In the redirect case, the Sig Alg and Signature are not within the SAML response XML but come as separate parameters in the redirect.

2) This library does not allow me to verify a self-signed certificate. You need to canonicalize the SignedInfo before validating the signature. Basically, since the same XML can be formatted differently, one needs to validate an XML signature in a canonical format.

You may download the code in this guide from https://github.com/signicat/auth. The Picket Link API provides the org.picketlink.identity.v2.assertion.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. Copyright (c) 2011 IETF Trust and the persons identified as the document authors. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

The suggested pronunciation of JWT is the same as the English word "jot". The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS) and/or encrypted using JSON Web Encryption (JWE). The JWT Claims Set represents a JSON object whose members are the claims conveyed by the JWT. Note, however, that the set of claims that a JWT must contain to be considered valid is context-dependent and is outside the scope of this specification. When used in a security-related context, implementations MUST understand and support all of the claims present; otherwise, the JWT MUST be rejected for processing.

The contents of the JWT Header describe the cryptographic operations applied to the JWT Claims Set. A JWT is represented as the concatenation of the Encoded JWT Header, the JWT Second Part, and the JWT Third Part, in that order, with the parts being separated by period ('.') characters. If the JWT Header is a JWS Header, the claims are signed. When signed, the three parts of the JWT are the three parts of a JWS used to represent the JWT. The bytes of the UTF-8 representation of the JWT Claims Set are signed in the manner described in JSON Web Signature (JWS) [JWS].
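As an added example (not code from the original page or from the JWT draft), the three-part compact serialization described above, produced and verified with only Python's standard library using HMAC-SHA256; the key, the claims and the list of claim names the verifier understands are constructed assumptions, and the last one is how the "MUST understand all claims present" rule is applied here.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and the claim names this verifier understands (assumptions).
KEY = b"constructed-demo-key-do-not-reuse"
KNOWN_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}


def b64url(data: bytes) -> str:
    # JWT parts are base64url encoded without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build Encoded Header '.' Encoded Claims Set '.' Signature (HS256 JWS)."""
    header = {"typ": "JWT", "alg": "HS256"}
    enc_header = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    # The signature covers the UTF-8 bytes of the Claims Set, via its encoded form.
    enc_claims = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{enc_header}.{enc_claims}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_claims}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, known=KNOWN_CLAIMS) -> dict:
    """Return the Claims Set, or raise ValueError if the JWT must be rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS-signed JWT has exactly three period-separated parts")
    enc_header, enc_claims, enc_sig = parts
    header = json.loads(b64url_decode(enc_header))
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm, not the token
        raise ValueError("unexpected alg in JWT Header")
    expected = hmac.new(key, f"{enc_header}.{enc_claims}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(enc_claims).decode("utf-8"))
    unknown = set(claims) - known
    if unknown:  # security-related context: every claim present must be understood
        raise ValueError(f"unsupported claims present: {sorted(unknown)}")
    return claims


def rejects(token: str, key: bytes) -> bool:
    """True if verify_jwt rejects the token (helper for checking failure cases)."""
    try:
        verify_jwt(token, key)
    except ValueError:
        return True
    return False
```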