
I am working on the SP side of things. We have a SAML2 response from an IDP.

It looks something like the example here:

SAML: Why is the certificate within the Signature?

Now I am using OpenSaml2 to parse and process stuff in this xml file.

I need to pull out the certificate from the response and use it as a credential.

Till now I have done this:

    import org.opensaml.saml2.core.Response;
    import org.opensaml.security.SAMLSignatureProfileValidator;
    import org.opensaml.xml.security.credential.Credential;
    import org.opensaml.xml.signature.Signature;
    import org.opensaml.xml.signature.SignatureValidator;

    Response response = (Response) xmlObject;
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    Signature signature = response.getSignature();
    Credential credential = null; // should hold the public key from the certificate
    profileValidator.validate(signature);
    SignatureValidator validator = new SignatureValidator(credential);
    validator.validate(signature);

In the above code the credential is temporarily "null", but I need it to be the public key, which is in the certificate. Any idea how I can do this?

I have been told that OpenSAML2 has methods like KeyInfoCredentialResolver to help with this, but I haven't seen an easy implementation of it.

hal9000

1 Answer


I was able to resolve this using something like:

    import java.io.ByteArrayInputStream;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import javax.xml.bind.DatatypeConverter;
    import org.opensaml.xml.signature.X509Certificate;

    X509Certificate certificate = signature.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0);

    if (certificate != null) {
        // Converts org.opensaml.xml.signature.X509Certificate to java.security.cert.Certificate
        String lexicalXSDBase64Binary = certificate.getValue();
        byte[] decoded = DatatypeConverter.parseBase64Binary(lexicalXSDBase64Binary);

        try {
            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(decoded));
            return cert;
        } catch (CertificateException e) {
            throw new IllegalStateException("Could not parse the certificate from KeyInfo", e);
        }
    }
    return null;
hal9000
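Added example (not the poster's or OpenSAML's own code): it turns the extracted certificate into the Credential the question's SignatureValidator needs, but only after checking that the certificate carried in the message's KeyInfo is the one the SP already trusts for this IdP, and it always validates the signature against that trusted certificate rather than the one the message supplied. The class name ResponseSignatureCheck, the method verify and the parameter trustedIdpCert (assumed to be loaded out of band from IdP metadata or a keystore) are my own.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.xml.bind.DatatypeConverter;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class ResponseSignatureCheck {

    // trustedIdpCert is assumed to be loaded by the SP out of band (IdP metadata or a
    // keystore); it is the only key accepted for this IdP's signatures.
    public static void verify(Response response, X509Certificate trustedIdpCert)
            throws ValidationException, CertificateException {
        Signature signature = response.getSignature();
        if (signature == null) {
            throw new ValidationException("Response is not signed");
        }
        // Same profile check as in the question (rejects malformed SAML signatures)
        new SAMLSignatureProfileValidator().validate(signature);

        // The certificate inside KeyInfo was put there by whoever built the message, so it
        // is only a hint: decode it as in the answer, then require it to match the trusted
        // certificate. Otherwise any sender could ship its own key pair and still "validate".
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo != null && !keyInfo.getX509Datas().isEmpty()) {
            String base64 = keyInfo.getX509Datas().get(0).getX509Certificates().get(0).getValue();
            byte[] der = DatatypeConverter.parseBase64Binary(base64);
            X509Certificate presented = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
            if (!Arrays.equals(presented.getEncoded(), trustedIdpCert.getEncoded())) {
                throw new ValidationException("KeyInfo certificate is not the trusted IdP certificate");
            }
        }

        // The trusted certificate becomes the Credential the question was missing; the
        // cryptographic check is always done against this key, never against whatever
        // the message carried.
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(trustedIdpCert);
        credential.setPublicKey(trustedIdpCert.getPublicKey());
        new SignatureValidator(credential).validate(signature);
    }
}
```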