
Saml:GetSamlToken



Client connection to Authority

Prepare keystore

You'll need to have a keystore that contains the following items:

  1. Client key pair, with the public key signed by a CA that is known to the Authority
  2. Copy of the Authority's public key, used to validate the returned assertion.

Here's a sample of how to load the keystore and the required certificates.

import static edu.umiacs.wssec.Wss4jConstants.KEYSTORE_TYPE_DEFAULT;
import static edu.umiacs.wssec.Wss4jConstants.KEYSTORE_PROVIDER_DEFAULT;

...
...
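    public static final String  KEYSTORE_PATH      = "client.p12";
    public static final String  KEYSTORE_ALIAS     = "client";
    // sample value only: a real client should read the keystore password from
    // configuration or the environment rather than compiling it into source
    public static final String  KEYSTORE_PASS      = "client";
    public static final String  KEYSTORE_AUTHORITY = "authority";

    Certificate clientCert;
    Certificate authorityCert;
    KeyStore    keyStore;

    keyStore = KeyStore.getInstance(KEYSTORE_TYPE_DEFAULT, KEYSTORE_PROVIDER_DEFAULT);
    // close the stream once the keystore is loaded; the original left it open
    FileInputStream keyStoreIn = new FileInputStream(KEYSTORE_PATH);
    try {
        keyStore.load(keyStoreIn, KEYSTORE_PASS.toCharArray());
    } finally {
        keyStoreIn.close();
    }

    // check for alias of private key; stop here instead of only printing, because
    // getCertificateChain() returns null for an unknown alias and [0] would then NPE
    if (!keyStore.containsAlias(KEYSTORE_ALIAS)
        || keyStore.getKey(KEYSTORE_ALIAS, KEYSTORE_PASS.toCharArray()) == null) {
        throw new IllegalStateException("cannot load keystore alias " + KEYSTORE_ALIAS);
    }

    clientCert      = keyStore.getCertificateChain(KEYSTORE_ALIAS)[0];
    authorityCert   = keyStore.getCertificate(KEYSTORE_AUTHORITY);
    // the authority certificate is what the assertion is later verified against,
    // so a missing alias must not go unnoticed
    if (authorityCert == null) {
        throw new IllegalStateException("authority certificate not found under alias " + KEYSTORE_AUTHORITY);
    }

    //For later, cache keystore
    CachedDoAllSender.setSignatureKeyStore(keyStore);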

Call Authority

Next, call the authority, take the SAML token it returns, and convert it to a SAMLAssertion.

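    // standard axis wsdl2java generated stubs. You can add extra handlers, wss4j, etc. if your
    // authority uses them for authentication.
    Authority               auth;
    AuthorityServiceLocator authSL;

    authSL = new AuthorityServiceLocator();
    authSL.setAuthorityEndpointAddress(SERVICE_AUTH_URL);
    auth = authSL.getAuthority();

    // the authority identifies this client by its encoded certificate and returns the assertion as text
    String samlToken = auth.authenticateClient(clientCert.getEncoded());
    if (samlToken == null || samlToken.isEmpty()) {
        throw new IllegalStateException("authority returned no SAML token");
    }

    // convert assertion. Name the charset explicitly: the no-arg getBytes() uses the platform
    // default encoding and could corrupt non-ASCII content before it is parsed
    SAMLAssertion assertion = new SAMLAssertion(
            new ByteArrayInputStream(samlToken.getBytes("UTF-8")));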

Validate Assertion

You need to validate that the assertion was issued by the authority you expected, and not merely by another party with a key signed by the same CA as the authority's key. The easiest way to do this is to keep a copy of the authority's key locally.

    // throws exception if it can't verify the assertion against the locally held authority
    // certificate; this is the check that rules out any other holder of a CA-signed key
    assertion.verify(authorityCert);
    // NOTE(review): whether verify() also checks the assertion's validity window and
    // conditions is not visible on this page -- confirm before relying on the cached copy.

    // For later, cache assertion.
    CachedDoAllSender.setSamlAssertion(assertion);