3 Replies Latest reply on Dec 13, 2011 12:27 PM by Scott Lopez

    Need sample config for XML Signature Validation and encryption

    Joe Kohut Newbie

      Hi folks,

       

      I have successfully deployed PicketLink 2.0.1 into JBoss EAP 5.1 and I am able to authenticate using the IDP to generate the SAML assertion for the Employee sample app. However, I noticed the SAML assertion is not signed. I have not been able to find any documentation in the 1.0 Guide that works for 2.0 (in fact, the 1.0 guide still has many blank sections). I have found nothing at all for encryption other than a discussion post from November asking for the same information. I like what I have working so far and really appreciate the Community PicketLink efforts, but we cannot continue to pursue PicketLink without substantial examples on how to configure for signed SAML.

       

      If anyone see my flare in the fog and can throw me a line, I'd be grateful. TIA.

        • 1. Re: Need sample config for XML Signature Validation and encryption
          Scott Lopez Newbie

          The way I got the signature to work was to add the following in the picketlink-sts.xml file in the source folder:

           

          <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"

              STSName="PicketLinkSTS" TokenTimeout="7200" EncryptToken="false">

          <!-- START OF KEYS -->

              <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">

                  <Auth Key="KeyStoreURL" Value="sts.jks"/>

                    <Auth Key="KeyStorePass" Value="password"/>

                    <Auth Key="SigningKeyAlias" Value="sts"/>

                    <Auth Key="SigningKeyPass" Value="password"/>

                    <!-- <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/> -->

              </KeyProvider>

          <!-- END OF KEYS -->

              <TokenProviders>

          ... REMAINDER OF CONFIG ...

          • 2. Re: Need sample config for XML Signature Validation and encryption
            Joe Kohut Newbie

            Thanks for replying, Scott.

             

            The only thing I see different in your file is that you commented out:

                <!-- <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/> -->

             

            I still get this behavior:

             

            2011-12-13 11:39:17,942 TRACE [org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] Retrieved saml messages and relay state from sessionsaml Request message=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwOi8vdHRmbHg0MjM6MTgwODAvZW1wbG95ZWUtcG9zdC8iIERlc3RpbmF0aW9uPSJodHRwOi8vdHRmbHg0MjM6MTgwODAvaWRwLyIgSUQ9IklEX2QwMTlmZmIxLTZlMDEtNDQwMy1hNjY5LWYzYWE4OWM2NjMzMCIgSXNzdWVJbnN0YW50PSIyMDExLTEyLTEzVDExOjM5OjA5LjEwNy0wNTowMCIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vdHRmbHg0MjM6MTgwODAvZW1wbG95ZWUtcG9zdC88L3NhbWw6SXNzdWVyPjxzYW1scDpOYW1lSURQb2xpY3kgQWxsb3dDcmVhdGU9InRydWUiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ii8+PC9zYW1scDpBdXRoblJlcXVlc3Q+::SAMLResponseMessage=null:relay state=nullSignature=null::sigAlg=null

             

            You can see that there is no Signature in the request.

            • 3. Re: Need sample config for XML Signature Validation and encryption
              Scott Lopez Newbie

              project_config.png

               

              do you have the jks file that are using in the same directory as the picketlink-sts.xml?  I've enclosed the structure used to create my war file in eclipse.