
mace-opensaml-users - RE: exception creating CredentialResolver (C++)

Subject: OpenSAML user discussion


RE: exception creating CredentialResolver (C++)


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: exception creating CredentialResolver (C++)
  • Date: Fri, 2 Nov 2007 15:48:34 -0400
  • Organization: The Ohio State University

> I'm having some difficulty with signature validation. If I understand the
> code correctly, validation of the signature in a SAML response is done via
> a SignatureValidator which requires that its Credential be set. A
> Credential is obtained via a CredentialResolver.

That's the brute force technique, yes. The indirect method is with a
TrustEngine, but you have to supply a CredentialResolver there as well; it's
just usually not a file system-backed source of one credential.

> I'm attempting to create
> a CredentialResolver using the same code found in the buildSimpleResolver
> function in samlsign.cpp. In my case, the parameter that I pass in is the
> cert parameter which, I assume, is the value of the IdP's X509
> Certificate.

The file resolver has a number of alternative shortcuts along with the
formal syntax, one of which is an element (doesn't matter what) with an XML
attribute certificate="pathtocert".

> However, I'm getting an exception when I try to create the
> CredentialResolver

Ok, but you didn't say what the exception is.

> I tried adding XMLToolingConfig::getConfig().init(), but that wasn't the
> issue.

Well, it certainly is one issue; you can't possibly make it work without
that step.

> 1) Is this the proper approach?

It sort of looks like you're trying to implement SAML response processing,
in which case you don't need any of this stuff: you need to use the POST
binding MessageDecoder, a SecurityPolicy, and a TrustEngine probably based
on SAML metadata. What you're doing is far too brute force to be useful in a
SAML context; it would be a toy.

> 2) Any ideas on what am I not doing correctly in creating the
> CredentialResolver?

Not without the exception and/or logging.

-- Scott
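As an added illustration (not part of Scott's message, and not taken from the OpenSAML or xmltooling sources), here are the two spellings of a file-backed CredentialResolver configuration as I understand the resolver accepts them: the attribute shortcut Scott mentions, and the longer element form. The element name in the shortcut, the file paths, and the child-element names of the longer form are my assumptions. Only a certificate is supplied, because verifying an IdP signature needs no private key; a resolver built from either fragment must be created after XMLToolingConfig::getConfig().init() has run.

```xml
<!-- Added example, not from the original message. Shortcut form: the element
     name is arbitrary; only the certificate= attribute is read. The path is a
     placeholder. The type="File" attribute is how a Shibboleth-style config file
     selects the filesystem plugin; when calling newPlugin() directly from C++ the
     plugin type is passed as the first argument instead. -->
<CredentialResolver type="File" certificate="/etc/opensaml/idp-cert.pem"/>

<!-- Longer form (child-element names assumed from the documented xmltooling
     syntax). A <Key> block with its own <Path> is only needed when this
     resolver must also sign or decrypt, which verification does not require. -->
<CredentialResolver type="File">
    <Certificate>
        <Path>/etc/opensaml/idp-cert.pem</Path>
    </Certificate>
</CredentialResolver>
```

Whichever form is used, the cert file must contain the IdP's signing certificate, not the SP's own; if the wrong one is loaded, SignatureValidator will fail on every response, which is easy to mistake for a resolver-construction problem.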




