OpenSAML user discussion

["George Stanchev" <>]

I assume you are talking about verfiy() not validate() in OpenSAML1.1...

In openSAML1.1, you have
to manually pull the signature signing matherial (either
public key or X509 certificate) and compare it yourself
against the STS public key you have stored locally.

You can use asserion.getX509Certificates() to extract
the signing materials. If the signature contains a public key,
it's a bit more complicated. OpenSAML1.1 uses XML-Security
as underlying XML PKI engine and you can get a hold of the 
native object and work with it directly:

Object sigObj = assertion.getNativeSignature();
if (sigObj instanceof XMLSignature) {
  XMLSignature sig = (XMLSignature) sigObj;
     KeyInfo ki = sig.getKeyInfo();
     if (ki != null) {
       PublicKey pk = null;
       try {
          pk = ki.getPublicKey();
       } catch (KeyResolverException e) {
...

Once you have the public keys, you can compare directly or
walk up the certificate chain you have locally.

Best Regards,
George

-----Original Message-----
From: Tom Dinkelaker 
[mailto:]
 
Sent: Thursday, May 24, 2007 2:43 PM
To: 

Subject: Verify a SAML token

Hi,

I would like to check a SAML token with OpenSAML.
I assume that the token complies with the SAML specs and so I have to
check the signatures of the STS and so on.

I there a convenient way to use OpenSAML to verify the SAML token.
SAMLAssertion.validate() seems only to check XML characteristics.
Do you know a tutroial?

Thank you
Yours, Tom Dinkelaker

**********************************************************************
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
Any unauthorized review, use, disclosure or distribution is prohibited. If 
you are not the intended recipient, please contact the sender by reply e-mail 
and destroy all copies of the original message. 
**********************************************************************