So PL doesn't validate cert chain and I remember it doesn't check the expiration time
of the cert.
Should it do both? Are they part of digital signature verification?
Thanks,
Adam
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Thursday, October 16, 2014 8:52 AM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or
HTTP Redirect ?
Yeah, sorry. You don't need root CA cert in key/trust store. PL does not validate the
cert chain.
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Thursday, October 16, 2014 12:50:09 PM
Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or
HTTP Redirect ?
Pedro,
Thanks for the reply. Just to confirm: on SP side, I understand I need to have IDP's
cert with public key inside, but do I need to have that cert chain's root CA cert in
my trust store; in other words, does picketlink SP side library check trust on root CA ?
Thanks,
Adam
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Wednesday, October 15, 2014 2:40 AM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or
HTTP Redirect ?
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: security-dev(a)lists.jboss.org
Sent: Tuesday, October 14, 2014 9:01:15 PM
Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or
HTTP Redirect ?
Hi,
Instead of having to choose SPPostSignatureFormAuthenticator or
SPRedirectSignatureFormAuthenticator, can I just use
ServiceProviderAuthenticator and somehow configure it (in
picketlink.xml or metadata config file) to do post or redirect?
Yes, you can. Please, take a look at [1]. You may also check the quickstarts for concrete
examples.
[1]
https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration
[2]
https://github.com/jboss-developer/jboss-picketlink-quickstarts
Another question, on SP side, I understand I need to have IDP's cert
in my SP cert store to be able to validate assertion signature, but do
I need to have IDP cert's root CA in my trust store ? In other words,
does SP side code (picketlink library) check IDP cert's issuer against
SP's trust store ?
Yes, validation is performed on both sides. You need the issuer's public key on the
keystore of the verifier.
Thanks,
Adam
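The two checks debated above (validity period and chain of trust of the IdP signing certificate), shown as an added example that is neither PicketLink code nor written by anyone in this thread. It builds throwaway certificates in memory (constructed test material, not a real IdP cert) and applies the checks the thread says PL skips: a validity-window check and a PKIX chain check against a trust store the SP operator controls. Go's standard library is used because it can both create and verify X.509 certificates with no external dependencies; the function names `VerifyIdPCert` and `BuildScenarios` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyIdPCert performs the checks the thread says the SP library does not:
// the certificate must be inside its validity window at `now`, and it must
// chain to a root the SP operator has explicitly placed in the trust store.
func VerifyIdPCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("IdP certificate not valid at %s (valid %s to %s)",
			now.UTC().Format(time.RFC3339),
			cert.NotBefore.UTC().Format(time.RFC3339),
			cert.NotAfter.UTC().Format(time.RFC3339))
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots, // only our own pool, never the system roots
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("IdP certificate does not chain to a trusted root: %w", err)
	}
	return nil
}

// Scenarios holds constructed certificates: one the SP should accept and two
// it should reject, plus the SP's trust store containing a single root.
type Scenarios struct {
	Valid, Expired, Untrusted *x509.Certificate
	Roots                     *x509.CertPool
}

// issue signs template with signer; when parent == template the certificate
// is self-signed, which is how the constructed root CAs below are created.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildScenarios generates throwaway P-256 keys and certificates in memory:
// a trusted root, an untrusted root, and three IdP signing certificates.
func BuildScenarios(now time.Time) (*Scenarios, error) {
	newCA := func(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
		cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
		return cert, key, err
	}
	newLeaf := func(ca *x509.Certificate, caKey *ecdsa.PrivateKey, from, until time.Time) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "idp.example.test"},
			NotBefore: from, NotAfter: until, KeyUsage: x509.KeyUsageDigitalSignature,
		}
		return issue(tmpl, ca, &key.PublicKey, caKey)
	}
	trustedCA, trustedKey, err := newCA("Constructed Trusted Root")
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := newCA("Constructed Untrusted Root")
	if err != nil {
		return nil, err
	}
	s := &Scenarios{Roots: x509.NewCertPool()}
	s.Roots.AddCert(trustedCA) // the SP trusts exactly one root
	if s.Valid, err = newLeaf(trustedCA, trustedKey, now.Add(-time.Hour), now.Add(365*24*time.Hour)); err != nil {
		return nil, err
	}
	if s.Expired, err = newLeaf(trustedCA, trustedKey, now.Add(-48*time.Hour), now.Add(-24*time.Hour)); err != nil {
		return nil, err
	}
	if s.Untrusted, err = newLeaf(rogueCA, rogueKey, now.Add(-time.Hour), now.Add(365*24*time.Hour)); err != nil {
		return nil, err
	}
	return s, nil
}

func main() {
	now := time.Now()
	s, err := BuildScenarios(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid, trusted issuer   ->", VerifyIdPCert(s.Valid, s.Roots, now))
	fmt.Println("expired, trusted issuer ->", VerifyIdPCert(s.Expired, s.Roots, now))
	fmt.Println("valid, untrusted issuer ->", VerifyIdPCert(s.Untrusted, s.Roots, now))
}
```

The point of the example is the second argument to `VerifyIdPCert`: a signature that verifies under the key in a certificate proves nothing unless the certificate itself is currently valid and was issued by a party the SP trusts, so an SP that relies on a library that only checks the signature needs to perform these two checks itself.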
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev