Validate IDP initiated SAML2.0 Response

java jsp tomcat6 saml-2.0 opensaml
Ramesh Kumar picture Ramesh Kumar · Jul 25, 2013 · Viewed 10.3k times · Source

SAML experts please help!!!!

Am very new to SAML and JSP. I wanna validate a IDP(identity provider) initiated SAML response token using Opensaml library in java(Environment linux,Tomcat6.0) and retrieve the Attribute information sent such as userid,username,email.The SAML response is not encrypted and i have the idp's trust certificate installed in my java keystore.The SAML token profile is "web browser SSO" and it uses HTTP-POST Binding.The certificate has a public key in it.Do i need a private key to validate?What are the steps to be done for a succesful validation?Just a digital signature validation is enough to trust the source?Should i do profile validation or something else? Below given is the SAML Response i will be receiving from the IDP. Please let me know if you need any more information?Sorry if i did not give enough information.Please help me...Thanks in advance.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="XYZ" Version="2.0" IssueInstant="2013-07-10T16:43:54Z" Destination="http://www.testsp.com">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.testidp.com:8080/opensso</saml:Issuer> 
- <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> 
  </samlp:Status>
- <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xyz" IssueInstant="2013-07-10T16:43:51Z" Version="2.0">
  <saml:Issuer>http://www.testidp.com:8080/opensso</saml:Issuer> 
- <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
- <ds:Reference URI="#xyz">
- <ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
  <ds:DigestValue>...hdfb3454jh545dfbj545423df....=</ds:DigestValue> 
  </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>..................hsdgysgdyyusgfdfb98738e43hjrg874y474h7y8r............=</ds:SignatureValue> 
- <ds:KeyInfo>
- <ds:X509Data>
  <ds:X509Certificate>............./KPm0qLP8vCOhyI76AUE6jL NFeTlcAe3B6hOdfKCiu+EtHeZC2i/8jf1rHDNPey4TS1MQj/.......
</ds:X509Certificate> 
  </ds:X509Data>
  </ds:KeyInfo>
  </ds:Signature>
- <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://www.testidp.com:8080/opensso" SPNameQualifier="http://www.testsp.com">....Zeq8NhJKRKDXUwx67ytuynwj4n...</saml:NameID> 
- <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData NotOnOrAfter="2013-07-10T16:53:51Z" Recipient="http://www.testsaml.com/tespsamlmodule" /> 
  </saml:SubjectConfirmation>
  </saml:Subject>
- <saml:Conditions NotBefore="2013-07-10T16:33:51Z" NotOnOrAfter="2013-07-10T16:53:51Z">
- <saml:AudienceRestriction>
  <saml:Audience>http://www.testsaml.com/tespsamlmodule</saml:Audience> 
  </saml:AudienceRestriction>
  </saml:Conditions>
- <saml:AuthnStatement AuthnInstant="2013-07-10T16:36:35Z" SessionIndex="......erer54t54y45y75666y65y65y....">
- <saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> 
  </saml:AuthnContext>
  </saml:AuthnStatement>
- <saml:AttributeStatement>
- <saml:Attribute Name="UID">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ab123</saml:AttributeValue> 
  </saml:Attribute>
- <saml:Attribute Name="uname">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">robert</saml:AttributeValue> 
  </saml:Attribute>
- <saml:Attribute Name="EmailAddress">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml:AttributeValue> 
  </saml:Attribute>
  </saml:AttributeStatement>
  </saml:Assertion>
  </samlp:Response>

Answer

Stefan Rasmusson picture Stefan Rasmusson · Aug 1, 2013

You need to validate the responce according to the SAML spec. There are some functionaliy for doing this in OpenSAML but i seems the safest bet is to write your own validation code. see. http://marc.info/?t=137354098500007&r=1&w=2

You must also validate signature. As with all signature verification you use the public key. Here is some I wrote on my blog about OpenSAML signatur verification. http://mylifewithjava.blogspot.no/2012/11/verifying-signatures-with-opensaml.html

I have more on signing and encryption using OpenSAML in my book, A Guide to OpenSAML

Related questions

Character encoding issue with Tomcat

There is strange character encoding going on. I am using JSP (JSTL) and Struts with Tomat 6. I have my JSP page encoding as such: <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %> The issue is when I try …

Read More
Log4jConfigListener cannot be found -- context fails to start

I am trying to set up a web application on Eclipse. I am using Tomcat 6.0 and jdk 1.6.0_23. For some reason I am getting this error: SEVERE: Error configuring application listener of class org.springframework.web.util.Log4jConfigListener java.lang.…

Read More
"PKIX path building failed" and "unable to find valid certification path to requested target"

I'm trying to get tweets using twitter4j library for my java project. On my first run I got an error about certificate sun.security.validator.ValidatorException and sun.security.provider.certpath.SunCertPathBuilderException. Then I added twitter certificate by: C:\…

Read More