BasicX509Credential and BasicCredential classes and then populated with the setters. But the preferred way is to use one of the many CredentialResolvers to create the credential for you.
I will now show some examples of how to create credentials using the basic classes and two different resolvers.
The basic classes have setter methods like
setPublicKey
setSecretKey
setEntityCertificate
setPrivateKey
By calling these you can manually create credentials:
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.UsageType;

BasicCredential credential = new BasicCredential();
credential.setPublicKey(myJCEPublicKey);    // java.security.PublicKey
credential.setPrivateKey(myJCEPrivateKey);  // java.security.PrivateKey
credential.setUsageType(UsageType.SIGNING); // mark it as a signing key, not an encryption key
And now you have a credential to use with signing.
The credential resolvers make this easier by extracting the keys for you from, for example, a Java key store (JKS) or SAML metadata.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import org.opensaml.xml.security.Criteria;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.KeyStoreCredentialResolver;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.x509.X509Credential;

KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream inputStream = new FileInputStream("/path/to/my/JKS");
keystore.load(inputStream, "MyKeystorePassword".toCharArray());
inputStream.close();
// Maps each key store alias to the password protecting that private key entry
Map<String, String> passwordMap = new HashMap<String, String>();
passwordMap.put("MyEntryID", "MyEntryPassword");
KeyStoreCredentialResolver resolver = new KeyStoreCredentialResolver(keystore, passwordMap);
// The key store alias is what the resolver matches against the entity ID criteria
Criteria criteria = new EntityIDCriteria("MyEntryID");
CriteriaSet criteriaSet = new CriteriaSet(criteria);
X509Credential credential = (X509Credential) resolver.resolveSingle(criteriaSet);
The metadata resolver helps to extract public credentials (certificates) from SAML metadata.
First we create a metadata provider.
import java.io.FileInputStream;
import java.io.InputStream;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.xml.parse.BasicParserPool;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true); // SAML metadata is namespace-qualified XML
InputStream metaDataInputStream = new FileInputStream("path/to/meta/data");
Document metaDataDocument = ppMgr.parse(metaDataInputStream);
Element metadataRoot = metaDataDocument.getDocumentElement();
metaDataInputStream.close();
DOMMetadataProvider idpMetadataProvider = new DOMMetadataProvider(metadataRoot);
idpMetadataProvider.setRequireValidMetadata(true); // reject metadata whose validUntil has passed
idpMetadataProvider.setParserPool(ppMgr);
idpMetadataProvider.initialize();
And then we resolve the credential:
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.x509.X509Credential;

MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();
MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(idpMetadataProvider);
CriteriaSet criteriaSet = new CriteriaSet();
// Only look at the IdP's SAML 2.0 SSO role, not other roles the entity may publish
criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
criteriaSet.add(new EntityIDCriteria("IdPEntityId"));
X509Credential credential = (X509Credential) credentialResolver.resolveSingle(criteriaSet);
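As an added example (not the post's own code, written against the OpenSAML 2 API used above), here is the metadata lookup narrowed with a usage criterion so that the IdP's encryption certificate is never picked up as a signing key, and iterating over every match instead of assuming there is exactly one. The metadata path, entity ID and class name are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.x509.X509Credential;
import org.w3c.dom.Element;

public class IdpSigningCredentials {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();   // initialise the OpenSAML 2 library once per JVM
        BasicParserPool ppMgr = new BasicParserPool();
        ppMgr.setNamespaceAware(true);  // SAML metadata is namespace-qualified XML
        InputStream in = new FileInputStream("path/to/idp-metadata.xml");   // placeholder path
        Element root = ppMgr.parse(in).getDocumentElement();
        in.close();
        DOMMetadataProvider provider = new DOMMetadataProvider(root);
        provider.setRequireValidMetadata(true);   // refuse metadata whose validUntil has passed
        provider.setParserPool(ppMgr);
        provider.initialize();
        MetadataCredentialResolver resolver =
                MetadataCredentialResolverFactory.getFactory().getInstance(provider);
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria("https://idp.example.org/idp"));   // placeholder entityID
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));   // excludes <KeyDescriptor use="encryption">
        // An IdP may publish several signing keys (e.g. during key rollover), so use resolve(), not resolveSingle()
        for (Credential cred : resolver.resolve(criteria)) {
            if (cred instanceof X509Credential) {
                X509Certificate cert = ((X509Credential) cred).getEntityCertificate();
                cert.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
                System.out.println("Signing cert: " + cert.getSubjectX500Principal()
                        + ", valid until " + cert.getNotAfter());
            }
        }
    }
}
```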
Further reading
In my book, A Guide to OpenSAML, I describe credentials, digital signatures and other security features in OpenSAML.
hi,
I am using OpenSAML...
Could you please tell me how I can create a metadata XML file?
Where to deploy it? And how?
Have a look here for general metadata information
http://mylifewithjava.blogspot.com/2012/02/saml-metadata.html
I'm working on a post on how to work with metadata in OpenSAML to
http://mylifewithjava.blogspot.com/2012/02/reading-metadata-with-opensaml.html
http://mylifewithjava.blogspot.com/2012/02/generating-metadata-with-opensaml.html
Hello,
Do you have a working example using OpenSAML?!
Thanks
The example worked flawlessly for getting the signing certificate out of ADFS metadata under the IdPSSODescriptor for SAML. Just in case I added some extra filtering in order to avoid getting the encryption certificate by mistake.
criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
Good job, Rasmus, and you guys buy the book!
/Domènec SV
Good job Gudari, thanks for posting your solution
I posted a question regarding "signature cryptographic validation error"
http://stackoverflow.com/questions/29355190/signature-cryptographic-validation-not-successful-opensaml
Please help.
Thanks,
Aswini J
Well, this is a bit hilarious as I am doing the same thing now in OpenSAML v3 (hint for Google searches) and found my past self explaining the solution for the previous version of OpenSAML.
To be noted, someone told the OpenSAML guys the differences between plural and singular in ancient Greek, so the old OpenSAML
new UsageCriteria(UsageType.SIGNING)
has changed into proper ancient Ελληνικά in OpenSAML v3
new UsageCriterion(UsageType.SIGNING)
"Criterion" in English comes from the early 17th century from Greek kritērion ‘means of judging’, from kritēs (see critic). And according to all my co-workers, all this (Open)SAML sounds Greek to them :)
Hi, Any working example for OpenSaml 3? BasicCredentials Class is not present in OpenSAML 3. I am migrating from OpenSaml 2 to 3, is there any information you have on the required steps or classes mapping from 2 to 3 ?
So far I only have info on how to read credentials in V3 in my book. In the book I also have a basic migration guide with what maps where between V2 and V3
Hi Stefan,
I have a problem in SpringSAML. Could you please answer this question on StackOverflow.
https://stackoverflow.com/questions/41600435/spring-saml-using-multiple-idp-certificates-from-keystore-instead-of-metadata