I am trying to use Spring Security SAML as an SP for one of my projects. The SAML 2.0 assertion is coming from a 3rd-party system; it has a digital signature and the assertion is encrypted.
I tried to create a Java keystore with two certificates/keys (one for signature and one for encryption), but it doesn't work. If I have just one JKS entry for either signature or decryption, one of them works. I can't find any examples anywhere where signature and decryption are used with two certificates/keys. Below is the JKSKeyManager configuration. Any help would be highly appreciated.
This doesn't work:

<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <!-- keystore file -->
    <beans:constructor-arg value="file:${config.location}/defaultSAMLKeyStore.jks"/>
    <!-- keystore password -->
    <beans:constructor-arg type="java.lang.String" value="Welcome1"/>
    <!-- alias -> key password for each private key the SP uses -->
    <beans:constructor-arg>
        <beans:map>
            <beans:entry key="samlAssertionEncryption" value="Welcome1"/>
            <beans:entry key="samlSignature" value="Welcome1"/>
        </beans:map>
    </beans:constructor-arg>
    <!-- alias of the default key -->
    <beans:constructor-arg type="java.lang.String" value="samlSignature"/>
</beans:bean>
Signature (or decryption) works when we interchange the keys:

<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <!-- keystore file -->
    <beans:constructor-arg value="file:${config.location}/defaultSAMLKeyStore.jks"/>
    <!-- keystore password -->
    <beans:constructor-arg type="java.lang.String" value="Welcome1"/>
    <!-- only one alias -> key password entry -->
    <beans:constructor-arg>
        <beans:map>
            <beans:entry key="samlSignature" value="Welcome1"/>
        </beans:map>
    </beans:constructor-arg>
    <!-- alias of the default key -->
    <beans:constructor-arg type="java.lang.String" value="samlSignature"/>
</beans:bean>
Upvotes: 1
Views: 1939
After spending some time, I found that this is not an issue. The signature validation doesn't need a JKS keystore, as it is validated using the certificate data/method in the SAML Response/Metadata. The only keystore required by us at the moment is for the decryption of the assertion, and it works fine.
Upvotes: 2
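For anyone who still wants both the SP signing key and the assertion decryption key in one keystore, the library lets each role be assigned its own alias through ExtendedMetadata; the following is an added example, not code from the question or the answer. It assumes the keystore and the two aliases shown in the question, a keystore.password property provided from outside the XML (hypothetical name), and that the IdP's signing certificate is taken from the IdP metadata, as the answer describes.

```xml
<!-- Added example: one keystore holding both keys, each with an explicit role. -->
<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <beans:constructor-arg value="file:${config.location}/defaultSAMLKeyStore.jks"/>
    <!-- keystore password resolved from a property source instead of a literal
         in the XML (assumed property name: keystore.password) -->
    <beans:constructor-arg type="java.lang.String" value="${keystore.password}"/>
    <beans:constructor-arg>
        <beans:map>
            <beans:entry key="samlSignature" value="${keystore.password}"/>
            <beans:entry key="samlAssertionEncryption" value="${keystore.password}"/>
        </beans:map>
    </beans:constructor-arg>
    <!-- default alias, used only for a role that is not set explicitly below -->
    <beans:constructor-arg type="java.lang.String" value="samlSignature"/>
</beans:bean>

<!-- Local SP settings: which alias signs outgoing messages and which alias
     decrypts incoming assertions. Wire this bean into the local entity's
     metadata (e.g. the MetadataGenerator's extendedMetadata property) so the
     matching certificates are published in the SP metadata the IdP consumes.
     The IdP's response signature is still checked against the certificate
     from the IdP metadata, not against anything in this keystore. -->
<beans:bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
    <beans:property name="signingKey" value="samlSignature"/>
    <beans:property name="encryptionKey" value="samlAssertionEncryption"/>
</beans:bean>
```

If encryptionKey is left unset the library falls back to the default alias, which is why only one of the two roles worked in the question's configurations.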