
mace-opensaml-users - Re: Verify a SAML token

Subject: OpenSAML user discussion


Re: Verify a SAML token


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Verify a SAML token
  • Date: Tue, 05 Jun 2007 17:13:02 -0400
  • Organization: OIS - Middleware

I wouldn't try to use the API right now. It's in the final bit of refactoring and when we're finished we'll update the documentation on the site.

I will warn you though that it won't be as intuitive as the rest of the library. We've tried to rationalize some of the insanity in the XML signature and encryption specs but they're pretty umm... robust? crazy complicated? and the code can't hide all of that.

Good to hear the rest of the library is intuitive though. :)

Mike Mattozzi wrote:
Is the PKIXX509EntityCredentialTrustEngine or the
BasicSignatureTrustEngine functional yet? I'm a little confused about
how to get started with trust engines and the concept of
CredentialCriteria. Are there any examples of how to use this to
verify a signed saml assertion?

As you might guess, I'm new to opensaml and I find the api for
marshalling and unmarshalling assertions along with walking through
the elements of the assertion to be quite intuitive... but I'm a
little confused about the best way to take the next step to start
acting on the key data and Action information contained within. I'm
assuming there's better methods than writing my own code to pull down
public keys and use the signaturevalidator?

Appreciate the help, Mike

On 6/4/07, Mike Klein <> wrote:
There is a wiki page for this.

https://spaces.internet2.edu/display/SHIB/OSTwoUserManJavaDSIG



Mike Mattozzi wrote:
> Hi,
>
> What would be the equivalent of this in OpenSAML 2.0?
>
> thanks, Mike
>
> -----Original Message-----
> # From: "George Stanchev" <
>
> # To: <
>
> # Subject: RE: Verify a SAML token
> # Date: Thu, 24 May 2007 14:59:54 -0700
> # Thread-index: AceeRDGX5egc6jTaRt6JVDpdin4gwQAAxjCQ
> # Thread-topic: Verify a SAML token
>
> I assume you are talking about verify() not validate() in OpenSAML1.1...
>
> In openSAML1.1, you have
> to manually pull the signature signing material (either
> public key or X509 certificate) and compare it yourself
> against the STS public key you have stored locally.
>
> You can use assertion.getX509Certificates() to extract
> the signing materials. If the signature contains a public key,
> it's a bit more complicated. OpenSAML1.1 uses XML-Security
> as underlying XML PKI engine and you can get a hold of the
> native object and work with it directly:
>
> import java.security.PublicKey;
> import org.apache.xml.security.keys.KeyInfo;
> import org.apache.xml.security.keys.keyresolver.KeyResolverException;
> import org.apache.xml.security.signature.XMLSignature;
>
> // Native XML-Security signature object behind the OpenSAML 1.1 assertion
> Object sigObj = assertion.getNativeSignature();
> if (sigObj instanceof XMLSignature) {
>     XMLSignature sig = (XMLSignature) sigObj;
>     KeyInfo ki = sig.getKeyInfo();
>     if (ki != null) {
>         PublicKey pk = null;
>         try {
>             pk = ki.getPublicKey();   // resolves a KeyValue or certificate held in KeyInfo
>         } catch (KeyResolverException e) {
>             ...
>         }
>     }
> }
>
> Once you have the public keys, you can compare directly or
> walk up the certificate chain you have locally.
>
> Best Regards,
> George


--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
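As an added illustration, not code from this thread or from OpenSAML: the comparison step George describes, written in Python against a constructed SAML 1.1 assertion. It assumes the XML signature itself has already been cryptographically checked by the signing library and shows only the trust decision that the library does not make for you: pull the X509Certificate or RSA KeyValue out of ds:KeyInfo and accept the token only when that material equals what is pinned locally for the STS (all sample certificates, keys and element names below are constructed).

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSIG namespace of ds:Signature

def _b64(node):  # libraries line-wrap X509Certificate/Modulus text; strip whitespace first
    return base64.b64decode("".join(node.text.split())) if node is not None and node.text else b""

def extract_key_material(assertion_xml):
    """Return (certs, rsa_keys) from the assertion-level ds:KeyInfo, or None if unsigned.
    certs: DER byte strings; rsa_keys: (modulus, exponent) byte tuples."""
    root = ET.fromstring(assertion_xml)
    sig = root.find(DS + "Signature")  # only a direct child is the assertion's own signature
    if sig is None:
        return None
    key_info = sig.find(DS + "KeyInfo")
    if key_info is None:
        return [], []  # signed, but carries no key material at all
    certs = [_b64(c) for c in key_info.iter(DS + "X509Certificate")]
    rsa_keys = [(_b64(k.find(DS + "Modulus")), _b64(k.find(DS + "Exponent")))
                for k in key_info.iter(DS + "RSAKeyValue")]
    return certs, rsa_keys

def signed_by_trusted_sts(assertion_xml, trusted_certs, trusted_rsa_keys=frozenset()):
    """Embedded KeyInfo is chosen by whoever built the token, so it is accepted only when
    it equals material pinned locally for the STS; anything else is untrusted."""
    material = extract_key_material(assertion_xml)
    if material is None:
        return False
    certs, rsa_keys = material
    return any(c in trusted_certs for c in certs) or any(k in trusted_rsa_keys for k in rsa_keys)

# Constructed sample data: stand-ins for DER bytes and RSA parameters, not real keys.
STS_CERT_DER = b"constructed DER of the STS signing certificate"
OTHER_CERT_DER = b"constructed DER of an unrelated certificate"
STS_MODULUS, STS_EXPONENT = b"constructed RSA modulus", b"\x01\x00\x01"

def x509_key_info(der):
    b64 = base64.b64encode(der).decode()
    mid = len(b64) // 2  # split across lines the way real signers emit it
    return f"<ds:X509Data><ds:X509Certificate>\n {b64[:mid]}\n {b64[mid:]}\n</ds:X509Certificate></ds:X509Data>"

def rsa_key_info(modulus, exponent):
    m, e = (base64.b64encode(v).decode() for v in (modulus, exponent))
    return f"<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{m}</ds:Modulus><ds:Exponent>{e}</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>"

def signed_assertion(key_info_inner):  # minimal SAML 1.1 assertion with an enveloped signature
    return ('<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><ds:Signature xmlns:ds='
            '"http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>c2ln'
            f'</ds:SignatureValue><ds:KeyInfo>{key_info_inner}</ds:KeyInfo></ds:Signature></Assertion>')
```

A token whose signature verifies but whose KeyInfo holds an unpinned certificate is rejected, which is the case the manual OpenSAML 1.1 flow has to guard against.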


