Friday, March 18, 2011

Getting credentials in OpenSAML

For all cryptographic functions OpenSAML requires a Credential, which is basically a cryptographic key wrapped in an object. A Credential can contain either a symmetric key or an asymmetric key, not both. A Credential can be created manually with the
BasicX509Credential and BasicCredential classes and then populated with their setters, but the preferred way is to use one of the many CredentialResolvers to create the credential for you.
I will now show some examples of creating credentials using the basic classes and two different resolvers.

The basic classes have methods such as
setPublicKey
setSecretKey
setEntityCertificate
setPrivateKey

By calling these setters you can create credentials manually:

BasicCredential credential = new BasicCredential();
credential.setPublicKey(myJCEPublicKey);    // a java.security.PublicKey
credential.setPrivateKey(myJCEPrivateKey);  // the matching java.security.PrivateKey
credential.setUsageType(UsageType.SIGNING); // declare what the key pair may be used for

And now you have a credential to use with signing.

The credential resolvers make this easier by extracting the keys for you from, for example, a Java keystore (JKS) or SAML metadata.

import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import org.opensaml.xml.security.Criteria;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.KeyStoreCredentialResolver;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.x509.X509Credential;

KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream inputStream = new FileInputStream("/path/to/my/JKS");
try {
    keystore.load(inputStream, "MyKeystorePassword".toCharArray());
} finally {
    inputStream.close();
}

// Maps each keystore alias to the password protecting that private key entry
Map<String, String> passwordMap = new HashMap<String, String>();
passwordMap.put("MyEntryID", "MyEntryPassword");
KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);

// For this resolver the entity ID criterion is matched against the keystore alias
Criteria criteria = new EntityIDCriteria("MyEntryID");
CriteriaSet criteriaSet = new CriteriaSet(criteria);

X509Credential credential = (X509Credential) resolver.resolveSingle(criteriaSet);

The metadata credential resolver helps to extract public credentials (certificates) from SAML metadata.

First we create a metadata provider.

// ppMgr is a ParserPool; create one if you do not already have one
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true);

InputStream metaDataInputStream = new FileInputStream("path/to/meta/data");
Document metaDataDocument = ppMgr.parse(metaDataInputStream);
Element metadataRoot = metaDataDocument.getDocumentElement();
metaDataInputStream.close();

DOMMetadataProvider idpMetadataProvider = new DOMMetadataProvider(metadataRoot);
idpMetadataProvider.setRequireValidMetadata(true); // reject metadata whose validUntil has passed
idpMetadataProvider.setParserPool(ppMgr);
idpMetadataProvider.initialize();

And then we resolve the credential:

MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();

MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(idpMetadataProvider);

// Select the SAML 2.0 IdP role of the entity whose keys we want
CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
criteriaSet.add(new EntityIDCriteria("IDPEntityId"));

X509Credential credential = (X509Credential) credentialResolver.resolveSingle(criteriaSet);
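Putting the metadata steps above together, here is an added example (my code, not from the post or the OpenSAML project) that collects every signing certificate an IdP publishes, filters out encryption-only keys with a UsageCriteria, and skips certificates outside their validity window. It assumes an initialized MetadataProvider built as shown above and the IdP's entity ID as input; the class and method names are my own.

```java
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.x509.X509Credential;

/** Added example (hypothetical class name): currently valid signing certificates of one IdP. */
public final class IdpSigningCredentials {
    public static List<X509Credential> resolve(MetadataProvider provider, String idpEntityId)
            throws org.opensaml.xml.security.SecurityException {
        MetadataCredentialResolver resolver =
                MetadataCredentialResolverFactory.getFactory().getInstance(provider);
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIDCriteria(idpEntityId));
        criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                SAMLConstants.SAML20P_NS));
        // Without this filter a KeyDescriptor with use="encryption" can be returned too
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

        // resolve() rather than resolveSingle(): during key rollover an IdP publishes both
        // the old and the new signing certificate, and responses signed with either are valid
        List<X509Credential> valid = new ArrayList<X509Credential>();
        for (Credential c : resolver.resolve(criteriaSet)) {
            if (!(c instanceof X509Credential)) continue;
            X509Credential x509 = (X509Credential) c;
            try {
                x509.getEntityCertificate().checkValidity(); // expired or not yet valid: skip
            } catch (CertificateException e) {
                continue;
            }
            valid.add(x509);
        }
        if (valid.isEmpty()) {
            throw new IllegalStateException("no valid signing certificate in metadata for " + idpEntityId);
        }
        return valid;
    }
}
```

The returned list is what a signature trust engine should be fed; failing when it is empty is deliberate, so that a misconfigured or stale metadata file is noticed instead of silently accepting unsigned or unverifiable responses.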

Further reading

In my book, A Guide to OpenSAML, I describe credentials, digital signatures and other security features in OpenSAML.
A Guide to OpenSAML V3

12 comments:

  1. Hi,
    I am using OpenSAML...
    Could you please tell me how I can create a metadata XML file?
    Where to deploy it? And how?

    1. Have a look here for general metadata information
      http://mylifewithjava.blogspot.com/2012/02/saml-metadata.html

      I'm working on a post on how to work with metadata in OpenSAML too.

    2. http://mylifewithjava.blogspot.com/2012/02/reading-metadata-with-opensaml.html

      http://mylifewithjava.blogspot.com/2012/02/generating-metadata-with-opensaml.html

    3. Hello,

      Do you have a working example using OpenSAML?!
      Thanks

  2. The example worked flawlessly for getting the signing certificate out of ADFS metadata under the IdPSSODescriptor for SAML. Just in case I added some extra filtering in order to avoid getting the encryption certificate by mistake.

    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

    Good job, Rasmus, and you guys buy the book!
    /Domènec SV

    1. Good job Gudari, thanks for posting your solution

    2. I posted a question regarding "signature cryptographic validation error"

      http://stackoverflow.com/questions/29355190/signature-cryptographic-validation-not-successful-opensaml

      Please help.

      Thanks,
      Aswini J

    3. Well, this is a bit hilarious as I am doing the same thing now in OpenSAML v3 (hint for Google searches) and found my past self explaining the solution for the previous version of OpenSAML.

      To be noted, someone told the OpenSAML guys the differences between plural and singular in ancient Greek, so the old OpenSAML
      new UsageCriteria(UsageType.SIGNING)

      has changed into proper ancient Ελληνικά in OpenSAML v3
      new UsageCriterion(UsageType.SIGNING)

      "Criterion" in English comes from the early 17th century from Greek kritērion ‘means of judging’, from kritēs (see critic). And according to all my co-workers, all this (Open)SAML sounds Greek to them :)

  4. Hi, Any working example for OpenSaml 3? BasicCredentials Class is not present in OpenSAML 3. I am migrating from OpenSaml 2 to 3, is there any information you have on the required steps or classes mapping from 2 to 3 ?

    1. So far I only have info on how to read credentials in V3 in my book. In the book I also have a basic migration guide with what maps where between V2 and V3

  5. Hi Stefan,

    I have a problem in Spring SAML. Could you please answer this question on StackOverflow?
    https://stackoverflow.com/questions/41600435/spring-saml-using-multiple-idp-certificates-from-keystore-instead-of-metadata
