OpenSAML user discussion

["Pantvaidya, Vishwajit" <>]

________________________________________
From: Brent Putman 
[]
Sent: Friday, March 20, 2009 5:41 PM
To: 

Subject: Re: [OpenSAML] Testing SAML relying party browser post profile

Note that you *can not* simply use the key that is present in the
Signature KeyInfo.  An attacker could substitute their own key there.
You have to validate the signature using trusted information that is
obtained out-of-band, e.g. either the key itself or PKIX trust chains +
trusted name information expected to be bound in the validation cert.

One way to do that out-of-band exchange of key information is with SAML
metadata, which the Shibboleth software pretty much requires and relies
on exclusively.

[Pantvaidya, Vishwajit] Ok thanks - for now I am using the keyinfo without 
all this verification only for testing purposes. Ultimately, I expect to have 
the IdP sender's key beforehand so I will never refer it from the message.

>

Well, if TestShib won't let you do it, then you could stand up your own
IdP for testing purposes, and then you can configure it do whatever you
want.  Also, I'm not sure what attributes the TestShib IdP exposes,
probably some hardcoded things for testing.  If you want specific
attributes and/or values, again you'd probably need to stand up a test
IdP and pull whatever data you want into the attribute resolver.  It's
very flexible - generated attributes, LDAP, RDBMS, transformations of
any of the above, etc.


[Pantvaidya, Vishwajit] About sending AttributeQuery to the IdP that you 
mentioned earlier, is there any existing sample code that I could user to 
jumpstart this. I expect this will be used only when testing using TestShib. 
Finally all other saml responses that I process are expected to send specific 
attributes.