OpenSAML user discussion

[Mike Klein <>]

There is wiki page for this.

https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG



Mike Mattozzi wrote:
> Hi,
>
> What would be the equivalent of this in OpenSAML 2.0?
>
> thanks, Mike
>
> -----Original Message-----
> # From: "George Stanchev" < 
> >
> # To: < 
> >
> # Subject: RE: Verify a SAML token
> # Date: Thu, 24 May 2007 14:59:54 -0700
> # Thread-index: AceeRDGX5egc6jTaRt6JVDpdin4gwQAAxjCQ
> # Thread-topic: Verify a SAML token
>
> I assume you are talking about verfiy() not validate() in OpenSAML1.1...
>
> In openSAML1.1, you have
> to manually pull the signature signing matherial (either
> public key or X509 certificate) and compare it yourself
> against the STS public key you have stored locally.
>
> You can use asserion.getX509Certificates() to extract
> the signing materials. If the signature contains a public key,
> it's a bit more complicated. OpenSAML1.1 uses XML-Security
> as underlying XML PKI engine and you can get a hold of the
> native object and work with it directly:
>
> Object sigObj = assertion.getNativeSignature();
> if (sigObj instanceof XMLSignature) {
> XMLSignature sig = (XMLSignature) sigObj;
> KeyInfo ki = sig.getKeyInfo();
> if (ki != null) {
> PublicKey pk = null;
> try {
> pk = ki.getPublicKey();
> } catch (KeyResolverException e) {
> ...
>
> Once you have the public keys, you can compare directly or
> walk up the certificate chain you have locally.
>
> Best Regards,
> George