
mace-opensaml-users - [OpenSAML] Using metadata provided from elsewhere to validate signatures

[OpenSAML] Using metadata provided from elsewhere to validate signatures

  • From: Michael Kjorling <>
  • Subject: [OpenSAML] Using metadata provided from elsewhere to validate signatures
  • Date: Thu, 20 Jan 2011 14:06:07 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello to all from a new subscriber.

I am working on an application which uses OpenSAML 2.3.1 to process
SAML XML input. I have got to the point that I want to validate the
authenticity of the signed Response (in this case) using the remote
party's metadata.

However, I can't seem to get it to work properly. The web site points
me down the path towards MetadataProvider, and after some looking
around, I settled for HTTPMetadataProvider, which should largely do
what I want. I have added code to determine the issuer of the response
and to map this to a metadata URL, but when I try to feed this into an
instance of HTTPMetadataProvider, what I get back is a
NullPointerException in HTTPMetadataProvider.getMetadata(),
specifically on the line "if (mdExpirationTime.isBeforeNow())". As far
as I can tell, mdExpirationTime is set only inside refreshMetadata(),
which is called from within that if() block. That clearly does not
seem quite right.

So, my question is twofold:

1. Can someone point me to a complete, working example of verifying
the signature on a Response instance using a key obtained from a known
metadata HTTP/HTTPS URL? This would be ideal.

2. Failing (1), can someone point me in the right direction for
providing metadata from some other source? I looked at subclassing
AbstractMetadataProvider and implementing getMetadata(), but couldn't
seem to get it to work. It probably doesn't really help that I am
currently more used to C#.NET than to Java. I have a function that
goes via java.net.URL#openStream(), through DocumentBuilder#parse() to
org.w3c.dom.Element and finally unmarshalls into an EntityDescriptor,
which as far as I can tell is pretty much working the way it should,
but it brought me no closer to an implementation satisfying the
AbstractMetadataProvider#getMetadata() contract.

It seems like I am probably missing something simple, particularly
with regards to the usage of HTTPMetadataProvider, but I've been
beating my head against this for a while now with little progress. So,
any insight from those more familiar with both the library and Java
would be greatly appreciated.

- --
Michael Kjörling ..

.. http://michael.kjorling.se
* ..... No bird soars too high if he soars with his own wings ..... *
* ENCRYPTED email preferred -- OpenPGP keys: 0x32D6B8C6, 0xBDE9ADA6 *
* ASCII Ribbon Campaign: Against HTML mail, proprietary attachments *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNOEFPdY+HSb3praYRAp2WAJ99P64elIF6TAhDI1lUGiemQeK7HgCggeFV
+ZIZyQyDuLFw2Yhxnz+RGtE=
=KFs+
-----END PGP SIGNATURE-----
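Added example, not code from the post above or from the OpenSAML project, written against the OpenSAML 2.3.x API as I recall it. It covers both questions: metadata from a known HTTP/HTTPS URL via HTTPMetadataProvider (which, in 2.3.x, must be given a parser pool and then have initialize() called before getMetadata() is usable, which is the usual cause of the mdExpirationTime NullPointerException described above), metadata from an already-parsed DOM Element via DOMMetadataProvider (no need to subclass AbstractMetadataProvider), and signature verification of a Response against the issuer's signing key taken from that metadata with ExplicitKeySignatureTrustEngine. The metadata URL, the file the Response is read from, the 5000 ms timeout and the class/method names of the wrapper are assumptions for illustration; the OpenSAML class names are real.

```java
import java.io.FileInputStream;
import java.io.InputStream;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.w3c.dom.Element;

/** Hypothetical wrapper class (example only); verifies a signed saml2p:Response against metadata. */
public class ResponseSignatureCheck {

    private final BasicParserPool parserPool;

    public ResponseSignatureCheck() throws Exception {
        DefaultBootstrap.bootstrap(); // registers builders/unmarshallers and the global security config
        parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true); // SAML parsing is wrong without namespace awareness
    }

    /** Question 1: metadata from a known URL. The provider is unusable until initialize() runs. */
    public MetadataProvider metadataFromUrl(String metadataUrl) throws Exception {
        HTTPMetadataProvider provider = new HTTPMetadataProvider(metadataUrl, 5000); // 5000 ms is assumed
        provider.setParserPool(parserPool);
        provider.initialize(); // performs the first fetch; getMetadata() before this is what NPEs
        return provider;
    }

    /** Question 2: metadata already parsed into a DOM Element (EntityDescriptor or EntitiesDescriptor). */
    public MetadataProvider metadataFromElement(Element metadataRoot) throws Exception {
        DOMMetadataProvider provider = new DOMMetadataProvider(metadataRoot);
        provider.initialize();
        return provider;
    }

    /** Parses and unmarshalls a Response document from a stream. */
    public Response parseResponse(InputStream in) throws Exception {
        Element root = parserPool.parse(in).getDocumentElement();
        XMLObject xmlObject = Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        return (Response) xmlObject;
    }

    /**
     * Returns true only if the Response carries a signature that follows the SAML signature
     * profile and validates against a SIGNING key published in the issuer's IDPSSODescriptor.
     */
    public boolean verify(Response response, MetadataProvider metadata) throws Exception {
        Signature signature = response.getSignature();
        if (signature == null || response.getIssuer() == null) {
            return false; // an unsigned Response is not an error here, it is simply not trusted
        }
        // Rejects enveloped signatures that do not reference the signed element itself,
        // use extra transforms, etc. Do this before any cryptographic work.
        new SAMLSignatureProfileValidator().validate(signature);

        String issuerEntityId = response.getIssuer().getValue();

        MetadataCredentialResolver credentialResolver = new MetadataCredentialResolver(metadata);
        KeyInfoCredentialResolver keyInfoResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine trustEngine =
                new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);

        // Only keys of this entity, in its IdP role, marked for signing, are acceptable trust anchors.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(issuerEntityId));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        return trustEngine.validate(signature, criteria);
    }

    /** Usage: java ResponseSignatureCheck https://idp.example.org/metadata response.xml (paths assumed). */
    public static void main(String[] args) throws Exception {
        ResponseSignatureCheck check = new ResponseSignatureCheck();
        MetadataProvider metadata = check.metadataFromUrl(args[0]);
        Response response = check.parseResponse(new FileInputStream(args[1]));
        System.out.println("signature trusted: " + check.verify(response, metadata));
    }
}
```

Two points a practitioner would want alongside this: the mapping from Issuer value to metadata URL must come from your own trusted configuration, never from anything in the Response, since the whole check reduces to "is this signed by the entity the metadata says it is"; and if the metadata itself travels over plain HTTP (or an HTTPS endpoint you do not otherwise pin), it is not a trust anchor until its own signature is checked, which OpenSAML 2 supports through a SignatureValidationFilter set on the provider with a trust engine holding the metadata signing key.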


