How the certificate use from SP keystore spring saml

Tags:

spring-saml

I am currently implementing Spring SAML to configure my SP. I have received a metadata XML from the IDP, which I put in the metadata folder.

1. Now while starting I got the exception "No IDP is configured", so I found out that it is due to the certificate not being valid. I then just imported the certificates into samlKeystore.jks and put metadataTrustCheck = false in the ExtendedMetadataDelegate bean, and this helped me to start the SP without any error; I am getting a redirection from the IDP to the SP and I can achieve what I need.
2. Now I just removed the certificates that had been provided by the IDP, which I had kept in samlKeystore.jks, and restarted the application, and there is still no issue with the communication between the IDP and the SP.

I now have some queries that I need help understanding. The certificate provided to me by the IDP, which I have imported into my samlKeystore.jks: is there any use for it, as the response comes with a signature and certificate from the IDP? To validate the response we should use the certificate and signature in the response.

Am I expected to set metadataTrustCheck = true and correct the IDP metadata? If yes, how do I correct it, as I have a certificate chain?

Vawani asked Jul 03 '15 07:07




1 Answer

The metadata document you receive from IDP contains certificates which will be used by IDP to digitally sign SAML messages it will be sending towards your SP. There is no need to import these to samlKeystore.jks, as they are already present in the metadata.

The metadata document itself may also be digitally signed (to make sure nobody modified it before it reaches you). Now when metadataTrustCheck = true, Spring SAML will try to verify that this signature is valid, and in order to do that it needs to know whether to trust the certificate which was used to create the signature.

So you need to communicate to Spring SAML which certificates you trust for signing of metadata documents - and you do so by importing them into the samlKeystore.jks.

If you trust that the metadata document you have is correct, simply disable the metadataTrustCheck and do not import any public certificates to the samlKeystore - just rely on what's in the metadata document itself.

Vladimír Schäfer answered Sep 19 '22 14:09

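The configuration the answer describes, as an added example (this is not code from the question or the answer, nor the Spring SAML project's own sample). It assumes spring-security-saml2-core 1.0.x on OpenSAML 2: the IdP metadata is loaded from a file, metadataTrustCheck is switched on, and trust for the metadata signature is restricted to one keystore alias. The keystore path, aliases, passwords and metadata file path are placeholders.

```java
// Added example: Spring SAML Extension Java configuration that enables the
// metadata trust check and names which keystore entry is trusted for it.
// All paths, aliases and passwords below are placeholders, not real values.
import java.io.File;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.Timer;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataManager;

@Configuration
public class SamlMetadataConfig {

    // Placeholder values; replace with the SP's own keystore details.
    private static final String KEYSTORE_PATH = "saml/samlKeystore.jks";
    private static final String KEYSTORE_PASSWORD = "changeit";
    private static final String SP_KEY_ALIAS = "sp-signing-key";
    private static final String SP_KEY_PASSWORD = "changeit";
    // Alias under which the IdP's metadata-signing certificate (or the root of
    // its chain) was imported with keytool. Placeholder name.
    private static final String IDP_METADATA_SIGNER_ALIAS = "idp-metadata-signer";
    private static final String IDP_METADATA_FILE = "/opt/sp/metadata/idp-metadata.xml";

    @Bean
    public KeyManager keyManager() {
        // The keystore holds the SP's private key for signing and decryption,
        // plus any public certificates trusted for metadata signatures.
        Map<String, String> passwords = new HashMap<String, String>();
        passwords.put(SP_KEY_ALIAS, SP_KEY_PASSWORD);
        return new JKSKeyManager(new ClassPathResource(KEYSTORE_PATH),
                KEYSTORE_PASSWORD, passwords, SP_KEY_ALIAS);
    }

    @Bean
    public StaticBasicParserPool parserPool() throws XMLParserException {
        StaticBasicParserPool pool = new StaticBasicParserPool();
        pool.initialize();
        return pool;
    }

    @Bean
    public ExtendedMetadataDelegate idpMetadata()
            throws MetadataProviderException, XMLParserException {
        FilesystemMetadataProvider provider =
                new FilesystemMetadataProvider(new Timer(true), new File(IDP_METADATA_FILE));
        provider.setParserPool(parserPool());

        ExtendedMetadataDelegate delegate =
                new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // Verify the signature on the metadata document itself. The IdP's
        // message-signing certificates inside the document need no import:
        // they are read from the metadata once it is accepted.
        delegate.setMetadataTrustCheck(true);
        // Refuse metadata that carries no signature at all.
        delegate.setMetadataRequireSignature(true);
        // Trust only this keystore alias for the metadata signature. If no
        // aliases are set, every certificate in the keystore is trusted.
        Set<String> trustedKeys = new HashSet<String>();
        trustedKeys.add(IDP_METADATA_SIGNER_ALIAS);
        delegate.setMetadataTrustedKeys(trustedKeys);
        // The answer's other option, trusting the file as delivered, is
        // delegate.setMetadataTrustCheck(false) with no certificate imported.
        return delegate;
    }

    @Bean
    public MetadataManager metadata() throws MetadataProviderException, XMLParserException {
        return new CachingMetadataManager(
                Collections.<MetadataProvider>singletonList(idpMetadata()));
    }
}
```

With the trust check enabled, the entry imported under the trusted alias acts as the trust anchor for the metadata signature's certificate chain, which is what lets a chained signing certificate validate; only the SP's own private key and that anchor need to live in samlKeystore.jks.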