SAML PDP Response XML-Signature Verification


A SAML assertion contains identity information about an end-user. Depending on its type, the assertion can convey proof of an authentication event, details of user attributes, or authorization information about the end-user. Typically such assertions are issued by a SAML PDP (Policy Decision Point) after a client authenticates to it or requests access to a specified resource.

Clients use the SAML Protocol (SAMLP) to obtain SAML assertions from SAML PDPs. The SAMLP request usually contains identity information about the end-user. The PDP then uses this information when generating the assertion, which is then returned in a SAMLP response.

The PDP will usually sign the assertion, the SAMLP response, or both, as proof that only it could have issued them and to guarantee the integrity of the assertion. When the API Gateway receives the SAMLP response from the PDP, it can validate the signature on the assertion or on the response.


Configure the following fields to validate the XML Signature over the SAMLP response:

Signature Location:

Because there may be multiple signatures contained within the SAMLP response, it is necessary to specify which signature the API Gateway should validate. The signature can be extracted from one of three places:

  • From the SOAP header

  • Using WS-Security Actors

  • Using XPath

Select the appropriate option from the dropdown. Take a look at the Signature Location tutorial for more information on configuring this section.

What Must Be Signed:

This section defines the content that must be signed in order for the signature on the SAMLP response to be considered valid. This ensures that the signer has signed something meaningful (i.e. part of the SAMLP response) rather than some arbitrary data that would pass a "blind" signature validation.

An XPath expression is used to identify the nodeset that should be signed. To specify that nodeset, select either an existing XPath expression from the XPath Expression dropdown list, or add a new one using the Add button. XPath expressions can also be edited or removed with the Edit and Delete buttons respectively.

Signer's Public Key/Certificate:

Select the Certificate in Message radio button in order to use the certificate from the XML-Signature specified in the Signature Location section. The certificate is extracted from the <KeyInfo> block, as in the following fragment:

<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="Sample">
  <!-- SignedInfo and SignatureValue omitted -->
  <dsig:KeyInfo>
    <dsig:X509Data>
      <dsig:X509SubjectName>CN=Sample User...</dsig:X509SubjectName>
      <dsig:X509Certificate>MIIE ....... EQgJ</dsig:X509Certificate>
    </dsig:X509Data>
  </dsig:KeyInfo>
</dsig:Signature>

Clients may not always want to include their public keys in their signatures. In such cases, the public key must be retrieved from a certificate stored either in a specified LDAP directory or in the API Gateway's global Certificate Store.

For example, the following signed XML message does not include the signatory's certificate. Instead, only the Common Name of the signatory's certificate is included. In this case, the API Gateway must obtain the certificate from an LDAP directory or the Certificate Store to validate the signature on the assertion.

<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-env="">
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" id="User">
    <dsig:SignedInfo>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform Algorithm=""/>
          <dsig:Transform Algorithm=""/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm=""/>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:KeyInfo><dsig:X509Data>
      <dsig:X509SubjectName>CN=User,OU=R&amp;D,O=Company Ltd.,L=Dublin 4,ST=Dublin,C=IE</dsig:X509SubjectName>
    </dsig:X509Data></dsig:KeyInfo>
  </dsig:Signature>
  <ns1:getTime xmlns:ns1="urn:timeservice"/>
</soap-env:Envelope>

To retrieve a client certificate from an LDAP directory, select a pre-configured one from the LDAP Source dropdown, or add a new directory or edit an existing one by clicking the Add or Edit button.

Alternatively, select a certificate from the Certificate Store by selecting the Certificate in Store radio button and clicking on the Select button. This certificate will then be associated with the incoming message so that all subsequent certificate-based filters will use this user's certificate.
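The three sections above (Signature Location, What Must Be Signed, Signer's Public Key/Certificate) map onto three structural checks that a gateway performs before the cryptographic verification itself. The Python below is an added example, not API Gateway code or documentation; it runs those checks over a constructed SAMLP response, modelling a WS-Security actor with the SOAP actor attribute, using assumed function names (locate_signature, required_nodes_signed, signer_key_source, check_response) and a placeholder signature value, and it performs no digest or signature computation.

```python
# Structural pre-checks only: signature/digest values are placeholders, never verified.
import xml.etree.ElementTree as ET

NS = {"soap-env": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "dsig": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the PDP signed only the Assertion (ID "_a1"); the signature sits in a WS-Security header for actor "gateway".
SAMPLE = """<soap-env:Envelope xmlns:soap-env="%(soap-env)s"><soap-env:Header>
 <wsse:Security soap-env:actor="gateway" xmlns:wsse="%(wsse)s">
  <dsig:Signature xmlns:dsig="%(dsig)s">
   <dsig:SignedInfo><dsig:Reference URI="#_a1"><dsig:DigestValue>...</dsig:DigestValue></dsig:Reference></dsig:SignedInfo>
   <dsig:SignatureValue>...</dsig:SignatureValue>
   <dsig:KeyInfo><dsig:X509Data><dsig:X509SubjectName>CN=PDP,O=Company Ltd.,C=IE</dsig:X509SubjectName></dsig:X509Data></dsig:KeyInfo>
  </dsig:Signature></wsse:Security></soap-env:Header>
 <soap-env:Body><samlp:Response ID="_r1" xmlns:samlp="%(samlp)s">
  <saml:Assertion ID="_a1" xmlns:saml="%(saml)s"/></samlp:Response></soap-env:Body>
</soap-env:Envelope>""" % NS

def locate_signature(root, actor=None):
    """Signature Location: the <dsig:Signature> in a SOAP-header wsse:Security block, optionally only for the given actor."""
    for sec in root.iterfind("soap-env:Header/wsse:Security", NS):
        if actor is None or sec.get("{%s}actor" % NS["soap-env"]) == actor:
            sig = sec.find("dsig:Signature", NS)
            if sig is not None:
                return sig
    return None

def required_nodes_signed(root, sig, required_path):
    """What Must Be Signed: every node selected by required_path must be the target of a Reference (URI="#<ID>", or URI="" covering the whole document)."""
    refs = {r.get("URI") for r in sig.iterfind("dsig:SignedInfo/dsig:Reference", NS)}
    required = root.findall(required_path, NS)
    return bool(required) and all(
        "" in refs or "#" + n.get("ID", "") in refs for n in required)

def signer_key_source(sig):
    """Signer's Public Key/Certificate: certificate from <KeyInfo> if present, else the subject name to resolve via LDAP or the Certificate Store."""
    cert = sig.find("dsig:KeyInfo/dsig:X509Data/dsig:X509Certificate", NS)
    if cert is not None and cert.text and cert.text.strip():
        return ("certificate-in-message", cert.text.strip())
    subj = sig.find("dsig:KeyInfo/dsig:X509Data/dsig:X509SubjectName", NS)
    return ("lookup-by-subject", subj.text.strip() if subj is not None else None)

def check_response(xml_text, actor, required_path):
    """Returns (required nodeset is signed, key source), or None when no signature is found at the configured location."""
    root = ET.fromstring(xml_text)
    sig = locate_signature(root, actor)
    return None if sig is None else (required_nodes_signed(root, sig, required_path), signer_key_source(sig))
```

A blind-signature case is the second call in the test: the Response element itself is not referenced, so the check fails even though the signature inside the message is otherwise intact.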