axis-java-dev mailing list archives

From Pierre-yves motreff <pymotr...@gmail.com>
Subject How to validate SAML2.0 assertion with axis2
Date Wed, 09 Nov 2011 10:16:22 GMT
Hi,

I have developed the server side of a WebService with Axis2. Now I have to
secure this side with SAML 2.0.
The client side is developed by another company, and already contains the
signed SAML assertion (X.509 certificate); see an example:

<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"
    ID="_86bb16eb-3f39-0410-9d53-919a2d5a47b9" Version="2.0"
    IssueInstant="2007-09-03T19:09:56Z">
  <saml:Issuer>issuer</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>59QJ/N...zTtwPZIw0=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>QKWB9mK...tQnWRFmL78=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIB2DCCAUG...61mFkJn7/Ng=</X509Certificate>
        <X509Certificate>MIIB4jCCAUu...GFe7QdEO</X509Certificate>
        <X509Certificate>MIIB3TCCAUa...BqxwnpnpA==</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sourceID</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
      <saml:SubjectConfirmationData NotOnOrAfter="2007-09-03T20:10:06Z" Recipient="recip_id" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-09-03T19:09:46Z" NotOnOrAfter="2007-09-03T20:10:06Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://adresse</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-09-03T17:44:57Z" SessionIndex="_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
....

I spent a long time on Google looking for examples of assertion validation,
but I didn't find anything... I found some examples of an STS module, but if I
understand correctly this module delivers an assertion, whereas my client's
request already contains the assertion....
So I have developed my own Axis2 module to validate the assertion with the
OpenSAML library.
But I want to know if it's possible to do the validation with Rampart; for
me it would be more secure to use a standard implementation than my own
module.

Thanks in advance for your help.

Regards

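The following is an added example, not code from the poster, from Axis2 or from Rampart. It shows the checks a server-side validator for an assertion shaped like the one above has to make, using only the JDK's built-in XML Digital Signature API (javax.xml.crypto.dsig) rather than OpenSAML, so nothing beyond the JDK is needed to follow it. The `trustedSigners` set (the issuer's certificate(s) loaded from your own truststore), the `expectedAudience` value (for the sample that would be `http://adresse`) and the two-minute clock skew are assumptions of this example. The order of checks matters: the signature is located as a direct child of the assertion and its single Reference is tied to the assertion's own ID before the cryptographic check runs, and the key used to verify must come from a certificate you already trust, never merely from whatever certificate the message carries in KeyInfo.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Validates an enveloped-signed SAML 2.0 assertion with the JDK's XML Digital Signature API (example code). */
public final class AssertionValidator {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    private final Set<X509Certificate> trustedSigners; // assumption: issuer certificate(s) from your own truststore
    private final String expectedAudience;             // assumption: this service's audience URI
    private final Duration clockSkew = Duration.ofMinutes(2); // assumption: tolerated clock difference

    public AssertionValidator(Set<X509Certificate> trustedSigners, String expectedAudience) {
        this.trustedSigners = trustedSigners;
        this.expectedAudience = expectedAudience;
    }

    /** Returns the assertion element when every check passes; throws SecurityException otherwise. */
    public Element validate(byte[] assertionXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, hence no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(assertionXml));

        Element assertion = doc.getDocumentElement();
        if (!SAML_NS.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName())) {
            throw new SecurityException("root element is not saml:Assertion");
        }
        assertion.setIdAttribute("ID", true); // lets <Reference URI="#..."> resolve to this element
        String assertionId = assertion.getAttribute("ID");

        // 1. Exactly one ds:Signature, and it must be a direct child of the assertion being validated.
        List<Element> sigs = children(assertion, DSIG_NS, "Signature");
        if (sigs.size() != 1) throw new SecurityException("expected exactly one enveloped ds:Signature");
        DOMValidateContext ctx = new DOMValidateContext(new TrustedSignerSelector(), sigs.get(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);

        // 2. The single Reference must point at this assertion's own ID, not at some other element.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertionId).equals(((Reference) refs.get(0)).getURI())) {
            throw new SecurityException("Reference does not cover the assertion being validated");
        }
        // 3. Digest and signature value, verified with the key chosen by TrustedSignerSelector.
        if (!sig.validate(ctx)) throw new SecurityException("XML signature validation failed");

        // 4. Conditions: validity window (with clock skew) and audience restriction.
        List<Element> conds = children(assertion, SAML_NS, "Conditions");
        if (conds.size() != 1) throw new SecurityException("expected exactly one saml:Conditions");
        Instant now = Instant.now();
        String notBefore = conds.get(0).getAttribute("NotBefore");
        String notOnOrAfter = conds.get(0).getAttribute("NotOnOrAfter");
        if (!notBefore.isEmpty() && now.plus(clockSkew).isBefore(Instant.parse(notBefore))) {
            throw new SecurityException("assertion is not yet valid");
        }
        if (!notOnOrAfter.isEmpty() && !now.minus(clockSkew).isBefore(Instant.parse(notOnOrAfter))) {
            throw new SecurityException("assertion has expired");
        }
        List<Element> restrictions = children(conds.get(0), SAML_NS, "AudienceRestriction");
        if (restrictions.isEmpty()) throw new SecurityException("assertion carries no AudienceRestriction");
        for (Element restriction : restrictions) { // every restriction must name this service
            boolean ok = false;
            for (Element audience : children(restriction, SAML_NS, "Audience")) {
                if (expectedAudience.equals(audience.getTextContent().trim())) ok = true;
            }
            if (!ok) throw new SecurityException("assertion is not addressed to " + expectedAudience);
        }
        return assertion;
    }

    /** Supplies a verification key only from a certificate that is in the trusted set and valid now. */
    private final class TrustedSignerSelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("signature carries no KeyInfo");
            for (Object content : keyInfo.getContent()) {
                if (!(content instanceof X509Data)) continue;
                for (Object item : ((X509Data) content).getContent()) {
                    if (item instanceof X509Certificate && trustedSigners.contains(item)) {
                        final X509Certificate cert = (X509Certificate) item;
                        try {
                            cert.checkValidity();
                        } catch (CertificateException e) {
                            throw new KeySelectorException("trusted signer certificate is not valid now", e);
                        }
                        return cert::getPublicKey;
                    }
                }
            }
            // An unknown certificate in KeyInfo proves nothing: a self-signed assertion verifies against itself.
            throw new KeySelectorException("signing certificate is not a trusted issuer certificate");
        }
    }

    /** Direct child elements of parent with the given namespace and local name (no deep search). */
    private static List<Element> children(Element parent, String ns, String localName) {
        List<Element> out = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && ns.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                out.add((Element) n);
            }
        }
        return out;
    }
}
```

Usage is `new AssertionValidator(trustedSigners, "http://adresse").validate(assertionBytes)`, with `trustedSigners` filled from a keystore under your control. Two caveats apply to the sample above in particular. First, its SubjectConfirmation method is sender-vouches: the assertion alone does not authenticate whoever sent it, so the SOAP message that carries it must itself be signed by a party you trust to vouch, which is the part Rampart's WS-Security processing covers and this example does not. Second, the sample signs with rsa-sha1 and digests with sha1; recent JDK releases reject those algorithms under secure validation mode, so an issuer still producing them should move to rsa-sha256 before you rely on this code. Pinning the issuer's certificate as done here is the simplest trust model; if the issuer rotates keys under a CA, build and validate the chain with `java.security.cert.CertPathValidator` instead of matching the certificate directly.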