How to validate signature in SAML Response from Okta to SP?
https://support.okta.com/help/answers?id=906f0000000i0t5iak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Anshu Kunal

How to validate signature in SAML Response from Okta to SP?

How do we validate the signature in a SAML Response from Okta to the SP? Do we need to validate the signature using the IdP certificate?
Best Answer chosen by Niki (Okta, Inc.) 
Gabriel Sroka (Okta, Inc.)
Hi Anshu
Yes, you need the IdP's certificate.
Are you writing your own SP? Most SPs or SAML libraries come with functionality to do this, and I strongly suggest using one because it can be tricky to get it right yourself.

Thanks.

All Answers

Anshu Kunal
We are using Guidewire as the SP.
For validation of the signature it is expecting the IdP's public and private key.
How do we get both of the IdP's keys? Are they available in the IdP's certificate?

// OpenSAML 2.x (xmltooling) classes, in Gosu as in the original post
uses org.opensaml.xml.security.credential.BasicCredential
uses org.opensaml.xml.signature.SignatureValidator
var basic = new BasicCredential()
basic.setPublicKey(publicKey)    // the IdP's public key, as extracted from its certificate
basic.setPrivateKey(privateKey)  // what the Guidewire code asked for; signature verification does not use it
var sigValidator = new SignatureValidator(basic)
 
Gabriel Sroka (Okta, Inc.)
Hi Anshu
A private key belongs to the entity that created it and no one else (that's why it's "private"). The public key, on the other hand, can be shared with anyone. So, Okta's private key is internal to Okta; no one else can see it.
Furthermore, to verify a signature only requires a public key (not a private key).
Can you post URLs for Guidewire and/or the code you listed above?
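Both replies above come down to the same point: the SP verifies the Okta signature with the IdP's X.509 certificate (its public key) and nothing else; no private key is involved. The following is an added example, not code from Okta, Guidewire or the original poster, showing that check with OpenSAML 2.x, the library family the BasicCredential/SignatureValidator snippet above belongs to. It assumes a PEM copy of the certificate taken from Okta's IdP metadata (the ds:X509Certificate element) and a SAML Response already decoded from the POST binding; the class and method names are hypothetical.

```java
// Added example (not Okta's, Guidewire's or the poster's code): verify an Okta SAML
// Response signature with OpenSAML 2.x using only the IdP's certificate.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

public class OktaSamlSignatureCheck {  // hypothetical class name

    /** Parse the PEM certificate copied from Okta's IdP metadata. The public key lives inside it. */
    public static X509Certificate loadIdpCertificate(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /**
     * Returns the parsed Response if the Response itself, or every Assertion inside it,
     * carries a signature that verifies against idpCert; throws ValidationException otherwise.
     */
    public static Response verify(String responseXml, X509Certificate idpCert) throws Exception {
        DefaultBootstrap.bootstrap();  // registers the SAML 2 object providers; once per JVM

        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);
        parser.setExpandEntityReferences(false);  // untrusted XML: no entity expansion
        Element root = parser.parse(new ByteArrayInputStream(
                responseXml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Response response = (Response) um.unmarshall(root);

        // The trust anchor is the certificate we already hold from Okta's metadata, not
        // whatever <ds:KeyInfo> inside the message claims. Only the public key is used.
        BasicX509Credential idpCredential = new BasicX509Credential();
        idpCredential.setEntityCertificate(idpCert);
        idpCredential.setPublicKey(idpCert.getPublicKey());
        SignatureValidator validator = new SignatureValidator(idpCredential);

        if (response.getSignature() != null) {
            // A valid Response signature covers the whole document, assertions included.
            checkSignature(response.getSignature(), validator);
            return response;
        }
        List<Assertion> assertions = response.getAssertions();
        if (assertions.isEmpty()) {
            throw new ValidationException("Response carries no signature and no assertions");
        }
        for (Assertion assertion : assertions) {
            if (assertion.getSignature() == null) {
                throw new ValidationException("Unsigned assertion inside an unsigned response");
            }
            checkSignature(assertion.getSignature(), validator);
        }
        return response;
    }

    private static void checkSignature(Signature signature, SignatureValidator validator)
            throws ValidationException {
        // Profile check first: exactly one Reference, whose URI is the ID of the enclosing
        // element, with the enveloped-signature transform. This is the guard against
        // XML signature wrapping, where a valid signature is moved onto a different element.
        new SAMLSignatureProfileValidator().validate(signature);
        // Then the cryptographic check against the pinned IdP certificate.
        validator.validate(signature);
    }
}
```

Gosu code in Guidewire can call a Java class like this directly. A valid signature is only the first gate: the library's response validation must still check Issuer, Audience, Recipient, InResponseTo, the NotBefore/NotOnOrAfter window and assertion replay, which is the reason the accepted answer recommends a maintained SAML library over a hand-written check.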