
mace-opensaml-users - Re: [OpenSAML] Testing SAML relying party browser post profile

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Testing SAML relying party browser post profile
  • Date: Fri, 20 Mar 2009 20:41:01 -0400



Pantvaidya, Vishwajit wrote:
>
>
>
> [Pantvaidya, Vishwajit] Ok thanks. I changed my code to do that. Now as I
> understand, a key in base64binary format should be wrapped in the
> "----BEGIN KEY-----" "--------END KEY-------" signature. The saml I get has
> the key as:
>
>
> How do I load it? Right now I am manually adding the begin key, end key
> wrappers and the signature validation works fine.
>

There are a couple examples of signature verification here:

https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG

There are various helper methods in KeyInfoHelper and SecurityHelper for
translating between representations of keys and the Credential object
used as a key wrapper class in the OpenSAML API.

Note that you *cannot* simply use the key that is present in the
Signature KeyInfo. An attacker could substitute their own key there.
You have to validate the signature using trusted information that is
obtained out-of-band, e.g. either the key itself or PKIX trust chains +
trusted name information expected to be bound in the validation cert.

One way to do that out-of-band exchange of key information is with SAML
metadata, which the Shibboleth software pretty much requires and relies
on exclusively.


>
> [Pantvaidya, Vishwajit] Ok thanks. If the request is https, this should be
> fine right?
Well, even if browser communication with both the IdP and SP is https,
it's still unencrypted in the browser, and might be left lying around in
browser cache or history. Many consider that undesirable, some do not.
We leave it up to the deployer in Shibboleth to decide, but default to
it not being fine.


> Anyway, if TestShib does not do it, I would need to figure out another way
> of doing it.
>

Well, if TestShib won't let you do it, then you could stand up your own
IdP for testing purposes, and then you can configure it to do whatever you
want. Also, I'm not sure what attributes the TestShib IdP exposes,
probably some hardcoded things for testing. If you want specific
attributes and/or values, again you'd probably need to stand up a test
IdP and pull whatever data you want into the attribute resolver. It's
very flexible - generated attributes, LDAP, RDBMS, transformations of
any of the above, etc.
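The following is an added example, not code from this thread or from the OpenSAML project, showing the point made in the reply above with the OpenSAML 2.x Java API: the incoming message's own ds:KeyInfo is only parsed, never trusted, and the signature is validated with an ExplicitKeySignatureTrustEngine whose trusted keys come from out-of-band material, either a single certificate or a locally stored SAML metadata file. It also answers the loading question from the quoted mail: SecurityHelper.buildJavaX509Cert takes the bare base64 DER string, so no BEGIN/END wrapper lines are needed (SecurityHelper.buildJavaRSAPublicKey does the same for a bare RSA key). The class name TrustedSignatureCheck, the certificate string passed to explicitKeyEngine, the file name idp-metadata.xml and the command-line handling in main are assumptions made for this example.

```java
// Added example (not from the original thread or the OpenSAML project).
// Verifies a SAML 2.0 Response signature against out-of-band trusted keys
// using OpenSAML 2.x. Assumes the class name, the metadata file name and
// the argument handling in main(); nothing here is taken from the page.
import java.io.File;
import java.io.FileInputStream;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.CredentialResolver;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.w3c.dom.Element;

public class TrustedSignatureCheck {

    /** Reads whatever key the *message* claims; used for matching only, never as the trust root. */
    private static KeyInfoCredentialResolver keyInfoResolver() {
        List<KeyInfoProvider> providers = Arrays.asList(
                (KeyInfoProvider) new RSAKeyValueProvider(),
                (KeyInfoProvider) new InlineX509DataProvider());
        return new BasicProviderKeyInfoCredentialResolver(providers);
    }

    /** Trust root option 1: one signing certificate exchanged out-of-band (bare base64 DER, no PEM wrapper). */
    static SignatureTrustEngine explicitKeyEngine(String trustedCertBase64) throws Exception {
        X509Certificate cert = SecurityHelper.buildJavaX509Cert(trustedCertBase64);
        Credential trusted = SecurityHelper.getSimpleCredential(cert, null);
        CredentialResolver trustedKeys = new StaticCredentialResolver(trusted);
        return new ExplicitKeySignatureTrustEngine(trustedKeys, keyInfoResolver());
    }

    /** Trust root option 2: the IdP's signing keys as published in locally stored SAML metadata. */
    static SignatureTrustEngine metadataEngine(File metadataFile) throws Exception {
        FilesystemMetadataProvider mdp = new FilesystemMetadataProvider(metadataFile);
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        mdp.setParserPool(pool);
        mdp.setRequireValidMetadata(true);   // refuse keys from expired metadata
        mdp.initialize();
        CredentialResolver metadataKeys = new MetadataCredentialResolver(mdp);
        return new ExplicitKeySignatureTrustEngine(metadataKeys, keyInfoResolver());
    }

    /** True only if the signature validates under a key resolved from the trust root for the Issuer. */
    static boolean verify(Response response, SignatureTrustEngine engine) throws Exception {
        Signature sig = response.getSignature();
        if (sig == null) {
            return false;                    // unsigned message: never accept
        }
        // Enforce the SAML signature profile before any crypto: enveloped signature,
        // a single reference to the signed element's own ID, no exotic transforms.
        new SAMLSignatureProfileValidator().validate(sig);

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(response.getIssuer().getValue()));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                "urn:oasis:names:tc:SAML:2.0:protocol"));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return engine.validate(sig, criteria);
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        // args[0]: file holding the decoded SAMLResponse XML (assumption for this example)
        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);
        Element root = parser.parse(new FileInputStream(args[0])).getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Response response = (Response) um.unmarshall(root);

        SignatureTrustEngine engine = metadataEngine(new File("idp-metadata.xml"));
        System.out.println("signature trusted: " + verify(response, engine));
    }
}
```

The KeyInfoCredentialResolver only lets the engine pick which trusted credential to compare against; if the key in ds:KeyInfo is not one of the resolved trusted keys the validation fails, which is exactly the substitution case the reply warns about. For the PKIX alternative mentioned in the reply, swap ExplicitKeySignatureTrustEngine for PKIXSignatureTrustEngine with a resolver for your trust anchors plus trusted-name matching; the profile check and the Issuer-based criteria stay the same. Signature validity is only one check: the Response's Destination, InResponseTo, Conditions and Assertion signatures still need their own validation before any attribute is used.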



