
I implement a SAML SP in Java.
I send an AuthnRequest to a SAML 2.0 IdP and get an encrypted response.
My question is:
How do I make sure that the response indeed comes from the IDP and not from a hacker?
It is not enough to validate the signature, since this only tells me that the sender has a matching pair of private/public keys, but it could be anyone.
So, I need the IdP to supply me in advance with a certificate, which I import into a JKS file and compare each time to the certificate I extract from the ds:X509Certificate element of the response.
Now, is there a standard way of comparing the sender's certificates with the one stored in my keystore?
I saw the following code:

    import java.security.KeyStore;
    import java.security.cert.*;
    import java.util.Arrays;

    // Keystore holding the IdP certificate imported in advance; its trusted entries become the PKIX trust anchors
    KeyStore keyStore = getKS();
    PKIXParameters params = new PKIXParameters(keyStore);
    params.setRevocationEnabled(false); // no CRL/OCSP lookups
    // One-element path built from the certificate taken out of ds:X509Certificate
    CertPath certPath = certificateFactory.generateCertPath(Arrays.asList(certFromResponse));
    CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
    // Throws CertPathValidatorException if the path does not chain to one of the trust anchors
    CertPathValidatorResult result = certPathValidator.validate(certPath, params);

Is it enough? If the validation doesn't throw an exception, does that verify the sender's identity?

user1825949

  • Hi, how did you send the request and get the response? I am also trying to implement SAML SSO – iCode Oct 22 '14 at 10:23

1 Answer

This is the way I have solved the verification of signatures with OpenSAML:

https://blog.samlsecurity.com/2012/11/verifying-signatures-with-opensaml.html

I have also written a book, A Guide to OpenSAML, where I explain in detail encryption and signing and more using OpenSAML.

What is important with the OpenSAML verification methods is that they only verify the cryptographic validity of the signature (that the content has not been changed). They do not, however, verify that the sender is someone that you trust.

The Signature validator is instantiated with the public key of the sender to validate against. This is normally exchanged in the setup of an identity federation using SAML Metadata.

Stefan Rasmusson
  • Thanks! As I see, you wrote: "PS. This validation only performs a cryptographic validation of the signature. It does not check the certificate used for signing against any trusted CA. To confirm the validity of the certificate a trust engine must be used in the validation." This is exactly what I need - confirm the validity of the certificate. Do you know a way to do it? – user1825949 Jan 30 '13 at 13:26
  • This solution verifies the signature against the public key exchanged in metadata. It is normal to do this exchange in metadata; this also removes the need for any external CA. In the example "cred" contains the public key to verify against – Stefan Rasmusson Jan 30 '13 at 15:05
  • O.K., I think I got it. Thanks! – user1825949 Jan 30 '13 at 15:29
  • Mark the answer correct if it solved your problem. Otherwise get back to me with a comment. I'm glad to answer any questions about OpenSAML – Stefan Rasmusson Jan 30 '13 at 15:32
  • This answer, though accepted, doesn't contain any information – Stephen Crosby May 22 '15 at 22:46
  • I see that some of the solution is in the comment. I have added more information to the answer. Hope it helps – Stefan Rasmusson May 24 '15 at 15:48
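As an added example (not code from the question, the answer or OpenSAML), the following plain-JDK Java shows the "compare against the keystore" step the question asks for and the "verify against the exchanged key, not the key in the message" point made in the comments: the certificate taken from ds:X509Certificate is only used to select a pinned trusted entry in the SP's JKS, and the public key actually handed to the signature validator comes from that pinned entry. Class and method names are hypothetical; it assumes the IdP certificate was imported as a trusted-certificate entry (for example with keytool -importcert).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/** Hypothetical helper: pins the IdP signing certificate to a trusted entry in our JKS. */
public final class IdpCertificatePin {

    /** Loads the JKS that the IdP certificate was imported into in advance. */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Alias of the pinned certificate whose DER encoding equals the one found in ds:X509Certificate,
     *  or null if none matches. Only trusted-certificate entries count; our own private-key entries are skipped. */
    public static String findPinnedAlias(KeyStore trustStore, X509Certificate fromResponse) throws Exception {
        byte[] presented = fromResponse.getEncoded();
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!trustStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate trusted = trustStore.getCertificate(alias);
            if (trusted instanceof X509Certificate && Arrays.equals(trusted.getEncoded(), presented)) {
                // Refuse a pinned certificate that has expired or is not yet valid.
                ((X509Certificate) trusted).checkValidity();
                return alias;
            }
        }
        return null;
    }

    /** Key to verify the XML signature with: the pinned key from our store, never the key that
     *  arrived inside the response. Throws if the presented certificate is not pinned. */
    public static PublicKey signingKeyFor(KeyStore trustStore, X509Certificate fromResponse) throws Exception {
        String alias = findPinnedAlias(trustStore, fromResponse);
        if (alias == null) {
            throw new SecurityException("signing certificate in the response is not a pinned IdP certificate");
        }
        return trustStore.getCertificate(alias).getPublicKey();
    }
}
```

The key returned by signingKeyFor is what the signature validator (the "cred" in the linked OpenSAML post) should be built from; a response whose certificate is not pinned is rejected before any signature check runs.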