OpenSAML user discussion

[Chad La Joie <>]

I wouldn't try to use the API right now.  It's in the final bit of 
refactoring and when we're finished we'll update the documentation on 
the site.

I will warn you though that it won't be as intuitive as the rest of the 
library.  We've tried to rationalize some of the insanity in the XML 
signature and encryption specs but they're pretty umm...  robust?  crazy 
complicated? and the code can't hide all of that.

Good to hear the rest of the library is intuitive though.  :)

Mike Mattozzi wrote:
> Is the PKIXX509EntityCredentialTrustEngine or the
> BasicSignatureTrustEngine functional yet? I'm a little confused about
> how to get started with trust engines and the concept of
> CredentialCriteria. Are there any examples of how to use this to
> verify a signed saml assertion?
>
> As you might guess, I'm new to opensaml and I find the api for
> marshalling and unmarshalling assertions along with walking through
> the elements of the assertion to be quite intuitive... but I'm a
> little confused about the best way to take the next step to start
> acting on the key data and Action information contained within. I'm
> assuming there's better methods than writing my own code to pull down
> public keys and use the signaturevalidator?
>
> Appreciate the help, Mike
>
> On 6/4/07, Mike Klein 
> <>
>  wrote:
> > There is wiki page for this.
> >
> > https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG
> >
> >
> >
> > Mike Mattozzi wrote:
> > > Hi,
> > >
> > > What would be the equivalent of this in OpenSAML 2.0?
> > >
> > > thanks, Mike
> > >
> > > -----Original Message-----
> > > # From: "George Stanchev" < 
> > >
> > > # To: < 
> > >
> > > # Subject: RE: Verify a SAML token
> > > # Date: Thu, 24 May 2007 14:59:54 -0700
> > > # Thread-index: AceeRDGX5egc6jTaRt6JVDpdin4gwQAAxjCQ
> > > # Thread-topic: Verify a SAML token
> > >
> > > I assume you are talking about verfiy() not validate() in 
> > OpenSAML1.1...
> > >
> > > In openSAML1.1, you have
> > > to manually pull the signature signing matherial (either
> > > public key or X509 certificate) and compare it yourself
> > > against the STS public key you have stored locally.
> > >
> > > You can use asserion.getX509Certificates() to extract
> > > the signing materials. If the signature contains a public key,
> > > it's a bit more complicated. OpenSAML1.1 uses XML-Security
> > > as underlying XML PKI engine and you can get a hold of the
> > > native object and work with it directly:
> > >
> > > Object sigObj = assertion.getNativeSignature();
> > > if (sigObj instanceof XMLSignature) {
> > > XMLSignature sig = (XMLSignature) sigObj;
> > > KeyInfo ki = sig.getKeyInfo();
> > > if (ki != null) {
> > > PublicKey pk = null;
> > > try {
> > > pk = ki.getPublicKey();
> > > } catch (KeyResolverException e) {
> > > ...
> > >
> > > Once you have the public keys, you can compare directly or
> > > walk up the certificate chain you have locally.
> > >
> > > Best Regards,
> > > George

--
Chad La Joie             2052-C Harris Bldg
OIS-Middleware           202.687.0124