opensaml

问题 I'm trying to integrate the Spring Saml library in a sample webapplication, using Shibboleth as IDP. I'm able to load the login page, to login and to show the index page. The problem is that when I click on other links the webapp redirect me to the login page, then the IDP recognizes me and redirects to the requested page (if the network is fast it's very difficult to see this). It's like I'm not logged in for Spring security. I checked the log and I found this: org.springframework.security

问题 I've seen a bunch of flow chart on how it is passed around between Identity Provider (IdP), Service Provider (SP), and Browser via Redirects. However it seems unnecessary to me right now, so i know i'm missing something. Can someone provide me a use case where a SAML Artifact is required (or very useful) compared to not using one? Thank you. 回答1: Typically, the intent of the artifact binding is to reduce the flow of SAML messages through the browser itself. This could be due to browser

问题 How to validate SAML assertion signatures? for (Assertion assertion : samlResponse.getAssertions()) { try { if (assertion.getSignature() != null) { Optional<X509Certificate> x509Certificate = assertion.getSignature().getKeyInfo().getX509Datas() .stream() .findFirst() .map(x509Data -> x509Data.getX509Certificates() .stream() .findFirst() .orElse(null) ); if (x509Certificate.isPresent()) { BasicX509Credential credential = new BasicX509Credential(); credential.setEntityCertificate(KeyInfoHelper

问题 I am completely new to SAML, I just build the saml but per requirement I also need to add KeyInfo and x509 certificate nodes including client’s public cert, I have used below code to generate the signature element, but dont know how to add KeyInfo & X509Data inside signature. needing help on this? BasicX509Credential signingCredential = new BasicX509Credential(); //Namespace nameSpaceSAML = new Namespace("http://www.w3.org/2000/09/xmldsig#","ds"); KeyStore keyStore = getKeyStore(

问题 The following are just a few samples of logging statements that come out on my Tomcat 7 console. Most are coming from open saml or hibernate and I'm trying to prevent them from coming out. I am using logback and have the root logger and all other loggers at WARN or above and I can't figure out why certain libraries continue to log out INFO and DEBUG level statements. Any ideas? 14:40:45.360 [localhost-startStop-6] DEBUG org.opensaml.xml.XMLConfigurator - {http://docs.oasis-open.org/wss/2004

问题 In SAML metadata file there are several NameID format defined, for example: <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> Can anybody explain what are these used for? What are the differences? 回答1: Refer to Section 8.3 of this SAML core pdf of oasis SAML specification. SP and IdP usually communicate each other

问题 I am trying an Android project using OpenSAML using Eclipse. I have added all the required jar files in the build path. Now, when I run the program as an Android Application the following error shows up: [2012-11-18 11:52:59 - Dex Loader] Unable to execute dex: Cannot merge new index 67075 into a non-jumbo instruction! [2012-11-18 11:52:59 - MyTestProgram] Conversion to Dalvik format failed: Unable to execute dex: Cannot merge new index 67075 into a non-jumbo instruction! I googled a bit, but

问题 I have SP installed on a machine. I need to have it configured to multiple idP depending upon the url. Ex. We have two hosts one.myorg.com and two.myorg.com both point to same module/machine - so same SP. Now I need my sp configured as if one.myorg.com/secure is hit SP should go to https://testshib.com/idp for authentication and else two.myorg.com/secure is hit SP should go to https://myown.idp.com idp. EDIT: It should not ask to choose the idP. 回答1: In case this is still actual, you can find

问题 We have a spring web app, and a third party application which need to know which user is logged in into the Spring application. Once the user is logged in the Spring app, he will have the possibility to access the third-party app in a transparent manner. For that purpose, we have to use SAML (third app need). So the Spring web app will work as an IDP, in an IDP-initiated way. I found OpenSAML library, and this : http://blog.keksrolle.de/2010/07/27/how-to-create-a-valid-saml-2-0-assertion-with

问题 Should a SAML federation software accept the same SAML response as long as it is within the allowed SAML token lifetime? In simpler terms: IDP (identify provider) issues a SAML response, then SP (service provider) accepts/processes it. Can the same unmodified SAML response be then re-used immediately after the first use? Given that the SAML issuance timestamp is within allowed range. Security-wise it makes sense to restrict a SAML token (response) to only one use, so that even if it is stolen