Consider this SAML token structure.
<Assertion>
  <Signature>
    {{SIGNED INFORMATION}}
  </Signature>
  <Subject> </Subject>
  <AttributeStatement>
    {{ INFORMATION THAT USER CLAIMS }}
  </AttributeStatement>
</Assertion>
As far as I know, we need to check whether {{SIGNED INFORMATION}} is the same as {{ INFORMATION THAT USER CLAIMS }}.
We are passing only the <Signature> part and the Credential to the SignatureValidator.validate() method. How is it validating the AttributeStatement then?
How does it reference the AttributeStatement, which is not passed as part of the Signature?
To break it down in more everyday terms, think of the SAML token as an "official letter" of sorts that you're sending to someone. The <Assertion> part is like the main body of the letter. It includes the <Subject> (kind of like who the letter is about), and the <AttributeStatement> (basically all the important details or claims you want to communicate).
Now, when you want to make sure that no one messes with your letter after you've written it, you'd sign it, right? That's essentially what the <Signature> part does. It helps verify that the letter (or in this case, the token) hasn't been tampered with.
You'd think, based on how we understand signatures, that you'd only be signing the <AttributeStatement> part (the meat of the letter). But that's where it gets interesting. The <Signature> part doesn't just contain the signed <AttributeStatement>, but the entire <Assertion> itself!
When you create a SAML assertion, you are effectively signing the entire <Assertion> section, including the <Subject> and <AttributeStatement>. The resultant signed data is what is included in the <Signature> section. This way, any modification to any part of the assertion would cause the validation to fail, providing a stronger security guarantee.
So, when the SignatureValidator.validate() method receives the <Signature> and the credential (think of the credential as a unique pen you used for the signature that no one else has), it isn't just validating the <Signature> alone. It's actually checking the entire <Assertion> against the signature.
So, in layman's terms, it's not just checking that your signature is legit, it's double-checking that no one has gone and added or removed any bits from your letter after you've signed it. That way, it can tell if anyone has tried to be sneaky and mess with your stuff after you put your John Hancock on it.
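To make the mechanism concrete, here is an added worked example (not code from the question, the answer, or OpenSAML) of how an enveloped XML signature "reaches" the rest of the assertion even though only the Signature element is handed to the validator. The Signature does not embed a copy of the assertion; its SignedInfo holds a Reference whose URI="#<Assertion ID>" names the element that was digested, and the digest was computed over the whole Assertion with the Signature itself cut out (the enveloped-signature transform). A validator holding just the Signature follows that URI back through the document, recomputes the digest, and compares. The example stands in two places for what real SAML uses: the standard library's C14N 2.0 (`xml.etree.ElementTree.canonicalize`) replaces exclusive C14N 1.0, and an HMAC-SHA256 under a shared secret replaces the IdP's RSA signature with its credential. The assertion, its ID and the key are constructed for the demo.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS)
ET.register_namespace("saml", SAML)

# Constructed sample assertion (not a real token). Only Subject and
# AttributeStatement are present; sign_assertion() adds the Signature.
UNSIGNED_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1b2c3" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

KEY = b"demo-shared-secret"  # constructed stand-in for the IdP credential


def c14n(element):
    """Canonical bytes of an element (stdlib C14N 2.0; SAML itself uses exclusive C14N 1.0)."""
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode()


def enveloped_digest(element):
    """Digest of the element with its own ds:Signature removed: the enveloped-signature transform.

    This is why Subject and AttributeStatement are covered even though they are
    not inside the Signature: the digest is taken over the whole referenced element.
    """
    clone = copy.deepcopy(element)
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    return hashlib.sha256(c14n(clone)).hexdigest()


def sign_assertion(xml_text, key=KEY):
    """Attach a ds:Signature whose Reference URI="#<ID>" points back at the whole Assertion."""
    root = ET.fromstring(xml_text)
    signature = ET.Element(f"{{{DS}}}Signature")
    signed_info = ET.SubElement(signature, f"{{{DS}}}SignedInfo")
    reference = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=f"#{root.get('ID')}")
    ET.SubElement(reference, f"{{{DS}}}DigestValue").text = enveloped_digest(root)
    # The signature value is computed over SignedInfo (which carries the digest),
    # not over the Assertion directly; the digest is what binds the two together.
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).hexdigest()
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = mac
    root.insert(0, signature)
    return ET.tostring(root, encoding="unicode")


def validate_signed_assertion(signed_xml, key=KEY):
    """What a validator does with the Signature plus credential: verify SignedInfo,
    then follow Reference/@URI back into the document and re-digest the target."""
    root = ET.fromstring(signed_xml)
    signature = root.find(f"{{{DS}}}Signature")
    if signature is None:
        return False
    signed_info = signature.find(f"{{{DS}}}SignedInfo")
    reference = signed_info.find(f"{{{DS}}}Reference")
    # Step 1: does the credential vouch for SignedInfo (and therefore the stored digest)?
    expected_mac = hmac.new(key, c14n(signed_info), hashlib.sha256).hexdigest()
    stored_mac = signature.findtext(f"{{{DS}}}SignatureValue") or ""
    if not hmac.compare_digest(expected_mac.encode(), stored_mac.encode()):
        return False
    # Step 2: resolve URI="#id". Defensive choice: only accept the Assertion being
    # consumed as the target, never some other element that happens to carry that ID.
    target_id = reference.get("URI", "")[1:]
    if root.get("ID") != target_id:
        return False
    # Step 3: recompute the digest over the referenced element (Subject, AttributeStatement, all of it).
    stored_digest = reference.findtext(f"{{{DS}}}DigestValue") or ""
    return hmac.compare_digest(enveloped_digest(root).encode(), stored_digest.encode())


def rewrite_role(signed_xml, new_role):
    """Change the role claim in an already-signed assertion; the validator must detect this."""
    root = ET.fromstring(signed_xml)
    root.find(f".//{{{SAML}}}AttributeValue").text = new_role
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = sign_assertion(UNSIGNED_ASSERTION)
    print("untouched assertion valid:", validate_signed_assertion(signed))
    print("edited AttributeStatement valid:", validate_signed_assertion(rewrite_role(signed, "admin")))
    print("wrong credential valid:", validate_signed_assertion(signed, key=b"other-key"))
```

Run stand-alone it prints True, False, False: editing a claim inside AttributeStatement changes the digest that SignedInfo vouches for, so the check fails even though the Signature element itself was never touched. The same three-step shape (verify SignedInfo with the credential, resolve each Reference, re-digest the referenced element) is what a library validator performs once it is given the Signature; the difference in production is that the "document" it walks is the DOM the Signature node already belongs to.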