
mace-opensaml-users - RE: [OpenSAML] Testing SAML relying party browser post profile


RE: [OpenSAML] Testing SAML relying party browser post profile


  • From: "Pantvaidya, Vishwajit"
  • Subject: RE: [OpenSAML] Testing SAML relying party browser post profile
  • Date: Fri, 20 Mar 2009 20:47:01 -0700

________________________________________
From: Brent Putman
Sent: Friday, March 20, 2009 5:41 PM
Subject: Re: [OpenSAML] Testing SAML relying party browser post profile

Note that you *can not* simply use the key that is present in the
Signature KeyInfo. An attacker could substitute their own key there.
You have to validate the signature using trusted information that is
obtained out-of-band, e.g. either the key itself or PKIX trust chains +
trusted name information expected to be bound in the validation cert.

One way to do that out-of-band exchange of key information is with SAML
metadata, which the Shibboleth software pretty much requires and relies
on exclusively.

[Pantvaidya, Vishwajit] OK, thanks. For now I am using the KeyInfo without
all this verification, only for testing purposes. Ultimately, I expect to have
the IdP sender's key beforehand, so I will never refer to it from the message.


Well, if TestShib won't let you do it, then you could stand up your own
IdP for testing purposes, and then you can configure it to do whatever you
want. Also, I'm not sure what attributes the TestShib IdP exposes,
probably some hardcoded things for testing. If you want specific
attributes and/or values, again you'd probably need to stand up a test
IdP and pull whatever data you want into the attribute resolver. It's
very flexible - generated attributes, LDAP, RDBMS, transformations of
any of the above, etc.


[Pantvaidya, Vishwajit] About sending an AttributeQuery to the IdP that you
mentioned earlier, is there any existing sample code that I could use to
jump-start this? I expect this will be used only when testing with TestShib.
Finally, all other SAML responses that I process are expected to send specific
attributes.
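The check Brent describes above (verify against a key obtained out of band, never the key carried in the message's own KeyInfo), as an added example that is not from this thread or from the OpenSAML project. It assumes the OpenSAML 2.x API of the period and a PEM file holding the IdP certificate that was exchanged beforehand (e.g. taken from SAML metadata); the path argument is a placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public class PinnedKeyAssertionCheck {
    // Build the trusted credential from the certificate obtained out of band.
    // Nothing here is read from the Response, so a substituted KeyInfo has no effect.
    static BasicX509Credential trustedIdpCredential(String pemPath) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath)) {        // placeholder path
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        BasicX509Credential cred = new BasicX509Credential();       // OpenSAML 2.x constructor
        cred.setEntityCertificate(cert);
        return cred;
    }

    // True only if the Response carries at least one assertion and every assertion
    // is signed, passes the SAML signature profile check and verifies with the pinned key.
    static boolean assertionsVerify(Response response, BasicX509Credential trusted) {
        SAMLSignatureProfileValidator profile = new SAMLSignatureProfileValidator();
        SignatureValidator validator = new SignatureValidator(trusted); // key is ours, not KeyInfo's
        if (response.getAssertions().isEmpty()) return false;
        for (Assertion a : response.getAssertions()) {
            Signature sig = a.getSignature();
            if (sig == null) return false;                // unsigned assertion: reject
            try {
                profile.validate(sig);                    // one Reference, to the enclosing element
                validator.validate(sig);                  // cryptographic check with trusted cert
            } catch (ValidationException e) {
                return false;                             // treat any failure as untrusted
            }
        }
        return true;
    }
}
```

Parse and unmarshal the Response as usual (DefaultBootstrap, a parser pool and the unmarshaller factory), then call assertionsVerify before reading any attribute from it.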

