[security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?

Pedro Igor Silva psilva at redhat.com
Thu Oct 16 12:04:17 EDT 2014


Good point. I'm not sure if XML Sig enforce these policies. But only check if the right keys are being used.

Need to take a look into the specs.

----- Original Message -----
From: "Adam Dong" <adamdong at vidder.com>
To: "Pedro Igor Silva" <psilva at redhat.com>
Cc: security-dev at lists.jboss.org
Sent: Thursday, October 16, 2014 12:59:58 PM
Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?

So PL doesn't validate cert chain and I remember it doesn’t check the expiration time of the cert.

Should it do both ? Are they part of digital signature verification ?

Thanks,
Adam

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com] 
Sent: Thursday, October 16, 2014 8:52 AM
To: Adam Dong
Cc: security-dev at lists.jboss.org
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?

Yeah, sorry. You don't need root CA cert in key/trust store. PL does not validates the cert chain.

----- Original Message -----
From: "Adam Dong" <adamdong at vidder.com>
To: "Pedro Igor Silva" <psilva at redhat.com>
Cc: security-dev at lists.jboss.org
Sent: Thursday, October 16, 2014 12:50:09 PM
Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?

Pedro,

Thanks for the reply. Just to confirm: on SP side, I understand I need to have IDP's cert with public key inside, but do I need to have that cert chain's root CA cert in my trust store; in other words, does picketlink SP side library check trust on root CA ?

Thanks,
Adam

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Wednesday, October 15, 2014 2:40 AM
To: Adam Dong
Cc: security-dev at lists.jboss.org
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?

----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: security-dev at lists.jboss.org
> Sent: Tuesday, October 14, 2014 9:01:15 PM
> Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
> 
> Hi,
> 
> Instead of having to choose SPPostSignatureFromAuthenticator or 
> SPRedirectSignaturFormAuthenticator, can I just use 
> ServiceProviderAuthenticator and somehow configure it (in 
> picketlink.xml or metadata config file) to do post or redirect ?

Yes, you can. Please, take a look at [1]. You may also check the quickstarts for concrete examples.

[1] https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration 

[2] https://github.com/jboss-developer/jboss-picketlink-quickstarts

> 
> Another question, on SP side, I understand I need to have IDP's cert 
> in my SP cert store to be able to validate assertion signature, but do 
> I need to have IDP cert's root CA in my trust store ? In other words, 
> does SP side code (picketlink library) check IDP cert's issuer against 
> SP's trust store ?

Yes, validation is performed on both sides. You need the issuer's public key on the keystore of the verifier.

> 
> Thanks,
> Adam
> 
> 
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> 



More information about the security-dev mailing list