Verify EntraID SAML Assertions (C equivalent of the --attr:ID parameter in xmlsec1)

[matteoprinetti]

HI all, I spent quite a bit of time on this problem - how to verify the SAML Response I get from EntraID in C.

The answer was to specify which XML Element has the ID that xmlsec needs to verify the document:

  xmlNodePtr nodeAssertion = xmlSecFindNode(xmlDocGetRootElement(doc), "Assertion", "urn:oasis:names:tc:SAML:2.0:assertion");

   xmlAttrPtr attr = nodeAssertion->properties;

   xmlChar *id = xmlNodeListGetString(nodeAssertion->doc, attr->children, 1);
   if (id == NULL)
   {
       return (0);
   }
   xmlAttrPtr  tmpAttr = xmlGetID(nodeAssertion->doc, id);
   if (tmpAttr == NULL)
   {
       xmlAddID(NULL, nodeAssertion->doc, id, attr);
   } 

This goes just before the call to xmlSecDSigCtxVerify (if you use verify4.c from the example library).
Hope this helps other with the same problem....

[lsh123]

Thanks, sounds like this is the same as section 3.2 in the FAQ :)

https://www.aleksey.com/xmlsec/faq.html

[matteoprinetti]

Yes of course :-) I guessed SAML Response Verifying is a quite common Task and I did not find a clear solution in the net so maybe people can save some time knowing it can be done and how it is done .

…

On Thu, 10 Apr 2025 at 17:28, lsh123 ***@***.***> wrote: Thanks, sounds like this is the same as section 3.2 in the FAQ :) https://www.aleksey.com/xmlsec/faq.html — Reply to this email directly, view it on GitHub <#902 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AN2WGP4HVKBBJ6YUC22VSU32Y2E2HAVCNFSM6AAAAAB23FHHQGVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTENZZGMZTIMI> . You are receiving this because you authored the thread.Message ID: ***@***.***>