Yeah, sorry. You don't need root CA cert in key/trust store. PL does not validates the
cert chain.
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Thursday, October 16, 2014 12:50:09 PM
Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or
HTTP Redirect ?
Pedro,
Thanks for the reply. Just to confirm: on SP side, I understand I need to have IDP's
cert with public key inside, but do I need to have that cert chain's root CA cert in
my trust store; in other words, does picketlink SP side library check trust on root CA ?
Thanks,
Adam
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Wednesday, October 15, 2014 2:40 AM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or
HTTP Redirect ?
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: security-dev(a)lists.jboss.org
Sent: Tuesday, October 14, 2014 9:01:15 PM
Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or
HTTP Redirect ?
Hi,
Instead of having to choose SPPostSignatureFromAuthenticator or
SPRedirectSignaturFormAuthenticator, can I just use
ServiceProviderAuthenticator and somehow configure it (in
picketlink.xml or metadata config file) to do post or redirect ?
Yes, you can. Please, take a look at [1]. You may also check the quickstarts for concrete
examples.
[1]
https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration
[2]
https://github.com/jboss-developer/jboss-picketlink-quickstarts
Another question, on SP side, I understand I need to have IDP's cert
in my SP cert store to be able to validate assertion signature, but do
I need to have IDP cert's root CA in my trust store ? In other words,
does SP side code (picketlink library) check IDP cert's issuer against
SP's trust store ?
Yes, validation is performed on both sides. You need the issuer's public key on the
keystore of the verifier.
Thanks,
Adam
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev