The only difference between the two versions is that the SignatureValidator is no longer instantiated. Instead, the validate method of SignatureValidator is now static and takes both the credential and the signature object.
Below is the code for verifying signatures in OpenSAML V3:
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(assertion.getSignature());
SignatureValidator.validate(assertion.getSignature(), cred);
Hello Stefan,
I'm having trouble with this part.
I'm currently using OpenSAML V3, I purchased your book and try to follow step by step with the sample project as a guide.
In the 4th step, I receive the response and try to validate it; in order to do that I need the IDP credentials.
In the sample project you create a keypair and put it in a Credential object that you use later in SignatureValidator.validate(assertion.getSignature(), cred);
In real life, I have a Certificate file "example.cer" and have to somehow create a Credential object to use it in the validation.
I can't find a way to do it. I tried putting the certificate in a .jks, but when you use the KeyStoreCredentialResolver you need a passwordMap, and it has none because truststores by definition are a keystore without private keys, so you get "java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected".
I also tried not using keystores:
Credential getCredencialIDP() throws CertificateException {
    Credential credential = null;
    try {
        InputStream in = new FileInputStream("/example.cer");
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        Certificate cert = factory.generateCertificate(in);
        credential.setPublicKey(cert.getPublicKey());
    } catch (FileNotFoundException ex) {
        java.util.logging.Logger.getLogger(acs.class.getName()).log(Level.SEVERE, null, ex);
    }
    return credential;
}
But then you have a problem casting it, you can't cast a BasicX509Credential to a Credential.
Thank you in advance,
Francisco Perdomo
Let me correct the code I sent you, it was actually:
BasicX509Credential getCredencialIDP() throws CertificateException {
    BasicX509Credential credential = null;
    // try-with-resources closes the certificate stream when done
    try (InputStream in = new FileInputStream("/example.cer")) {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        // generateCertificate returns the base Certificate type; the X.509 credential needs the subclass
        X509Certificate cert = (X509Certificate) factory.generateCertificate(in);
        // build the credential from the certificate rather than calling a setter on a null reference
        credential = new BasicX509Credential(cert);
    } catch (IOException ex) {
        java.util.logging.Logger.getLogger(acs.class.getName()).log(Level.SEVERE, null, ex);
    }
    return credential;
}
I also have a third failed attempt using Metadata:
private Credential getCredencialIDP() {
    try {
        FilesystemMetadataResolver idpMetadataResolver = new FilesystemMetadataResolver(new File("C:\\idpTest2.xml"));
        idpMetadataResolver.setRequireValidMetadata(true);
        idpMetadataResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
        idpMetadataResolver.setId("https://test-eid.portal.gub.uy/v1.1/idp");
        idpMetadataResolver.initialize();
        //KeyInfoCredentialResolver keyResolver = DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();
        MetadataCredentialResolver credentialResolver = new MetadataCredentialResolver();
        credentialResolver.setRoleDescriptorResolver(new BasicRoleDescriptorResolver(idpMetadataResolver));
        //credentialResolver.setKeyInfoCredentialResolver(keyResolver);
        credentialResolver.initialize();
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIdCriterion("https://test-eid.portal.gub.uy/idp"));
        criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        Credential credential = credentialResolver.resolveSingle(criteriaSet);
        return credential;
    } catch (ComponentInitializationException ex) {
        java.util.logging.Logger.getLogger(acs.class.getName()).log(Level.SEVERE, null, ex);
    } catch (ResolverException ex) {
        java.util.logging.Logger.getLogger(acs.class.getName()).log(Level.SEVERE, null, ex);
    }
    return null;
}
And I found the following problems with it:
- if you run the code as is, you get "A KeyInfoCredentialResolver instance is required"
- if I uncomment the KeyInfoCredentialResolver part I get the following:
net.shibboleth.utilities.java.support.component.UninitializedComponentException: Component 'bfdd2fdf-4dab-42ed-ae55-1fa932edf088' has not yet been initialized and cannot be used.
at net.shibboleth.utilities.java.support.component.ComponentSupport.ifNotInitializedThrowUninitializedComponentException(ComponentSupport.java:106)
at org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver.resolve(BasicRoleDescriptorResolver.java:111)
at org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver.resolve(BasicRoleDescriptorResolver.java:56)
at org.opensaml.saml.security.impl.MetadataCredentialResolver.getRoleDescriptors(MetadataCredentialResolver.java:445)
at org.opensaml.saml.security.impl.MetadataCredentialResolver.resolveFromMetadata(MetadataCredentialResolver.java:290)
at org.opensaml.saml.security.impl.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:214)
at org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:62)
at org.opensaml.security.credential.impl.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:36)
Most of the code for the Metadata approach was from this page:
http://stackoverflow.com/questions/42348805/creating-credential-object-from-idp-metadata-with-opensaml-v3
But I haven't been able to fix it and make it work. The instantiation of the KeyInfoCredentialResolver was from some forum; I don't have much idea of how it really works.
Have a look at org.opensaml.security.credential.CredentialSupport. The method getSimpleCredential takes an X509Cert and gives you a BasicX509Credential back. Hope it helps.
There are two problems with that:
1) The getSimpleCredential also takes a PrivateKey that you shouldn't have; to validate a signature you only require the certificate of the IDP (I'm validating the response from the IDP).
2) The problem is that when I do :
SignatureValidator.validate(assertion.getSignature(),credential);
credential is required to be of the class Credential, not a BasicX509Credential, and as far as I know you can't cast from one to the other.
This is the error you get:
org.opensaml.xml.security.x509.BasicX509Credential cannot be cast to org.opensaml.security.credential.Credential
So how could I get an object "Credential" from the .cer file or the Metadata? Or if there is no way, how could I cast from BasicX509Credential to Credential?
1. Private key is optional
2. The BasicX509Credential returned from CredentialSupport is org.opensaml.security.x509.BasicX509Credential and not org.opensaml.xml.security.x509.BasicX509Credential. The class actually returned implements org.opensaml.security.credential.Credential and can be cast.
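Putting the two answers together, here is an added example (not code from the post, the book's sample project or the OpenSAML project) that builds a verification-only credential from the IdP certificate file and runs both validators on the assertion. The certificate path and the already-unmarshalled Assertion are assumed inputs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

public class IdpSignatureCheck {

    // Builds a verification-only credential from the IdP's certificate file.
    // No private key is involved: the SP only verifies, it never signs with this key.
    static Credential loadIdpCredential(String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            // org.opensaml.security.x509.BasicX509Credential implements
            // org.opensaml.security.credential.Credential, so no cast is needed later.
            return new BasicX509Credential(cert);
        }
    }

    // Rejects unsigned assertions, then checks the signature profile and the
    // signature itself against the IdP credential.
    static void verifyAssertion(Assertion assertion, Credential idpCred) throws SignatureException {
        if (assertion.getSignature() == null) {
            throw new SignatureException("Assertion is not signed");
        }
        // Enforces the SAML signature profile (enveloped signature, single reference
        // to the signed element's ID) before any cryptographic check is done.
        new SAMLSignatureProfileValidator().validate(assertion.getSignature());
        // Static in OpenSAML 3: the signature and the credential are both passed in.
        SignatureValidator.validate(assertion.getSignature(), idpCred);
    }
}
```

Both validate calls throw on failure, so a returning verifyAssertion means the assertion's signature matched the certificate in the file.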
Those corrections were what I needed; the Uruguayan governmental electronic identification team thanks you for your quick response and good disposition!
We will probably keep contacting you in the future if something comes up.
Happy to hear and please do =)
Hi Fran or Stefan,
can you please elaborate a bit more on how you solved the issue? I tried getting the certificate from the xml the way Fran described, but I got the same errors. Alternatively, I tried to get through the EntityDescriptor, but I get an xmlsec X509 certificate that I'm not able to convert into a credential to test.
Hey, there were 2 things I had to consider,
1. I didn't need the private key in the method
2. As Stefan answered me a few comments ago, the BasicX509Credential returned from CredentialSupport is org.opensaml.security.x509.BasicX509Credential and not org.opensaml.xml.security.x509.BasicX509Credential, which can be cast.
I have a git repo as an example if you want to check it out: https://github.com/agesic-eid/MaquetaSSOSAML
Good luck! If you have questions about the example code feel free to ask
Hi Fran,
That worked for the certificate file. Any luck with the metadata?
Thanks,
Luiz
Hey Luiz,
The metadata was a way that I didn't take nor investigated after it was solved with the other method. Maybe if you have a more specific question I could have an idea and help you solve it.
To be honest I don't have much experience with metadata applications but I would be happy to try to help!
Hi Stefan, I integrated SAML with my web application. My query is how to get the assertion from SAML after authentication.
I have one more external application which is invoked internally from my first web application. I want to retrieve the SAML assertion.
After the authentication your web app receives a Response XML object which contains the Assertion. If you are using OpenSAML, you parse it using the unmarshaller and use the getter methods to get the assertion. It should go something like this: getResponse().getAssertions()
When I am trying to configure Remote Service provider in openam, I am getting this error:
ERROR: An error occurred while importing the SAML metadata
com.sun.identity.saml2.meta.SAML2MetaException: Unable to verify signature under element "EntityDescriptor".
at com.sun.identity.saml2.meta.SAML2MetaSecurityUtils.verifySignature(SAML2MetaSecurityUtils.java:348)
at com.sun.identity.saml2.meta.SAML2MetaUtils.preProcessSAML2Document(SAML2MetaUtils.java:680)
at com.sun.identity.saml2.meta.SAML2MetaUtils.importSAML2Document(SAML2MetaUtils.java:657)
at com.sun.identity.workflow.ImportSAML2MetaData.importSAML2MetaData(ImportSAML2MetaData.java:118)
The signing certificate etc. are imported in the openam keystore and are valid ones; not sure why openam is throwing an error while configuring the Remote SP. All was fine with opensaml2, the issue is with opensaml3.
Any help would be appreciated.
Ok, have you checked if there is any difference between the metadata produced from v2 and v3?
If you .initialize() that inlined new BasicRoleDescriptorResolver(idpMetadataResolver) you'll get rid of that net.shibboleth.utilities.java.support.component.UninitializedComponentException: Component 'bfdd2fdf-4dab-42ed-ae55-1fa932edf088' has not yet been initialized and cannot be used.
I am taking my first steps in OpenSAML v3 (from v2) and it seems to be that you need to initialize everything like there is no tomorrow :)
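The metadata route from Francisco's third attempt, completed as an added example (not the commenter's, the book's or OpenSAML's own code): every resolver in the chain is initialized and a KeyInfoCredentialResolver is set, which are the two errors reported above; the metadata file and the IdP entity ID are assumed inputs, and the usage criterion narrows the result to the IdP's signing key.

```java
import java.io.File;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver;
import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;

public class IdpMetadataCredential {

    // Resolves the IdP's signing credential from a local metadata file.
    // The returned Credential can be handed straight to SignatureValidator.validate.
    static Credential resolveSigningCredential(File metadataFile, String idpEntityId) throws Exception {
        FilesystemMetadataResolver metadata = new FilesystemMetadataResolver(metadataFile);
        metadata.setRequireValidMetadata(true);   // reject metadata whose validUntil has passed
        metadata.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
        metadata.setId("idp-metadata");           // any unique component id
        metadata.initialize();

        // Every component in the chain must be initialized; leaving this one out is
        // what produces the UninitializedComponentException seen in the thread.
        BasicRoleDescriptorResolver roles = new BasicRoleDescriptorResolver(metadata);
        roles.initialize();

        MetadataCredentialResolver resolver = new MetadataCredentialResolver();
        resolver.setRoleDescriptorResolver(roles);
        // Required: turns the <ds:KeyInfo> inside each <md:KeyDescriptor> into credentials.
        resolver.setKeyInfoCredentialResolver(
            DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        resolver.initialize();

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(idpEntityId));
        criteria.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteria.add(new UsageCriterion(UsageType.SIGNING)); // not the encryption key
        Credential cred = resolver.resolveSingle(criteria);
        if (cred == null) {
            throw new IllegalStateException("No signing credential in metadata for " + idpEntityId);
        }
        return cred;
    }
}
```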
Hi Stefan,
Do you know if there is a convenient way of validating assertion conditions. Looking through the code, I see there is a SAML20AssertionValidator class which has a validate method that performs validation of signature, conditions, subject confirmations etc. I was hoping this would be useful, but I am unsure of the way it is instantiated and used.
For now, I am manually verifying the notBefore and notAfter conditions of an assertion. Have you dealt with this before?
(I came across a similar unanswered stackoverflow question: https://stackoverflow.com/questions/49413351/opensaml-v3-validate-saml-response)