https://wiki.umiacs.umd.edu/adapt/index.php?action=history&feed=atom&title=Saml%3AGetSamlTokenSaml:GetSamlToken - Revision history2026-04-07T09:12:42ZRevision history for this page on the wikiMediaWiki 1.43.7https://wiki.umiacs.umd.edu/adapt/index.php?title=Saml:GetSamlToken&diff=1985&oldid=prevScsong at 23:39, 11 September 20082008-09-11T23:39:30Z<p></p>
<p><b>New page</b></p><div>==Client connection to Authority==<br />
<br />
===Prepare keystore===<br />
<br />
You'll need to have a keystore that contains the following items:<br />
<br />
# Client keypair with public key signed by a CA that is known to the Authority<br />
# Copy of the Authorities public key to validate the returned assertion.<br />
<br />
Here's a sample on how to load the keystore and required certs.<br />
<br />
<pre><br />
import static edu.umiacs.wssec.Wss4jConstants.KEYSTORE_TYPE_DEFAULT;<br />
import static edu.umiacs.wssec.Wss4jConstants.KEYSTORE_PROVIDER_DEFAULT;<br />
<br />
...<br />
...<br />
public static final String KEYSTORE_PATH = "client.p12";<br />
public static final String KEYSTORE_ALIAS = "client";<br />
public static final String KEYSTORE_PASS = "client";<br />
public static final String KEYSTORE_AUTHORITY = "authority";<br />
<br />
Certificate clientCert;<br />
Certificate authorityCert;<br />
KeyStore keyStore;<br />
<br />
keyStore = KeyStore.getInstance(KEYSTORE_TYPE_DEFAULT,KEYSTORE_PROVIDER_DEFAULT);<br />
keyStore.load(new FileInputStream( new File(KEYSTORE_PATH) ), KEYSTORE_PASS.toCharArray());<br />
<br />
// check for alias of private key<br />
if (!keyStore.containsAlias(KEYSTORE_ALIAS)<br />
|| !(keyStore.getKey(KEYSTORE_ALIAS, KEYSTORE_PASS.toCharArray()) != null )) {<br />
<br />
System.err.println("cannot load keystore alias");<br />
}<br />
<br />
clientCert = keyStore.getCertificateChain(KEYSTORE_ALIAS)[0];<br />
authorityCert = keyStore.getCertificate(KEYSTORE_AUTHORITY);<br />
<br />
//For later, cache keystore<br />
CachedDoAllSender.setSignatureKeyStore(keyStore);<br />
</pre><br />
<br />
===Call Authority===<br />
<br />
Next, call the authority, get the certificate and convert it to a SAMLAssertion<br />
<br />
<pre><br />
// standard axis wsdl2java generated stubs. You can add extra handlers, wss4j, etc if you<br />
// authority uses it for authentication.<br />
Authority auth;<br />
AuthorityServiceLocator authSL;<br />
<br />
authSL = new AuthorityServiceLocator();<br />
authSL.setAuthorityEndpointAddress(SERVICE_AUTH_URL);<br />
auth = authSL.getAuthority();<br />
<br />
String samlToken = auth.authenticateClient(clientCert.getEncoded());<br />
<br />
// convert assertion<br />
SAMLAssertion assertion = new SAMLAssertion(<br />
new ByteArrayInputStream(samlToken.getBytes()));<br />
<br />
</pre><br />
<br />
===Validate Assertion===<br />
<br />
You need to validate that the assertion was issued by the authority you expected and not merely by another party w/ a key signed by the same CA as the authorities key. The easiet way to do this is to keep a copy of the authorities key locally.<br />
<br />
<pre><br />
// throws exception if it can't verify<br />
assertion.verify(authorityCert);<br />
<br />
// For later, cache assertion.<br />
CachedDoAllSender.setSamlAssertion(assertion);<br />
</pre></div>Scsong