How to verify SAML assertion signatures

How do I verify SAML assertion signatures?

    import java.security.cert.CertificateException;
    import java.util.Optional;

    import org.opensaml.saml2.core.Assertion;
    import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
    import org.opensaml.xml.security.x509.BasicX509Credential;
    import org.opensaml.xml.signature.KeyInfo;
    import org.opensaml.xml.signature.SignatureValidator;
    import org.opensaml.xml.signature.X509Certificate;
    import org.opensaml.xml.validation.ValidationException;

    for (Assertion assertion : samlResponse.getAssertions()) {
        try {
            if (assertion.getSignature() != null) {
                // KeyInfo is optional in XML Signature: guard against a NullPointerException when it is absent
                KeyInfo keyInfo = assertion.getSignature().getKeyInfo();
                Optional<X509Certificate> x509Certificate = keyInfo == null
                        ? Optional.empty()
                        : keyInfo.getX509Datas().stream()
                                .findFirst()
                                .map(x509Data -> x509Data.getX509Certificates().stream()
                                        .findFirst()
                                        .orElse(null));
                if (x509Certificate.isPresent()) {
                    BasicX509Credential credential = new BasicX509Credential();
                    // convert the OpenSAML <ds:X509Certificate> element into a java.security.cert.X509Certificate
                    credential.setEntityCertificate(KeyInfoHelper.getCertificate(x509Certificate.get()));
                    // what pub key credential to use here?
                    SignatureValidator validator = new SignatureValidator(credential);
                    validator.validate(assertion.getSignature());
                }
            }
        } catch (ValidationException | CertificateException e) {
            // SAMLException is the application's own exception type
            throw new SAMLException(e.getMessage(), e);
        }
    }

Basically, what should I pass to new SignatureValidator(credential)?

As I understand it, a SAML assertion that carries a KeyInfo with an X509 certificate should at least verify (SAML: why is the certificate in Signature?).

I also have an X509 certificate from the IdP's metadata, which I believe should be used either when there is none in the assertion or as part of a trust chain (?)

no x509 certificate,

Basically, neither the X509 certificate in the assertion nor the certificate from the IdP metadata seems to work. What am I missing here?


It turned out that I did everything right.

When printing an OpenSAML XML object, you should NOT use the following code:

    import java.io.StringWriter;

    import javax.xml.parsers.ParserConfigurationException;
    import javax.xml.transform.Transformer;
    import javax.xml.transform.TransformerException;
    import javax.xml.transform.TransformerFactory;
    import javax.xml.transform.dom.DOMSource;
    import javax.xml.transform.stream.StreamResult;

    import org.opensaml.xml.Configuration;
    import org.opensaml.xml.XMLObject;
    import org.opensaml.xml.io.Marshaller;
    import org.w3c.dom.Element;

    public static String xmlObjectToString(XMLObject xmlObject) {
        try {
            // re-marshalling builds a fresh DOM and replaces the one cached on the object
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(xmlObject);
            StringWriter sw = new StringWriter();
            Element authDOM = marshaller.marshall(xmlObject);
            toString(sw, authDOM);
            return sw.toString();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private static void toString(StringWriter rspWrt, Element authDOM)
            throws ParserConfigurationException, TransformerException {
        DOMSource domSource = new DOMSource(authDOM);
        StreamResult result = new StreamResult(rspWrt);
        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer transformer = tf.newTransformer();
        transformer.transform(domSource, result);
    }

The above code changes some of the internal states of the original object.

Instead, use

 org.opensaml.xml.util.XMLHelper.prettyPrintXML(message.getDOM()) 
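As an added example (not code from the question or the answer), here is the same check written so that only the IdP's metadata certificate is trusted. The X509Certificate carried inside the assertion's KeyInfo is never used as the verification key: an assertion will always verify against whatever certificate its sender chose to embed, so that certificate proves nothing on its own. The example also follows the answer's advice and prints the assertion for debugging from the DOM already attached to the object, rather than re-marshalling it. Assumptions: OpenSAML 2.x as used in the question; idpSigningCert is the java.security.cert.X509Certificate the caller has already loaded from IdP metadata; the class and method names are illustrative.

```java
// Added example, not part of the original question or answer.
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;

public final class AssertionSignatureCheck {

    private AssertionSignatureCheck() {
    }

    /**
     * Validates the signature of every assertion in the response against the
     * IdP signing certificate. idpSigningCert is assumed to come from the IdP's
     * metadata (loaded by the caller), not from the message being checked.
     */
    public static void validateAssertions(Response samlResponse, X509Certificate idpSigningCert)
            throws ValidationException {
        // The only key we trust is the one from metadata.
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(idpSigningCert);
        SignatureValidator validator = new SignatureValidator(trusted);

        // Rejects signatures that do not follow the SAML profile
        // (e.g. a Reference that does not point at the enclosing assertion).
        SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();

        List<Assertion> assertions = samlResponse.getAssertions();
        if (assertions.isEmpty()) {
            // Encrypted assertions would have to be decrypted before this point.
            throw new ValidationException("Response contains no plaintext assertions");
        }

        for (Assertion assertion : assertions) {
            Signature signature = assertion.getSignature();
            if (signature == null) {
                throw new ValidationException("Unsigned assertion: " + assertion.getID());
            }

            // Debug output from the cached DOM; re-marshalling would alter the
            // object and can make the signature check fail.
            if (assertion.getDOM() != null) {
                System.out.println(XMLHelper.prettyPrintXML(assertion.getDOM()));
            }

            profileValidator.validate(signature);
            // Cryptographic check against the trusted key. Whatever certificate
            // the assertion embeds in KeyInfo is deliberately ignored here.
            validator.validate(signature);
        }
    }
}
```

If the IdP rotates keys, load every signing certificate published in its metadata and accept the assertion when any one of them validates; the embedded KeyInfo certificate may be used at most as a hint for which trusted key to try first, never as the key itself.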

Source: https://habr.com/ru/post/950399/