mace-opensaml-users - Re: Classes needed for validating a saml assertion with a public key

Subject: OpenSAML user discussion

  • From: "Håkon Sagehaug" <>
  • Subject: Re: Classes needed for validating a saml assertion with a public key
  • Date: Wed, 16 Jan 2008 11:13:46 +0100

Hi

Good to hear. One more question: is the base64-encoded value of the certificate which is in the <X509Certificate> element the same as the public key of the certificate?

cheers, Håkon

2008/1/16, Chad La Joie <>:
Yep, that sounds right.

If the system is going to see modest load you'll probably want to create
some bit of code that reads in the certs from the directory, parses them
into their Java objects, caches them and then just occasionally sweeps
the directory for new/removed certs.  Parsing the certs is a
semi-expensive task so you don't necessarily want to be doing that every
time you get a new message.

Håkon Sagehaug wrote:
> Hi
>
> So the setup currently is this, I've got a directory on a filesystem,
> not LDAP, that contains all the host certs I trust. When the assertion
> comes in I want to first check if the public key inside the
> <ds:X509Cert> can be resolved to one of the certs in my trusted
> directory. If this clears I will see if the signature validates against
> the public key from the saml assertion. Is this setup right?
>
> cheers, Håkon
>
> 2008/1/15, Scott Cantor < <mailto:>>:
>
>      > Is this right? For now I just evaluate the credential against
>      > itself for testing, which is built from the public key inside the
>      > <ds:X509Certificate> element in the saml assertion, it returns true
>      > so I hope this is right, but since it's my first time I wanted some
>      > feedback
>
>     I can't tell if you're asking this in the sense of "am I grasping
>     how the
>     classes work" or if you're asking in a business context whether
>     "this is a
>     reasonable thing to do". I always try and emphasize this, so forgive
>     me if
>     you understand this already, but...
>
>     NEVER evaluate the signing key against what's inside the message.
>     KeyInfo is
>     a hint about what was used. The trust evaluation MUST compare what
>     was used
>     against a completely separate source of trusted information. In our
>     project,
>     we believe that source should be metadata, but as a developer, you
>     can use
>     anything you feel is appropriate. As long as it's *not* the KeyInfo
>     inside
>     the message.
>
>     Again, ignore me if you know all this. But a lot of people don't,
>     and they
>     end up with worthless code.
>
>     -- Scott
>
> --
> Håkon Sagehaug
> Research Assistant
> Parallab
> Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch

--
Håkon Sagehaug
Research Assistant
Parallab
Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
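The thread makes two points worth seeing in code: Scott's rule that the certificate in KeyInfo is only a hint and the signing key must be matched against a separate trust source, and Chad's suggestion to parse the trusted directory once and cache it. It also answers Håkon's last question: the X509Certificate element carries the whole DER certificate, and the public key is the SubjectPublicKeyInfo embedded in it. The following is an added illustration written for this archive page, not OpenSAML code and not from anyone in the thread; it uses Go's standard library rather than the OpenSAML Java API so that it runs stand-alone, and the trust directory, certificates and assertion bytes are constructed on the fly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// TrustStore caches the certificates found in a directory, keyed by the
// SHA-256 of their SubjectPublicKeyInfo. The directory is re-read only when
// the cache is older than sweepEvery, so certificates are not parsed on
// every incoming message.
type TrustStore struct {
	dir        string
	sweepEvery time.Duration
	mu         sync.Mutex
	lastSweep  time.Time
	byKey      map[[32]byte]*x509.Certificate
}

func NewTrustStore(dir string, sweepEvery time.Duration) *TrustStore {
	return &TrustStore{dir: dir, sweepEvery: sweepEvery}
}

// sweep parses every DER file in the directory into its Go object.
func (s *TrustStore) sweep() error {
	entries, err := os.ReadDir(s.dir)
	if err != nil {
		return err
	}
	fresh := make(map[[32]byte]*x509.Certificate)
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		der, err := os.ReadFile(filepath.Join(s.dir, e.Name()))
		if err != nil {
			return err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			continue // not a DER certificate; ignore the file
		}
		fresh[sha256.Sum256(cert.RawSubjectPublicKeyInfo)] = cert
	}
	s.byKey, s.lastSweep = fresh, time.Now()
	return nil
}

// Lookup returns the trusted certificate whose public key equals spki.
func (s *TrustStore) Lookup(spki []byte) (*x509.Certificate, bool, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if time.Since(s.lastSweep) > s.sweepEvery {
		if err := s.sweep(); err != nil {
			return nil, false, err
		}
	}
	c, ok := s.byKey[sha256.Sum256(spki)]
	return c, ok, nil
}

// PublicKeyFromX509Certificate decodes a <ds:X509Certificate> value and
// returns the SubjectPublicKeyInfo it contains next to the full certificate
// DER: the two are different byte strings.
func PublicKeyFromX509Certificate(keyInfoB64 string) (spki, certDER []byte, err error) {
	certDER, err = base64.StdEncoding.DecodeString(keyInfoB64)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, nil, err
	}
	return c.RawSubjectPublicKeyInfo, certDER, nil
}

// VerifySignedAssertion uses the KeyInfo certificate only to locate the
// matching entry in the trust store; the signature is then checked with the
// trusted copy's key, never with the key the message supplied.
func VerifySignedAssertion(store *TrustStore, keyInfoB64 string, signed, sig []byte) error {
	spki, _, err := PublicKeyFromX509Certificate(keyInfoB64)
	if err != nil {
		return err
	}
	trusted, ok, err := store.Lookup(spki)
	if err != nil {
		return err
	}
	if !ok {
		return errors.New("signing key is not in the trusted directory")
	}
	return trusted.CheckSignature(x509.SHA256WithRSA, signed, sig)
}

// newSelfSigned builds a throwaway RSA certificate (constructed test data).
func newSelfSigned(cn string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}

func sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// Demo returns (trusted signer accepted, untrusted signer rejected). The
// "rogue" message carries its own certificate in KeyInfo and its signature
// is valid against that certificate, which is exactly the case that must
// fail once the key is compared with the trusted directory.
func Demo() (bool, bool, error) {
	dir, err := os.MkdirTemp("", "trusted-certs")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	goodDER, goodKey, err := newSelfSigned("trusted-host")
	if err != nil {
		return false, false, err
	}
	if err := os.WriteFile(filepath.Join(dir, "trusted-host.cer"), goodDER, 0o600); err != nil {
		return false, false, err
	}
	rogueDER, rogueKey, err := newSelfSigned("rogue-host")
	if err != nil {
		return false, false, err
	}
	store := NewTrustStore(dir, 5*time.Minute)
	assertion := []byte("<saml:Assertion>constructed sample</saml:Assertion>")
	goodSig, _ := sign(goodKey, assertion)
	rogueSig, _ := sign(rogueKey, assertion)
	b64 := base64.StdEncoding.EncodeToString
	accepted := VerifySignedAssertion(store, b64(goodDER), assertion, goodSig) == nil
	rejected := VerifySignedAssertion(store, b64(rogueDER), assertion, rogueSig) != nil
	return accepted, rejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

The lookup is keyed on the public key rather than on the whole certificate, which is what Håkon's setup needs: a rotated or re-issued certificate for the same host key still matches, while a key that never entered the directory cannot be made trusted by anything the message itself carries.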
