OpenSAML and XML signatures: Handling intermediate certificates - how?
minfrin at sharp.fm
Mon Jul 29 12:20:40 EDT 2019
I am currently trying to get pac4j-saml (which integrates with java-opensaml) to interoperate with ADFS using the KeyStoreCredentialResolver.
While the KeyStore (a P12 file in this case) contains intermediate certificates, only the first certificate in the store is added to the SAML2 metadata:
ADFS complains that the certificate chain is not trusted, which is 100% true - the intermediate certs are missing, and so there is no way ADFS could verify our certificate.
My question is - what changes do I need to make to read intermediate certificates from the KeyStore and add these intermediate certificates to the SAML2 metadata endpoint?
Is the metadata endpoint supposed to carry the leaf certificate and the intermediates, or just the leaf certificate and have the intermediates in the actual SAML messages, or should it contain the root certificate to be trusted?
I've drawn a blank reading the specs, as they refer to XMLSIG but in a general sense, and I need the specifics.
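An added example, not from the original post nor from pac4j or OpenSAML, using only the JDK: it shows that a P12 key entry's getCertificateChain() returns the intermediates that getCertificate() leaves out, checks that the stored chain actually links before anything is published, and renders the whole chain as the multiple ds:X509Certificate elements an XMLDSig ds:X509Data (and so a SAML metadata KeyDescriptor) may carry. The store path, password and alias are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;

public class MetadataChain {
    // Loads the PKCS12 store and returns the whole chain for the alias, leaf first.
    // ks.getCertificate(alias) would hand back only the leaf; getCertificateChain(alias)
    // also returns the intermediates (and the root, if it was bundled into the P12).
    static X509Certificate[] loadChain(String p12Path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        java.security.cert.Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no private-key entry with a chain for alias " + alias);
        }
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    // Checks that every certificate was issued and signed by the next one before publishing it.
    static void verifyLinks(X509Certificate[] chain) throws Exception {
        for (int i = 0; i + 1 < chain.length; i++) {
            if (!chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
                throw new IllegalStateException("issuer/subject mismatch at chain index " + i);
            }
            chain[i].verify(chain[i + 1].getPublicKey()); // throws if the signature does not check out
        }
    }

    // Renders a ds:X509Data with one ds:X509Certificate per chain element, leaf first.
    static String toX509Data(X509Certificate[] chain) throws Exception {
        StringBuilder sb = new StringBuilder("<ds:X509Data xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n");
        for (X509Certificate cert : chain) {
            sb.append("  <ds:X509Certificate>")
              .append(Base64.getEncoder().encodeToString(cert.getEncoded()))
              .append("</ds:X509Certificate>\n");
        }
        return sb.append("</ds:X509Data>").toString();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path, password and alias; substitute the values for your own store.
        X509Certificate[] chain = loadChain("sp-signing.p12", "changeit".toCharArray(), "sp");
        verifyLinks(chain);
        System.out.println(toX509Data(chain));
    }
}
```

In OpenSAML itself the corresponding switch is X509KeyInfoGeneratorFactory.setEmitEntityCertificateChain(true), assumed here from the OpenSAML 3 API rather than taken from the post.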