
mace-opensaml-users - Re: [OpenSAML] Extra Query parameter (HTTP Redirect Binding)

Subject: OpenSAML user discussion


Re: [OpenSAML] Extra Query parameter (HTTP Redirect Binding)


  • From: Deena Gurajala <>
  • To:
  • Subject: Re: [OpenSAML] Extra Query parameter (HTTP Redirect Binding)
  • Date: Mon, 21 Mar 2011 10:49:48 -0700

I did come across this kind of usage, but on the IDP side. The Redirect binding does not specify how to identify the key name used to verify the digital signature. Also, the signature must not be in the SAML request (POST is allowed to have the signature inside the XML).

What I did was extend the class used to send the Redirect Response and override the method to add your parameter. In my case I overrode the buildRedirectURL() method. My extended class looks like below. I think it is the same for request or response. I think you can use this code.

import java.util.List;

// Logging via log4j is an assumption here (OpenSAML 2 itself logs through slf4j);
// the remaining imports are the OpenSAML 2 / OpenWS types the class uses.
import org.apache.log4j.Logger;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.util.URLBuilder;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.util.Pair;

public class RedirectEncoder extends HTTPRedirectDeflateEncoder {

    private static final Logger logger = Logger.getLogger(RedirectEncoder.class);

    /** Value sent in the extra KeyName query parameter. */
    private String keyname;

    public RedirectEncoder(String keyName) {
        super();
        this.keyname = keyName;
    }

    public RedirectEncoder() {
        super();
    }

    /**
     * Builds the URL to redirect the client to.
     *
     * @param messagesContext current message context
     * @param endpointURL endpoint URL to send encoded message to
     * @param message Deflated and Base64 encoded message
     *
     * @return URL to redirect client to
     *
     * @throws MessageEncodingException thrown if the SAML message is neither a RequestAbstractType nor a StatusResponseType
     */
    @SuppressWarnings("unchecked")
    protected String buildRedirectURL(SAMLMessageContext messagesContext, String endpointURL, String message)
            throws MessageEncodingException {
        logger.debug("Building URL to redirect client to");
        URLBuilder urlBuilder = new URLBuilder(endpointURL);

        // Start from an empty query string; the binding defines the parameters itself.
        List<Pair<String, String>> queryParams = urlBuilder.getQueryParams();
        queryParams.clear();

        if (messagesContext.getOutboundSAMLMessage() instanceof RequestAbstractType) {
            queryParams.add(new Pair<String, String>("SAMLRequest", message));
        } else if (messagesContext.getOutboundSAMLMessage() instanceof StatusResponseType) {
            queryParams.add(new Pair<String, String>("SAMLResponse", message));
        } else {
            throw new MessageEncodingException(
                    "SAML message is neither a SAML RequestAbstractType or StatusResponseType");
        }

        String relayState = messagesContext.getRelayState();
        if (checkRelayState(relayState)) {
            queryParams.add(new Pair<String, String>("RelayState", relayState));
        }

        // Note: "Ouboundꞏ" is the method's real (misspelled) name in OpenSAML 2.
        Credential signingCredential = messagesContext.getOuboundSAMLMessageSigningCredential();
        if (signingCredential != null) {
            String sigAlgURI = getSignatureAlgorithmURI(signingCredential, null);
            Pair<String, String> sigAlg = new Pair<String, String>("SigAlg", sigAlgURI);
            queryParams.add(sigAlg);
            // Signed material is the query string as it stands here:
            // SAMLRequest|SAMLResponse, RelayState (if present), SigAlg, in that order.
            String sigMaterial = urlBuilder.buildQueryString();

            queryParams.add(new Pair<String, String>("Signature", generateSignature(signingCredential, sigAlgURI,
                    sigMaterial)));
        }
        // KeyName is appended after Signature, so it is not part of the signed
        // material and is not integrity-protected by the signature.
        queryParams.add(new Pair<String, String>("KeyName", keyname));

        String queryString = urlBuilder.buildURL();
        if (logger.isDebugEnabled()) {
            logger.debug("Query String ==>" + queryString);
        }

        return queryString;
    }
}


On Mon, Mar 21, 2011 at 10:33 AM, rangeli nepal <> wrote:
I thought the specification is mute about it. It just talks about
essential query parameters and, to some extent, ordering. It does not talk
about extra query parameters.
rn

On Mon, Mar 21, 2011 at 1:25 PM, Cantor, Scott E. <> wrote:
> On 3/21/11 1:17 PM, "rangeli nepal" <> wrote:
>>Now I like to send an extra query parameter using this binding. I
>>thought if I just change the endpoint location i.e
>
> That is not a legal use of the Redirect Binding.
>
> -- Scott
>
>
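What the encoder above actually signs, and what a verifier actually checks, as an added Python example (not code from the post or from OpenSAML): HMAC-SHA256 with a constructed key stands in for the asymmetric signature and the SigAlg value is a placeholder, so it runs on the standard library alone. It shows that a parameter appended after Signature, such as KeyName, lies outside the signed string and is therefore not covered by signature verification.

```python
import base64
import hashlib
import hmac
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed demo key. The real binding signs with an asymmetric key and names
# the algorithm in SigAlg; HMAC-SHA256 stands in so the example needs no extra
# library. SIG_ALG is a placeholder value, not a real algorithm URI.
KEY = b"constructed-demo-key"
SIG_ALG = "urn:example:hmac-sha256"


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def build_redirect_query(xml, relay_state, extra=None, is_request=True):
    """Mirror the overridden buildRedirectURL(): sign SAMLRequest/SAMLResponse,
    RelayState and SigAlg in that order, append Signature, then append any
    extra parameter (e.g. KeyName) after it, outside the signed material."""
    name = "SAMLRequest" if is_request else "SAMLResponse"
    params = [(name, deflate_b64(xml))]
    if relay_state:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", SIG_ALG))
    sig_material = urlencode(params)  # exactly the URL-encoded string that is signed
    sig = hmac.new(KEY, sig_material.encode(), hashlib.sha256).digest()
    params.append(("Signature", base64.b64encode(sig).decode()))
    if extra:
        params.extend(extra.items())
    return urlencode(params)


def verify_redirect_query(query: str) -> bool:
    """Verifier side: rebuild the signed string from the named parameters only,
    keeping their URL-encoded form. Any other parameter is never looked at."""
    raw = dict(part.partition("=")[::2] for part in query.split("&"))
    name = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    material = f"{name}={raw[name]}"
    if "RelayState" in raw:
        material += f"&RelayState={raw['RelayState']}"
    material += f"&SigAlg={raw['SigAlg']}"
    expected = hmac.new(KEY, material.encode(), hashlib.sha256).digest()
    given = base64.b64decode(parse_qs(query)["Signature"][0])
    return hmac.compare_digest(expected, given)
```

A receiver that relies on KeyName to pick the verification key must therefore treat it as an unauthenticated hint and still validate the selected key against trusted metadata.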




Archive powered by MHonArc 2.6.16.