mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key

Subject: OpenSAML user discussion

Re: Classes needed for validating a saml assertion with a public key


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Wed, 16 Jan 2008 11:05:11 +0100
  • Organization: SWITCH

Yep, that sounds right.

If the system is going to see modest load you'll probably want to create some bit of code that reads in the certs from the directory, parses them into their Java objects, caches them and then just occasionally sweeps the directory for new/removed certs. Parsing the certs is a semi-expensive task so you don't necessarily want to be doing that every time you get a new message.

Håkon Sagehaug wrote:
Hi

So the setup currently is this, I've got a directory on a filesystem, not LDAP, that contains all the host certs I trust. When the assertion comes in I want to first check if the public key inside the <ds:X509Cert> can be resolved to one of the certs in my trusted directory. If this clears I will see if the signature validates against the public key from the saml assertion. Is this setup right?

cheers, Håkon

2008/1/15, Scott Cantor <>:

> Is this right? For now I just evaluate the credential against itself for
> testing, which is built from the public key inside the <ds:X509Certificate>
> element in the saml assertion. It returns true so I hope this is right, but
> since it's my first time I wanted some feedback.

I can't tell if you're asking this in the sense of "am I grasping how the classes work" or if you're asking in a business context whether "this is a reasonable thing to do". I always try and emphasize this, so forgive me if you understand this already, but...

NEVER evaluate the signing key against what's inside the message. KeyInfo is a hint about what was used. The trust evaluation MUST compare what was used against a completely separate source of trusted information. In our project, we believe that source should be metadata, but as a developer, you can use anything you feel is appropriate. As long as it's *not* the KeyInfo inside the message.

Again, ignore me if you know all this. But a lot of people don't, and they end up with worthless code.

-- Scott





--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
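One way to build the cached trusted-directory check Chad describes, arranged so that the trust decision is taken against the directory and not against the assertion's own KeyInfo (Scott's point). This is an added example, not code from the thread or from the OpenSAML project; it assumes the OpenSAML 2.x API of that era (the class names and constructors are recalled from memory and are assumptions) and a directory holding one DER- or PEM-encoded X.509 certificate per file.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.*;
import org.opensaml.xml.security.keyinfo.*;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

// Assumed: OpenSAML 2.x class names (from memory); one X.509 certificate per file in trustDir.
public class TrustedDirSignatureCheck {
    private final File trustDir;
    private final long refreshMillis;
    private List<Credential> cache = new ArrayList<Credential>();
    private long lastSweep = 0L;

    public TrustedDirSignatureCheck(File trustDir, long refreshMillis) { this.trustDir = trustDir; this.refreshMillis = refreshMillis; }

    // Parse every cert once and cache the Credential objects; re-sweep only after refreshMillis.
    private synchronized List<Credential> trustedCredentials() throws Exception {
        long now = System.currentTimeMillis();
        if (!cache.isEmpty() && now - lastSweep < refreshMillis) return cache;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Credential> fresh = new ArrayList<Credential>();
        for (File f : trustDir.listFiles()) {
            InputStream in = new FileInputStream(f);
            try {
                BasicX509Credential cred = new BasicX509Credential();
                cred.setEntityCertificate((X509Certificate) cf.generateCertificate(in));
                fresh.add(cred);
            } finally { in.close(); }
        }
        cache = fresh; lastSweep = now;
        return cache;
    }

    // True only if the signature verifies with a key from the trusted directory; KeyInfo is a hint only.
    public boolean isSignedByTrustedHost(Assertion assertion) throws Exception {
        Signature sig = assertion.getSignature();
        if (sig == null) return false;
        new SAMLSignatureProfileValidator().validate(sig); // rejects misplaced/non-enveloped signatures
        KeyInfoProvider hint = new InlineX509DataProvider();
        ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(trustedCredentials()),
                new BasicProviderKeyInfoCredentialResolver(Collections.singletonList(hint)));
        return engine.validate(sig, new CriteriaSet());
    }
}
```

The trust engine resolves the certificate from the assertion's <ds:X509Data> only to select a candidate; the signature is accepted solely when that key matches one of the credentials loaded from the directory, so a message carrying an untrusted certificate in its KeyInfo is rejected.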



