[security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
adamdong at vidder.com
Thu Oct 16 11:50:09 EDT 2014
Thanks for the reply. Just to confirm: on SP side, I understand I need to have IDP's cert with public key inside, but do I need to have that cert chain's root CA cert in my trust store; in other words, does picketlink SP side library check trust on root CA ?
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Wednesday, October 15, 2014 2:40 AM
To: Adam Dong
Cc: security-dev at lists.jboss.org
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: security-dev at lists.jboss.org
> Sent: Tuesday, October 14, 2014 9:01:15 PM
> Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
> Instead of having to choose SPPostSignatureFromAuthenticator or
> SPRedirectSignaturFormAuthenticator, can I just use
> ServiceProviderAuthenticator and somehow configure it (in
> picketlink.xml or metadata config file) to do post or redirect ?
Yes, you can. Please, take a look at . You may also check the quickstarts for concrete examples.
> Another question, on SP side, I understand I need to have IDP's cert
> in my SP cert store to be able to validate assertion signature, but do
> I need to have IDP cert's root CA in my trust store ? In other words,
> does SP side code (picketlink library) check IDP cert's issuer against
> SP's trust store ?
Yes, validation is performed on both sides. You need the issuer's public key on the keystore of the verifier.
> security-dev mailing list
> security-dev at lists.jboss.org
More information about the security-dev