I am in the process of creating a SAML 2.0 response from the IdP to the SP. What I need is to get the values of the SAML 2.0 attributes from the certificate I got. Following are the SAML 2.0 attributes:
```xml
<ds:SignatureValue> value from certificate </ds:SignatureValue>
<ds:DigestValue> value from certificate </ds:DigestValue>
```
And also, can anybody guide me on what exactly the steps are that I need to perform on the SP side to successfully validate the generated SignatureValue from the given certificate?
Thanks!
There is an Oracle tutorial for how to validate XML digital signatures using the java.xml.crypto.dsig APIs:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html
Unfortunately I did not have an easy time actually locating the code samples to download. I did find one bit of the sample validation code here.
Another good article is here.
At some point you'll need to obtain your SP's public key from the certificate and provide it to your validation code - that's covered in the tutorial under the "Using KeySelectors" section. You can use the keytool command to extract it from the certificate and add it to a keystore. Sometimes this comes from key/certificate exchange offline; sometimes the key itself comes within the SAML document as X.509 data within `<KeyInfo>`.
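As an added example (not code from the Oracle tutorial or from the answer above): an SP-side validator using the javax.xml.crypto.dsig API, with a KeySelector that pins the IdP certificate the SP already holds instead of trusting whatever X509Data the incoming message carries. The class name and the assumption that the caller has already loaded the IdP certificate from its keystore are mine.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public final class SamlSignatureValidator {
    // The IdP signing certificate the SP received out of band (assumed: loaded by the caller from its keystore)
    private final X509Certificate trustedIdpCert;
    public SamlSignatureValidator(X509Certificate trustedIdpCert) {
        this.trustedIdpCert = trustedIdpCert;
    }
    // Returns true only if the single ds:Signature in the document verifies under the pinned IdP key
    public boolean validate(byte[] samlXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // XMLDSig elements are namespace-qualified; without this nothing is found
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD => no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(samlXml));
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;  // refuse unsigned documents and multi-signature documents
        // The verification key is always the pinned one; an X509Data in KeyInfo may only confirm it,
        // never substitute a certificate chosen by whoever built the message
        KeySelector pinned = new KeySelector() {
            @Override
            public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m, XMLCryptoContext c)
                    throws KeySelectorException {
                if (ki != null) {
                    for (Object item : ki.getContent()) {
                        if (!(item instanceof X509Data)) continue;
                        for (Object d : ((X509Data) item).getContent()) {
                            if (d instanceof X509Certificate && !trustedIdpCert.equals(d)) {
                                throw new KeySelectorException("KeyInfo certificate is not the trusted IdP certificate");
                            }
                        }
                    }
                }
                return () -> trustedIdpCert.getPublicKey();
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(pinned, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);  // rejects weak/unsafe transforms
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);  // checks SignatureValue, then every Reference's DigestValue
    }
}
```

This covers only the XMLDSig layer: the SP must still confirm that the Signature's Reference covers the Assertion it is about to consume, and then evaluate that assertion's Conditions (audience, validity window).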
Basically, what I'm trying to achieve is making a private key/public certificate pair in order to export it to a PKCS#12 repo. Certificate fields are to be populated with data that a user inserts through standard input or a GUI. This is a problem because I've only been able to find ways of loading an existing certificate and getting its v3 extensions, but not setting them. Additionally, I would like to avoid using any external libraries such as BouncyCastle.
So far I've been able to produce a certificate using the sun.security.tools.keytool.CertAndKeyGen class and an X500Name object, but I haven't found any method for feeding it e-mail info, since X500Name doesn't have an appropriate constructor, nor version 3 extensions (specifically basic constraints, alternative issuer name and key usage).
On the other hand, I have been looking into java.security.cert.CertificateFactory and its generateCertificate() method. It expects an InputStream of a base64-encoded existing certificate as an argument. So, to fulfill my requirement of generating a certificate rather than loading an existing one, I've found a way of getting an InputStream from a String:
```java
InputStream stream = new ByteArrayInputStream(exampleString.getBytes("UTF-8"));
```
I know that this string should begin with BEGIN CERTIFICATE and end with END CERTIFICATE to mimic an actual certificate, but I don't know how to generate it from raw data.
So, to summarize my question: is there a way to programmatically populate an empty X.509 certificate with fields including e-mail and v3 extensions, without using external libraries such as BouncyCastle?
Thanks in advance.
I'm trying to adapt this example to use with GAE: https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
Above example requires a private key (secret) to sign JWT header + payload. AppIdentityService provides a way to sign arbitrary bytes but it does not explain how to verify the signature using PublicCertificate.
I need help identifying 2 things:
How to store and manage secret key in Google App Engine?
How to verify signature using AppIdentityService?
A reference to some working example which uses JWT with GAE would be very helpful.
An adaptation of the example at https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples that should work, if GAE signs using RSASSA-PKCS1-v1_5 using SHA-256, is in the first comment of https://bitbucket.org/b_c/jose4j/issues/33/using-jwt-with-google-app-engine
I have a Java web application. And I want to implement SAML SSO login for my application.
What I am trying to do is:
Need one sample identity provider certificate
Create a separate JSP application which will sign certificate and create assertion for my app.
Upload the public key of the certificate and save in keystore.
Whenever a user tries to log in, the assertion from the JSP application will be created and sent to my web app.
Validate the public key with the key in keystore and proceed further.
Please correct me if I am wrong in this.
Also, where can I find a sample identity provider certificate? Or maybe how to create one?
Also is there any sample JSP application that can create assertion and send to my application?
Thanks.
You can get a free account at PingOne from Ping Identity.
After that you will be provided with certificate and meta information to use PingOne as identity provider.
Also you can try TestShib or OpenIdP.
You can use the keytool command to manage certificates on your local system.
If you use JBoss AS/Wildfly then I suggest using Picketlink, you can find documentation here.
I'm trying to write Java code to authenticate against the Graph API using the Azure Access Control Service (ACS) and OAuth 2.0.
Based on what I've read, there are four steps to this:
Generate an assertion which includes the Service Principal’s X.509 Certificate (alternatively, a symmetric key can also be used).
Present the assertion to the Azure ACS Security Token Service (STS).
ACS accepts the assertion and authenticates the Service Principal, returning a minted OAuth access token (i.e. JWT token).
Subsequent API call submissions include the access token.
Can anyone tell me where I should begin? For example, where can I find the Java API, and how do I generate a symmetric key or an assertion with an X.509 cert? I want to create a Java app which will create users in Office 365, and authenticating is the initial step. Thanks for the help.
I think you would need to start from here:
How to Authenticate Web Users with Windows Azure Access Control Service Using Eclipse - This example uses Windows Live ID for the identity provider, a similar technique could be used for other identity providers as applicable.
Once your Java-based code is authenticating users successfully, you can go ahead and implement further to connect with other providers.
I am trying to implement Spring WS Security using Signature in both server and client side.
I have added the WSS4J interceptors in both client and server configurations.
However, I am getting an exception that states: No WS-Security header found.
I think I need to add some security information to my SOAP request header in my client. But since my WSDLs do not have any security information, the wsdlimport tool does not generate any header-specific method.
I looked at this link : http://forum.springsource.org/archive/index.php/t-52204.html but it does not help in resolving the issue.
Can you please help?
Thanks.
It is an issue of the key store: the server must have a keystore containing the private key, and the client must have a keystore that contains the public key generated from the same private key.