/**
 * Verify the signature of an inbound SAML profile request, choosing the
 * validator by where the signature is carried.
 * <p>
 * The issuer's role descriptor is resolved first from the supplied metadata
 * resolver. If the request carries an embedded XML signature, that signature
 * is validated against the role descriptor via
 * {@link #validateSignatureOnProfileRequest}. If it carries none, validation is
 * delegated to {@link #validateSignatureOnAuthenticationRequest} together with
 * the HTTP request and message context — presumably to cover signatures that
 * travel outside the XML document (e.g. the HTTP-Redirect binding); confirm
 * against that method. An absent embedded signature is therefore not treated
 * as "unsigned" here.
 *
 * @param profileRequest the profile request
 * @param resolver       the metadata resolver for the issuer
 * @param request        the HTTP request that carried the profile request
 * @param context        the message context
 * @throws Exception if the role descriptor cannot be resolved or the selected
 *                   signature validation fails
 */
public void verifySamlProfileRequestIfNeeded(final RequestAbstractType profileRequest,
                                             final MetadataResolver resolver,
                                             final HttpServletRequest request,
                                             final MessageContext context) throws Exception {
    val descriptorResolver = getRoleDescriptorResolver(resolver, context, profileRequest);
    LOGGER.debug("Validating signature for [{}]", profileRequest.getClass().getName());

    val embeddedSignature = profileRequest.getSignature();
    if (embeddedSignature == null) {
        // No XML signature on the document: the other validator is responsible.
        validateSignatureOnAuthenticationRequest(profileRequest, request, context, descriptorResolver);
        return;
    }
    validateSignatureOnProfileRequest(profileRequest, embeddedSignature, descriptorResolver);
}
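/**
 * Validate the XML signature of a SAML request against the tenant credential
 * registered under {@code alias}.
 * <p>
 * A request without an embedded signature is not an error for this method: it
 * returns {@code false} without consulting any credential. Callers that require
 * signed requests must therefore treat a {@code false} result as a rejection.
 * Credential-loading failures are only wrapped when they surface as
 * {@link SignatureException}; any other exception propagates unchanged.
 * <p>
 * NOTE(review): {@code SignatureValidator.validate} performs the cryptographic
 * check only; confirm that the signature's XML structure is profile-validated
 * elsewhere before this result is trusted.
 *
 * @param request    SAML request, this could be either a SAML Request or a
 *                   LogoutRequest
 * @param alias      certificate alias against which the signature is validated
 * @param domainName domain name of the subject
 * @return {@code true} if the request carries a signature that verifies against
 *         the credential; {@code false} if the request carries no signature
 * @throws IdentitySAML2QueryException when the signature is invalid or the
 *                                     credential cannot be loaded
 */
public static boolean validateXMLSignature(RequestAbstractType request, String alias, String domainName)
        throws IdentitySAML2QueryException {
    if (request.getSignature() == null) {
        // Unsigned request: report "not validated"; enforcing a signing policy is the caller's job.
        return false;
    }
    try {
        X509Credential cred = OpenSAML3Util.getX509CredentialImplForTenant(domainName, alias);
        SignatureValidator.validate(request.getSignature(), cred);
        return true;
    } catch (SignatureException e) {
        // One message for both the log line and the exception so they can be correlated.
        String failureMessage = "Unable to validate Signature of the request id:" + request.getID()
                + " with alias:" + alias + " ,domainname: " + domainName;
        log.error(failureMessage, e);
        throw new IdentitySAML2QueryException(failureMessage, e);
    }
}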
getValidatingCertificate(idp, parsedRequest.getIssuer().getValue()); Crypto issuerCrypto = new CertificateStore(new X509Certificate[] {validatingCert}); validateRequestSignature(parsedRequest.getSignature(), issuerCrypto); } else if (signature != null) {