mace-opensaml-users - RE: Question validation certificate chain
- From: "Scott Cantor" <>
- To: <>, <>
- Subject: RE: Question validation certificate chain
- Date: Mon, 31 Oct 2005 22:15:46 -0500
- Organization: The Ohio State University
What you're trying to do is not really OpenSAML, it's implementing "trust",
in the most common sense of the word. There's nothing in the specs to tell
you how to do this, and the library has only minimal hooks for this kind of
thing. All the library does is help evaluate signatures based on a key, it
doesn't know what the key means to your application.
> I do not know if the following line is enough to do what I want:
> // samlResp is a SAMLResponse, and mCertificate the root certificate retrieved from the keystore.
> samlResp.verify(mCertificate);
I doubt it. Root certificates rarely sign assertions, unless you're talking
about self-signed keys. Usually roots validate signing certs and signing
certs are pulled from the assertion directly. Or you use self-signed keys.
> Maybe I have to do it 3 times, one for each certificate in
> the chain. I really do not know.
> Can anyone help me with this please? Does anyone have an
> excerpt of code with such validation of a chain?
As Walter said, Shibboleth contains a trust implementation. It would take me
a book to explain to you how to do all this, and it wouldn't be "right", it
would just be one opinion on it. In general, if you're not sure about how to
do this, you should seriously consider whether you know enough to build a
secure system yourself or should look at using a more packaged solution like
Shibboleth.
-- Scott
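An added example of the flow Scott describes, not code from the thread or from OpenSAML: the signing certificate (and any intermediates) is taken from the assertion's ds:KeyInfo, validated against the roots in the keystore with the JDK's PKIX validator, and only then handed to the same `verify()` call the question shows. The `chainFromKeyInfo` list, `samlResp` and `keystore` are assumed to exist; how you parse KeyInfo is left to the caller.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.List;

public final class AssertionTrust {

    /**
     * chain: the certificates found in the assertion's ds:KeyInfo, end-entity
     * (signing) certificate first, intermediates after it, root NOT included.
     * trustStore: the keystore whose trusted-certificate entries are the roots.
     *
     * Returns the signing certificate once it chains to a trusted root; throws
     * CertPathValidatorException if it does not (unknown CA, expired, bad usage).
     */
    public static X509Certificate trustedSigningCert(List<X509Certificate> chain,
                                                     KeyStore trustStore) throws Exception {
        if (chain == null || chain.isEmpty()) {
            throw new CertPathValidatorException("assertion carries no signing certificate");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        // PKIXParameters(KeyStore) takes every trusted-cert entry as a trust anchor,
        // so the root itself never has to sign the assertion.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // enable CRL/OCSP checking in a real deployment

        CertPathValidator.getInstance("PKIX").validate(path, params);
        return chain.get(0);
    }

    // Usage, with the verify() call from the question (samlResp, keystore and
    // chainFromKeyInfo are assumed to exist):
    //
    //   X509Certificate signer = AssertionTrust.trustedSigningCert(chainFromKeyInfo, keystore);
    //   samlResp.verify(signer);
    //
    // Chain validation only says "some trusted CA vouches for this key"; whether
    // that key belongs to the issuer you expect is still the application's decision.
}
```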