mace-opensaml-users - [OpenSAML] Holder-Of-Key method: what is and how to generate Ciphervalue field

Subject: OpenSAML user discussion


  • From: Enrique Sabatel <>
  • To:
  • Subject: [OpenSAML] Holder-Of-Key method: what is and how to generate Ciphervalue field
  • Date: Mon, 14 Feb 2011 13:17:58 +0100

I am trying to use the OpenSAML libraries to generate a valid SAML 2.0 token for testing purposes in a web service client without using an STS. I think I have generated most of it, so it can be a valid assertion for the service (for testing purposes, obviously).

But there is something left in SubjectConfirmation...

What does the <xenc:CipherValue> field contain exactly, and how can it be generated within my client?

I understand that an ephemeral key must be generated between the client and the STS (in my scenario, it should be generated in the client) and then encrypted with the recipient's public cert. Is this correct? And is this what CipherValue contains?

Any help would be much appreciated.

My Subject part should be as follows:

<saml:Subject>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:SubjectConfirmationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" NotBefore="2010-12-20T12:35:37.549Z" NotOnOrAfter="2010-12-20T12:40:37.549Z" xsi:type="saml:KeyInfoConfirmationDataType">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EncKeyId-4A787BE16A9F37BE9712928485377682">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <ds:KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">EPlMdE3oRiNlo8bGg3BLR3uGWT8=</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>Apg/J/PFyBD9ozCTWwTT1UeU4u8Lyyn2B0YausGFq+2lG7O2ZaPfesra1srrDMUHALZ74ykWlj9/Dss3+REp4DIsMQ65xQOOeokitd3/H8WxjZxDrM6DGZyv0hpdgQugrXyqOTAZ4zZHhxHhhTX4hogXr9CK9qd14xrTeIaap7o=</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
    </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
</saml:Subject>
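The construction the question asks about, as an added example (not part of the original post, and not OpenSAML's own code): a fresh symmetric proof-of-possession key is drawn, encrypted to the recipient's RSA public key with the algorithm named in xenc:EncryptionMethod, and the base64 of that ciphertext is placed in xenc:CipherValue; the wsse:KeyIdentifier next to it is base64(SHA-1(DER certificate)) so the recipient knows which private key unwraps it. The example goes beyond the message's rsa-1_5 sample in also supporting rsa-oaep-mgf1p, and it includes the recipient side so you can check that the key round-trips before pointing a real service at the token. The EncKeyId value, the constructed stand-in for the certificate bytes, and the use of Go's standard crypto/rsa in place of a SAML library are assumptions; the namespace and ValueType URIs are the standard XML Encryption and WS-Security ones.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// XML Encryption / WS-Security identifiers. The message's sample uses rsa-1_5;
// rsa-oaep-mgf1p is the choice to prefer where the recipient accepts it, since
// PKCS#1 v1.5 decryption is exposed to padding-oracle attacks.
const (
	AlgRSA15   = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
	AlgRSAOAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
	nsXenc     = "http://www.w3.org/2001/04/xmlenc#"
	nsDs       = "http://www.w3.org/2000/09/xmldsig#"
	nsWsse     = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
	encBase64  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
	vtThumb    = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
)

// NewProofKey draws the ephemeral symmetric key the holder-of-key subject
// will later use to sign its requests (the key the service must see proven).
func NewProofKey(nbytes int) ([]byte, error) {
	k := make([]byte, nbytes)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// WrapProofKey encrypts the proof key to the recipient's RSA public key with
// the named xenc algorithm. Base64 of the returned bytes is the CipherValue.
func WrapProofKey(alg string, pub *rsa.PublicKey, proofKey []byte) ([]byte, error) {
	switch alg {
	case AlgRSA15:
		return rsa.EncryptPKCS1v15(rand.Reader, pub, proofKey)
	case AlgRSAOAEP:
		return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, proofKey, nil)
	}
	return nil, fmt.Errorf("unsupported EncryptionMethod %q", alg)
}

// UnwrapProofKey is the recipient's side: recover the proof key with the
// private key matching the certificate named by the thumbprint.
func UnwrapProofKey(alg string, priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	switch alg {
	case AlgRSA15:
		return rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	case AlgRSAOAEP:
		return rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, ct, nil)
	}
	return nil, fmt.Errorf("unsupported EncryptionMethod %q", alg)
}

// ThumbprintSHA1 is the wsse:KeyIdentifier value: base64(SHA-1(DER certificate)).
func ThumbprintSHA1(certDER []byte) string {
	sum := sha1.Sum(certDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// BuildEncryptedKey renders an xenc:EncryptedKey fragment shaped like the one
// in the message. The Id value and the wsse prefix are assumptions.
func BuildEncryptedKey(id, alg, thumbprint string, ciphertext []byte) string {
	var b strings.Builder
	fmt.Fprintf(&b, `<xenc:EncryptedKey xmlns:xenc="%s" Id="%s">`, nsXenc, id)
	fmt.Fprintf(&b, `<xenc:EncryptionMethod Algorithm="%s"/>`, alg)
	fmt.Fprintf(&b, `<ds:KeyInfo xmlns:ds="%s"><wsse:SecurityTokenReference xmlns:wsse="%s">`, nsDs, nsWsse)
	fmt.Fprintf(&b, `<wsse:KeyIdentifier EncodingType="%s" ValueType="%s">%s</wsse:KeyIdentifier>`, encBase64, vtThumb, thumbprint)
	b.WriteString(`</wsse:SecurityTokenReference></ds:KeyInfo>`)
	fmt.Fprintf(&b, `<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>`, base64.StdEncoding.EncodeToString(ciphertext))
	b.WriteString(`</xenc:EncryptedKey>`)
	return b.String()
}

// RoundTrip builds the fragment for a fresh proof key, then plays the recipient:
// pull the CipherValue back out, unwrap it, and confirm it is the same key.
func RoundTrip(alg string, priv *rsa.PrivateKey, certDER []byte) (string, bool, error) {
	proofKey, err := NewProofKey(32)
	if err != nil {
		return "", false, err
	}
	ct, err := WrapProofKey(alg, &priv.PublicKey, proofKey)
	if err != nil {
		return "", false, err
	}
	frag := BuildEncryptedKey("EncKeyId-example", alg, ThumbprintSHA1(certDER), ct)
	start := strings.Index(frag, "<xenc:CipherValue>") + len("<xenc:CipherValue>")
	end := strings.Index(frag, "</xenc:CipherValue>")
	received, err := base64.StdEncoding.DecodeString(frag[start:end])
	if err != nil {
		return frag, false, err
	}
	got, err := UnwrapProofKey(alg, priv, received)
	if err != nil {
		return frag, false, err
	}
	return frag, string(got) == string(proofKey), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the service's key pair
	certDER := []byte("constructed placeholder, not a real DER certificate")
	frag, ok, err := RoundTrip(AlgRSA15, priv, certDER)
	fmt.Println(frag)
	fmt.Println("recipient recovered the proof key:", ok, err)
}
```

In a real token the same proof key must then sign the SOAP messages the client sends, and the service should refuse any holder-of-key assertion whose unwrapped key does not verify that signature; the round trip above only checks the wrapping half of that contract.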



Archive powered by MHonArc 2.6.16.
