CODEWITHSUNDEEP
spring-securitysaml-2.0spring-saml
avijendr
avijendr

Reputation: 4153

Spring Security SAML - Signature and Decryption

I am trying to use Spring Security SAML as an SP for one of my projects. The SAML2.0 assertion is coming from a 3rd party system and has got a digital signature and the assertion is encrypted.

I tried to create a Java Key store with two certificates/keys (one for signature and one for encryption), but it doesn't work. If I have just one jks for either signature or decryption one of them works. Can't find any examples anywhere where there is signature and decryption used with two certificates/keys. Below is the JKSKeymanager configuration. Any help would be highly appreciated.

Which doesn't work

<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <beans:constructor-arg value="file:${config.location}/defaultSAMLKeyStore.jks"/>
        <beans:constructor-arg type="java.lang.String" value="Welcome1"/>
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key="samlAssertionEncryption" value="Welcome1"/>
                <beans:entry key="samlSignature" value="Welcome1"/>
            </beans:map>
        </beans:constructor-arg>
        <beans:constructor-arg type="java.lang.String" value="samlSignature"/>
</beans:bean>

Where signature/(or) decryption works when we interchange the keys

<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <beans:constructor-arg value="file:${config.location}/defaultSAMLKeyStore.jks"/>
        <beans:constructor-arg type="java.lang.String" value="Welcome1"/>
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key="samlSignature" value="Welcome1"/>
            </beans:map>
        </beans:constructor-arg>
        <beans:constructor-arg type="java.lang.String" value="samlSignature"/>
</beans:bean>

Upvotes: 1

Views: 1939

Answers (1)

avijendr
avijendr

Reputation: 4153

After spending some time, I found that this is not an issue. The Signature validation doesn't need a JKS keystore, as it is validated using the certificate-data/method in the SAML Response/Metadata. The only keystore required by us at the moment is for the decryption of the assertion and it works fine.

Upvotes: 2

Related Questions