Verifying signatures with OpenSAML
As the post about signing SAML messages discussed, it is very important to properly sign and verify messages in a SAML federation.
When verifying a signature of a message it is recommended to first validate the message with a SAML profile validator. This to ensure that the signature follows the standard for XML signatures. Afterwords the cryptography validation of the signature is done by a
PS. This validation only performs a cryptographic validation of the signature. This means that it validates that the message has not been changed since it was signed. It does however not check that the certificate used for signing is trusted. To confirm the trust of the certificate in OpenSAML, a trust engine must be used in the validation.
The most common method to confirm the trust of a key is to compare it to the key received in SAML Metadata. This is generally done as a configuration step when setting up a SAML federation. This post gives more information on SAML Metadata
1SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); 2profileValidator.validate(entityDescriptor.getSignature()); 3SignatureValidator sigValidator = new SignatureValidator(cred); 4sigValidator.validate(entityDescriptor.getSignature());
SignatureValidator is instantiated with a credential. in this case the credential basically contains the public key for the private key that was used to sign the message.
The credential object can be obtained in a number of different ways. This post shows some methods in OpenSAML.
If the public key was sent in the message, it is very important to validate that you trust the key.