
mace-opensaml-users - RE: Verify a SAML token

Subject: OpenSAML user discussion


RE: Verify a SAML token


  • From: "George Stanchev" <>
  • To: <>
  • Subject: RE: Verify a SAML token
  • Date: Thu, 24 May 2007 14:59:54 -0700

I assume you are talking about verify() not validate() in OpenSAML 1.1...

In OpenSAML 1.1, you have
to manually pull the signature signing material (either
public key or X509 certificate) and compare it yourself
against the STS public key you have stored locally.

You can use assertion.getX509Certificates() to extract
the signing materials. If the signature contains a public key,
it's a bit more complicated. OpenSAML 1.1 uses XML-Security
as underlying XML PKI engine and you can get a hold of the
native object and work with it directly:

import java.security.PublicKey;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.signature.XMLSignature;

// assertion is the org.opensaml.SAMLAssertion being verified
Object sigObj = assertion.getNativeSignature();
if (sigObj instanceof XMLSignature) {
    XMLSignature sig = (XMLSignature) sigObj;
    KeyInfo ki = sig.getKeyInfo();          // ds:KeyInfo carried in the token, may be absent
    if (ki != null) {
        PublicKey pk = null;
        try {
            pk = ki.getPublicKey();         // resolves KeyValue / X509Data to a PublicKey
        } catch (KeyResolverException e) {
            ...
        }
    }
}

Once you have the public keys, you can compare directly or
walk up the certificate chain you have locally.

Best Regards,
George

-----Original Message-----
From: Tom Dinkelaker
[mailto:]

Sent: Thursday, May 24, 2007 2:43 PM
To:

Subject: Verify a SAML token

Hi,

I would like to check a SAML token with OpenSAML.
I assume that the token complies with the SAML specs and so I have to
check the signatures of the STS and so on.

Is there a convenient way to use OpenSAML to verify the SAML token?
SAMLAssertion.validate() seems only to check XML characteristics.
Do you know a tutorial?

Thank you
Yours, Tom Dinkelaker

**********************************************************************
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Any unauthorized review, use, disclosure or distribution is prohibited. If
you are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message.
**********************************************************************
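The approach George describes, pulled together as one added example (this is not code from the thread or from the OpenSAML project): the key material embedded in the token's ds:KeyInfo is only used as a consistency check, and the signature is then verified with the STS key pinned locally, so a token that carries its own attacker-chosen key never becomes trusted. The OpenSAML 1.1 calls isSigned(), getX509Certificates() and verify(Key), and the Apache XML-Security calls getKeyInfo() and getPublicKey(), are used as I remember the 1.1 API; the class name StsAssertionVerifier and the way the trusted key is supplied are assumptions.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;

import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;

// Added example, not part of the original thread. Verifies an OpenSAML 1.1
// assertion against a locally pinned STS public key (assumed to be loaded
// from the relying party's own keystore by the caller).
public final class StsAssertionVerifier {

    private final PublicKey trustedStsKey;

    public StsAssertionVerifier(PublicKey trustedStsKey) {
        this.trustedStsKey = trustedStsKey;
    }

    // Returns the public key the token itself claims was used for signing,
    // or null when the signature carries no usable KeyInfo. Certificates are
    // tried first because OpenSAML 1.1 exposes them directly; a bare KeyValue
    // is resolved through the underlying Apache XML-Security object.
    static PublicKey embeddedSigningKey(SAMLAssertion assertion) throws SAMLException {
        Iterator certs = assertion.getX509Certificates();
        if (certs != null && certs.hasNext()) {
            return ((X509Certificate) certs.next()).getPublicKey();
        }
        Object sigObj = assertion.getNativeSignature();
        if (sigObj instanceof XMLSignature) {
            KeyInfo ki = ((XMLSignature) sigObj).getKeyInfo();
            if (ki != null) {
                try {
                    return ki.getPublicKey();
                } catch (KeyResolverException e) {
                    return null; // unresolvable KeyInfo is treated as "none present"
                }
            }
        }
        return null;
    }

    // The trust decision rests entirely on trustedStsKey: the embedded key is
    // compared by encoded form so a token advertising a different key is
    // rejected early, and the cryptographic check never uses the token's key.
    public boolean verify(SAMLAssertion assertion) {
        if (!assertion.isSigned()) {
            return false;
        }
        try {
            PublicKey embedded = embeddedSigningKey(assertion);
            if (embedded != null
                    && !Arrays.equals(embedded.getEncoded(), trustedStsKey.getEncoded())) {
                return false;
            }
            assertion.verify(trustedStsKey); // throws SAMLException on a bad signature
            return true;
        } catch (SAMLException e) {
            return false;
        }
    }
}
```

Calling verify(trustedStsKey) rather than the no-argument verify() is the point of the whole exercise: the no-argument form resolves the key from the token's own KeyInfo, which proves only that the token is self-consistent, not that the STS issued it.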



