SAML does not require the use of ds:KeyInfo, nor does it impose any restrictions on its use.
Therefore, ds:KeyInfo MAY be absent." You can verify the signature if the public key has been provided to you through other means, e.g.
So currently validation fails only when the response is encrypted.
In that case the response is decrypted correctly in php-saml but fails on signature/digest validation.
Any idea if this is something on my end or a problem with the php-saml toolkit?
Any modification of the SAMLResponse, even a simple extra space, will produce a "Reference validation failed".
Try to use the demo of this php-saml toolkit directly and see if you experience the same issue; if not, maybe the problem is in the Laravel integration or in your environment.
SAML Test Connector (IdP w/attr): Along with all the functionality of the basic connector, this version allows additional User Attribute Fields to be passed in the SAML assertion, beyond the 'Email' field contained in the basic test connector.
The most prevalent standard for doing this, providing interoperability between many vendors’ frameworks and multiple languages, is SAML 2.0.
Our initial problem is solved, but it has left me wondering why. ~tommy
SAML responses do not require including the public key for that signature.
Section 5.4.5 of the SAML2 spec states "XML Signature defines usage of the ds:KeyInfo element.
However, because of this, the program can take a minute to run. I know this slowdown can be eliminated with local XSD files, it just is not feasible to do that way with the posted code.
We are building an app that is going to do SSO with Ping Federate using ruby-saml, and I am told that the IdP is emitting valid SAMLv2 responses.