
mace-opensaml-users - Re: [OpenSAML] How to validate signing certificate of the SAML token in the relying party?

Subject: OpenSAML user discussion


Re: [OpenSAML] How to validate signing certificate of the SAML token in the relying party?


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] How to validate signing certificate of the SAML token in the relying party?
  • Date: Thu, 28 Apr 2011 11:23:41 -0400



On 4/28/11 11:06 AM, Gina Choi wrote:
> Thanks Paul and Scott for your response. I thought that
> signatureValidator.validate(signature) handles everything.


No, it just does the simple cryptographic validation of the signature
against the supplied key.


> By the way, do you
> have any recommendation on dealing with trust management? For example, what
> kind of items do I need to check except expiration date?
>


There's a pretty decent example in the wiki page on XML Signature,
illustrating the use of SAML metadata and the explicit key
metadata-based trust engine. The TrustEngine is the abstraction in
OpenSAML that both cryptographically validates a token as well as
performs trust evaluation. (The signature ones for example internally
make use of the SignatureValidator).

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManJavaDSIG

It's the very last example on that page.

In the SAML metadata trust model that Scott refers to, you don't care
about any data in the certificate other than the public key. The
validity (and expiration, etc) of the binding of the key to the SAML
entity is expressed by the metadata itself. X.509/PKIX-style PKI
concepts therefore don't apply there. That's the model that we use and
advocate predominantly in Shibboleth. If you absolutely, positively
have to do X.509/PKIX style trust evaluation, we have code for that too.
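One way to wire up the metadata-based explicit key trust engine described above, as an added example (not code from this message or from the OpenSAML project itself). It assumes an OpenSAML 2.x MetadataProvider that is already configured for the federation metadata; the class name and the issuer entityID are placeholders.

```java
// Added example, not from the original message. Assumed: an initialised
// OpenSAML 2.x MetadataProvider, the Signature parsed from the incoming
// assertion, and a placeholder issuer entityID such as "urn:example.org:idp".
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

public class MetadataTrustCheck {
    /** True only if the signature verifies AND the signing key is one the
     *  issuer publishes for signing use in the SAML metadata. */
    public static boolean isTrusted(MetadataProvider metadata, Signature signature,
                                    String issuerEntityId)
            throws SecurityException, ValidationException {
        // 1. Profile check: reject a signature whose Reference/Transforms do not
        //    follow the SAML signature profile before doing any cryptography.
        new SAMLSignatureProfileValidator().validate(signature);
        // 2. Trusted keys come from the issuer's metadata, not from the
        //    ds:KeyInfo carried in the token; validity/expiry of the key
        //    binding is governed by the metadata itself, not by X.509 fields.
        MetadataCredentialResolver mdResolver = new MetadataCredentialResolver(metadata);
        KeyInfoCredentialResolver keyInfoResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine trustEngine =
                new ExplicitKeySignatureTrustEngine(mdResolver, keyInfoResolver);
        // 3. Criteria select which metadata keys are acceptable: this entity,
        //    in its SAML 2.0 IdP role, and only keys marked for signing use.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(issuerEntityId));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                                          SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        // validate() both verifies the signature and evaluates trust; a key
        // that is not in metadata yields false rather than an exception.
        return trustEngine.validate(signature, criteria);
    }
}
```

A false return should be treated as an untrusted token, distinct from the exceptions, which signal a malformed signature or a resolver failure.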





