I'm new to SAML, so please forgive any stupid questions.

I am on the SP side of a SAML AuthnResponse. It is signed, but the Signature doesn't have a KeyInfo element. However, I do have the metadata file with the public signing key. It seems most of the Signature validation examples assume that there is a KeyInfo, so I'm trying to figure out how to use the public key in the metadata file.

If anyone has an example, please let me know.

FYI, below is what I'm trying. It seems to me that it should work, but I keep getting an invalid signature error. Can you see anything that I'm doing wrong?
    import org.opensaml.DefaultBootstrap;
    import org.opensaml.saml2.core.Response;
    import org.opensaml.saml2.metadata.EntityDescriptor;
    import org.opensaml.saml2.metadata.IDPSSODescriptor;
    import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
    import org.opensaml.security.MetadataCredentialResolver;
    import org.opensaml.security.MetadataCriteria;
    import org.opensaml.xml.security.CriteriaSet;
    import org.opensaml.xml.security.credential.Credential;
    import org.opensaml.xml.security.criteria.EntityIDCriteria;
    import org.opensaml.xml.signature.Signature;
    import org.opensaml.xml.signature.SignatureValidator;

    public void testValidateSignature() throws Exception {
        DefaultBootstrap.bootstrap();

        // Metadata for the IdP; getMetadataProvider() is my own helper.
        DOMMetadataProvider mdProvider = getMetadataProvider();
        EntityDescriptor entityDescriptor = (EntityDescriptor) mdProvider.getMetadata();

        // Resolve the IdP's signing credential from the metadata (no KeyInfo in the message).
        MetadataCredentialResolver mdResolver = new MetadataCredentialResolver(mdProvider);
        CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIDCriteria(entityDescriptor.getEntityID()));
        criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, null));
        Credential signingCredential = mdResolver.resolve(criteriaSet).iterator().next();

        // The parsed AuthnResponse; getAuthnResponse() is my own helper.
        Response authnResponse = getAuthnResponse();
        Signature signature = authnResponse.getAssertions().get(0).getSignature();

        SignatureValidator sigValidator = new SignatureValidator(signingCredential);
        sigValidator.validate(signature); // always throws ValidationException: invalid signature
    }
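Below is an added example of the approach the question describes (validating a KeyInfo-less signature against the signing key published in the IdP's metadata), written for this page and not taken from the poster or from the OpenSAML project. It targets the OpenSAML 2.x API that the post's code uses and differs from that code in three ways a practitioner would want: it parses both documents namespace-aware (a non-namespace-aware parse silently breaks XML Signature references), it runs SAMLSignatureProfileValidator before cryptographic checking, and it checks whichever of Response or Assertion actually carries a Signature rather than assuming the first Assertion. The `idpEntityId` argument and the two input streams are assumptions supplied by the caller; `MetadataSignatureCheck` and `signedParts` are names chosen here.

```java
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.DOMMetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.w3c.dom.Element;

// Hypothetical class name; not part of OpenSAML.
public class MetadataSignatureCheck {

    // Namespace-aware parser shared by both documents. Without setNamespaceAware(true)
    // the Signature's Reference URIs cannot be resolved and every validation fails.
    private static BasicParserPool newParser() {
        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);
        return parser;
    }

    // Parse an XML stream into its OpenSAML object tree.
    private static XMLObject unmarshall(BasicParserPool parser, InputStream in) throws Exception {
        Element root = parser.parse(in).getDocumentElement();
        return Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    // An IdP may sign the Response, each Assertion, or both; collect every candidate.
    private static List<SignableSAMLObject> signedParts(Response response) {
        List<SignableSAMLObject> parts = new ArrayList<SignableSAMLObject>();
        parts.add(response);
        for (Assertion a : response.getAssertions()) {
            parts.add(a);
        }
        return parts;
    }

    // Returns true only if at least one Signature is present and every present
    // Signature is well-formed (SAML profile) and verifies under a signing key
    // that the IdP's metadata publishes for its IDPSSODescriptor role.
    public static boolean verify(InputStream metadataXml, InputStream responseXml,
                                 String idpEntityId) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicParserPool parser = newParser();

        // Trust anchor: signing keys from metadata, not from any KeyInfo in the message.
        Element mdRoot = parser.parse(metadataXml).getDocumentElement();
        DOMMetadataProvider mdProvider = new DOMMetadataProvider(mdRoot);
        mdProvider.initialize();
        MetadataCredentialResolver mdResolver = new MetadataCredentialResolver(mdProvider);
        KeyInfoCredentialResolver kiResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine trustEngine =
            new ExplicitKeySignatureTrustEngine(mdResolver, kiResolver);

        // Which metadata keys are acceptable: this entity, IdP role, signing usage.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(idpEntityId));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                                          SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        Response response = (Response) unmarshall(parser, responseXml);
        SAMLSignatureProfileValidator profile = new SAMLSignatureProfileValidator();

        boolean sawSignature = false;
        for (SignableSAMLObject part : signedParts(response)) {
            Signature sig = part.getSignature();
            if (sig == null) {
                continue;
            }
            sawSignature = true;
            // Rejects non-enveloped signatures and References that point outside the parent.
            profile.validate(sig);
            // Cryptographic check against the metadata credentials; false on key mismatch.
            if (!trustEngine.validate(sig, criteria)) {
                return false;
            }
        }
        return sawSignature;
    }
}
```

The trust engine is the piece that replaces the KeyInfo the message lacks: ExplicitKeySignatureTrustEngine tries every credential the MetadataCredentialResolver returns for the criteria, so the SP never has to pick one key by hand. Two things to verify if this still reports an invalid signature: that the Response object was never re-marshalled between parsing and validation (re-serialising changes the canonical bytes), and that the entity ID passed in matches the `entityID` attribute of the EntityDescriptor that carries the IDPSSODescriptor.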