is a sample SAML XML Signature
' 
' 
' <?xml version="1.0" encoding="UTF-8"?>
' <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="abc123" Version="2.0" IssueInstant="2022-04-01T12:34:56Z" Destination="https://sp.example.com/sso">
'   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com</saml2:Issuer>
'   <saml2p:Status>
'     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
'   </saml2p:Status>
'   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="def456" IssueInstant="2022-04-01T12:34:56Z" Version="2.0">
'     <saml2:Issuer>https://idp.example.com</saml2:Issuer>
'     <saml2:Subject>
'       <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml2:NameID>
'     </saml2:Subject>
'     <saml2:Conditions NotBefore="2022-04-01T12:34:56Z" NotOnOrAfter="2022-04-01T13:34:56Z"/>
'     <saml2:AuthnStatement AuthnInstant="2022-04-01T12:34:56Z">
'       <saml2:AuthnContext>
'         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
'       </saml2:AuthnContext>
'     </saml2:AuthnStatement>
'     <!-- Additional assertion content -->
'   </saml2:Assertion>
'   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
'     <ds:SignedInfo>
'       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
'       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
'       <ds:Reference URI="#abc123">
'         <ds:Transforms>
'           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
'           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
'         </ds:Transforms>
'         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
'         <ds:DigestValue>q7Zj1w+...+pCsjw=</ds:DigestValue>
'       </ds:Reference>
'       <!-- Additional references if present -->
'     </ds:SignedInfo>
'     <ds:SignatureValue>
'       NjIzOWE5ZjA2M2M1...NzUwNzUwNzUwNzUwNzU=
'     </ds:SignatureValue>
'     <ds:KeyInfo>
'       <ds:X509Data>
'         <ds:X509Certificate>
'           MIIDgzCCAmugAwIBAg...AgADAA==
'         </ds:X509Certificate>
'       </ds:X509Data>
'     </ds:KeyInfo>
'   </ds:Signature>
' </saml2p:Response>