Hi, I have developed the server side of a web service with Axis2. Now I have to secure this side with SAML 2.0. The client side is developed by another company and already contains the signed SAML assertion (with an X.509 certificate); see an example:
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd" ID="_86bb16eb-3f39-0410-9d53-919a2d5a47b9" Version="2.0" IssueInstant="2007-09-03T19:09:56Z">
  <saml:Issuer>issuer</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>59QJ/N...zTtwPZIw0=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>QKWB9mK...tQnWRFmL78=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIB2DCCAUG...61mFkJn7/Ng=</X509Certificate>
        <X509Certificate>MIIB4jCCAUu...GFe7QdEO</X509Certificate>
        <X509Certificate>MIIB3TCCAUa...BqxwnpnpA==</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sourceID</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
      <saml:SubjectConfirmationData NotOnOrAfter="2007-09-03T20:10:06Z" Recipient="recip_id" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-09-03T19:09:46Z" NotOnOrAfter="2007-09-03T20:10:06Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://adresse</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-09-03T17:44:57Z" SessionIndex="_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  ....

I spent a long time on Google looking for examples of assertion validation, but I didn't find anything... I found some examples of an STS module, but if I understand correctly, this module delivers an assertion, whereas my client's request already contains the assertion.... So I have developed my own Axis2 module to validate the assertion with the OpenSAML library. But I want to know whether it is possible to do the validation with Rampart; for me it would be more secure to use a standard implementation than my own module. Thanks in advance for your help. Regards
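As an added example (not the poster's module, and not Rampart or OpenSAML code), here are the assertion-level checks a relying party still has to run after the XML-DSig library has verified the signature: expected Issuer, exactly one enveloped Signature whose Reference covers this assertion's own ID, the Conditions validity window with tolerated clock skew, the AudienceRestriction, and the SubjectConfirmationData Recipient and expiry. The sample assertion and the expected issuer, audience and recipient values are constructed from the structure in the post; signature verification itself is assumed to be done elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample modelled on the assertion in the post (signature content elided).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="_86bb16eb-3f39-0410-9d53-919a2d5a47b9" IssueInstant="2007-09-03T19:09:56Z">
  <saml:Issuer>issuer</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <Reference URI="#_86bb16eb-3f39-0410-9d53-919a2d5a47b9"/></SignedInfo></Signature>
  <saml:Subject><saml:NameID>sourceID</saml:NameID><saml:SubjectConfirmation
    Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"><saml:SubjectConfirmationData
    NotOnOrAfter="2007-09-03T20:10:06Z" Recipient="recip_id"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2007-09-03T19:09:46Z" NotOnOrAfter="2007-09-03T20:10:06Z">
    <saml:AudienceRestriction><saml:Audience>http://adresse</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""

def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, issuer, audience, recipient, skew=timedelta(minutes=3)):
    """Checks run AFTER signature verification; returns a list of failures (empty == accepted)."""
    root, problems = ET.fromstring(xml_text), []
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("unexpected Issuer")
    # Exactly one enveloped Signature, and its Reference must cover this assertion's own ID
    sigs = root.findall("ds:Signature", NS)
    ref = sigs[0].find("ds:SignedInfo/ds:Reference", NS) if len(sigs) == 1 else None
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        problems.append("Signature does not reference this assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:  # validity window with tolerated clock skew, then audience restriction
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_utc(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_utc(noa):
            problems.append("assertion expired")
        if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            problems.append("audience mismatch")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:  # Recipient (when present) and its own expiry must also hold
        if scd.get("Recipient", recipient) != recipient:
            problems.append("recipient mismatch")
        if scd.get("NotOnOrAfter") and now - skew >= parse_utc(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    return problems
```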