On 5/3/11 4:28 PM, shri kanth s wrote:
> Hi,
>
> I just had a question related to signing SAML Messages using
> OpenSaml.
>
> We are an IDP provider and there are several vendors who use IDP
> services. When a message is initiated from the IDP, the IDP signs the message
> using a private key and the requestor in question validates it using
> the public key provided to them. When the ServiceProvider posts the
> SAML message, they will sign using a private key and the IDP/other
> Service provider verifies the message using a public key.
Just a technical point, but at least as far as SAML is concerned, SP's
typically don't send messages to other SP's, at least not in the common
and widely used profiles like the Web SSO profile.
>
> My question relates to
>
> 1) Can we use the same keystore at the IDP as well at the service
> provider end?
If you mean literally *can* you, yes. Technologically and
cryptographically it would work. If you mean *should* you do this,
absolutely not. This is especially true if the IdP and SP are not
owned/run by the same organization, which I'd gather is the case since
you imply that vendors are running the SP's.
> Which ideally means sharing the same private and public key. What are the
> security implications you can foresee in this scenario?
Keypairs are usually associated, one way or another, with a single
owning logical entity. Knowledge of the private key half of a keypair
means that that party can act as the owner of the keypair. In a SAML
context, this means they can issue protocol messages, assertions, etc. as
if they are coming from the "real" owner of the keypair. It would allow
the SP for example to impersonate the IdP by issuing Assertions that
appear to come from the IdP. This means you've lost the fundamental
cryptographic properties of signer authentication and non-repudiation.
Also, if multiple SP's are using the same keypair, SP 1 would be able to
decrypt data that was encrypted for SP 2 by the IdP and vice versa.
That means a loss of the cryptographic property of confidentiality.
So no, you should not do this. You can consult any number of books,
references on the Internet, etc. on the basics of asymmetric key
cryptography, how it works and the kinds of problems it is intended to
solve.
--Brent
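The two losses Brent describes (signer authentication and confidentiality) can be made concrete in a few lines. The following is an added illustration, not code from the thread or from OpenSAML: it uses textbook RSA over SHA-256 digests with no padding, built only from the Python standard library, and the forged assertion text, entity names and the "session" value are constructed placeholders. Each scenario is run once with a shared keystore and once with a keypair per entity.

```python
"""Why an IdP and its SPs must not share a keypair: with one keystore an SP can
sign as the IdP, and SP 1 can read what the IdP encrypted for SP 2.
Toy textbook RSA (no padding) for illustration only; not a SAML implementation."""
import hashlib
import secrets
from dataclasses import dataclass


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; probabilistic, adequate for a demo."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd prime with the top bit set so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int

    @property
    def public(self):
        return (self.n, self.e)


def generate_keypair(bits=128, e=65537):
    """A distinct toy RSA keypair for one owning entity."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:              # e is prime, so this is gcd(e, phi) == 1
            return KeyPair(p * q, e, pow(e, -1, phi))


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, key):
    return pow(_digest(message, key.n), key.d, key.n)


def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def encrypt(plaintext, public):
    n, e = public
    return pow(plaintext, e, n)


def decrypt(ciphertext, key):
    return pow(ciphertext, key.d, key.n)


# Constructed sample: an assertion that claims to come from the IdP.
FORGED_ASSERTION = b"<Assertion Issuer='https://idp.example.org'>...</Assertion>"


def sp_can_impersonate_idp(shared_keystore):
    """Does an assertion signed at the SP verify under the IdP's public key?"""
    idp_key = generate_keypair()
    sp_key = idp_key if shared_keystore else generate_keypair()
    signature = sign(FORGED_ASSERTION, sp_key)    # produced by the SP, not the IdP
    return verify(FORGED_ASSERTION, signature, idp_key.public)


def sp1_can_read_sp2_secret(shared_keystore):
    """Can SP 1 decrypt a value the IdP encrypted for SP 2?"""
    sp2_key = generate_keypair()
    sp1_key = sp2_key if shared_keystore else generate_keypair()
    secret = int.from_bytes(b"session", "big")   # constructed 56-bit value, below n
    ciphertext = encrypt(secret, sp2_key.public)  # IdP encrypts for SP 2
    return decrypt(ciphertext, sp1_key) == secret


if __name__ == "__main__":
    for shared in (True, False):
        print("shared keystore" if shared else "separate keys",
              "| SP forges IdP signature:", sp_can_impersonate_idp(shared),
              "| SP1 reads SP2 secret:", sp1_can_read_sp2_secret(shared))
```

The verifier in the relying party has only a public key to check against; when the IdP and the SP hold the same private key, a signature made at the SP is indistinguishable from one made at the IdP, which is exactly the loss of signer authentication and non-repudiation described above. Giving each entity its own keypair makes the forged signature fail and the cross-SP decryption fail, which is the whole point of the separation.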
I am getting the SAML response token from ADFS using the request:get-parameter("SAMLResponse", "") method. My question here is whether the parameter name "SAMLResponse" is standard, or whether it can differ depending on the identity provider. I am trying to figure out if it is OK to hardcode "SAMLResponse" or whether to make it configurable.
Thanks.
Gina
Also, OpenSAML makes doing this manual processing unnecessary. We have
components called decoders (and encoders) that handle all of this for you.
1. http://saml.xml.org/saml-specifications
Thanks for your response and the link to the SAML specifications. We are using the HTTP
POST binding and, as you said, according to the spec it must use
"SAMLResponse". I have Assertions and Protocols for the OASIS Security
Assertion Markup Language (SAML) V2.0 OASIS Standard, 15 March 2005, but I
don't remember that it mentions the form control name.
Thanks again.
Gina
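The form control name Gina asks about is defined in the Bindings document of SAML 2.0 (the companion to the Core document she has), not in the Core specification, which is why it is not found there. The following is an added example, not Gina's code and not OpenSAML: it shows the SP side of the HTTP POST binding reading the fixed-name "SAMLResponse" control (and the optional "RelayState" control), and, going a step beyond the thread, the HTTP Redirect binding, which uses the same parameter name but carries a DEFLATE-compressed payload in the query string. The sample Response XML, IDs and URLs are constructed; signature validation and schema checks are deliberately out of scope, which is what OpenSAML's decoders handle.

```python
"""SP-side decoding of the SAML 2.0 HTTP POST and HTTP Redirect bindings.
Constructed example: the control names "SAMLResponse" and "RelayState" are
fixed by the SAML 2.0 Bindings specification, so the SP may hardcode them."""
import base64
import xml.etree.ElementTree as ET
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode

SAMLP_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample Response; a real one also carries Issuer, Signature and Assertion.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2011-05-03T16:28:00Z">'
    '<samlp:Status><samlp:StatusCode Value="' + STATUS_SUCCESS + '"/></samlp:Status>'
    "</samlp:Response>"
)


def build_post_body(response_xml: str, relay_state: Optional[str] = None) -> str:
    """What the IdP's auto-submitting HTML form sends: base64(XML), form-encoded."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def build_redirect_query(response_xml: str) -> str:
    """Redirect binding: raw DEFLATE, then base64, then URL query encoding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: no zlib header
    deflated = compressor.compress(response_xml.encode()) + compressor.flush()
    return urlencode({"SAMLResponse": base64.b64encode(deflated).decode()})


def _parse_response(xml_bytes: bytes) -> dict:
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", SAMLP_NS)
    if status is None:
        raise ValueError("Response has no StatusCode")
    return {"root_tag": root.tag, "status": status.get("Value")}


def _require_saml_response(fields: dict, binding: str) -> str:
    if "SAMLResponse" not in fields:
        raise ValueError(f'{binding} binding requires a "SAMLResponse" parameter')
    return fields["SAMLResponse"][0]


def decode_post_binding(form_body: str) -> dict:
    """Read the fixed-name "SAMLResponse" control from a POST body."""
    fields = parse_qs(form_body, strict_parsing=True)
    xml_bytes = base64.b64decode(_require_saml_response(fields, "HTTP POST"), validate=True)
    result = _parse_response(xml_bytes)
    result["relay_state"] = fields.get("RelayState", [None])[0]
    return result


def decode_redirect_binding(query_string: str) -> dict:
    """Same parameter name, but the payload is DEFLATE-compressed before base64."""
    fields = parse_qs(query_string, strict_parsing=True)
    raw = base64.b64decode(_require_saml_response(fields, "HTTP Redirect"), validate=True)
    xml_bytes = zlib.decompress(raw, -15)                   # raw DEFLATE, no zlib header
    result = _parse_response(xml_bytes)
    result["relay_state"] = fields.get("RelayState", [None])[0]
    return result


if __name__ == "__main__":
    print(decode_post_binding(build_post_body(SAMPLE_RESPONSE_XML, "https://sp.example.org/app")))
    print(decode_redirect_binding(build_redirect_query(SAMPLE_RESPONSE_XML)))
```

A request arriving without a "SAMLResponse" control is rejected rather than searched for alternative names, because the binding leaves the IdP no choice in the matter; what does vary between IdPs is the endpoint URL and the contents of the Response, not the control name. Decoding is only the first step: the decoded Response still has to have its signature and issuer validated before anything in it is trusted.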