OpenSAML and XML signatures: Handling intermediate certificates - how?

Morgan, Andrew Jason morgan at oregonstate.edu
Mon Jul 29 13:02:03 EDT 2019 

Graham,

Hopefully I'm understanding your question correctly...

The certificate in SAML metadata is just a convenient way to convey the public key.  The certificate itself is irrelevant.  Some relying parties will perform TLS validation on the certificate though, so they need to be configured to trust your certificate.  In general, certificates in SAML metadata should be long-lived and self-signed.  See SDP-MD05 in the SAML V2.0 Interoperability Deployment Profile (https://kantarainitiative.github.io/SAMLprofiles/saml2int.html#_metadata_and_trust_management).

Thanks,
Andy

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Graham Leggett <minfrin at sharp.fm>
Sent: Monday, July 29, 2019 9:20 AM
To: Shib Users <users at shibboleth.net>
Subject: OpenSAML and XML signatures: Handling intermediate certificates - how?

Hi all,

I am currently trying to get pac4j-saml (which integrates with java-opensaml) to interoperate with ADFS using the KeyStoreCredentialResolver.

While the KeyStore (a P12 file in this case) contains intermediate certificates, only the first certificate in the store is added to the SAML2 metadata:

https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-security-impl/src/main/java/org/opensaml/security/credential/impl/KeyStoreCredentialResolver.java;h=77b2a7081e8748bc2c867a7b39a4ae0a4987b756;hb=HEAD#l229

ADFS complains that the certificate chain is not trusted, which is 100% true - the intermediate certs are missing, and so there is no way ADFS could verify our certificate.

My question is - what changes do I need to make to read intermediate certificates from the KeyStore and add these intermediate certificates to the SAML2 metadata endpoint?

Is the metadata endpoint supposed to carry the leaf certificate and the intermediates, or just the leaf certificate and have the intermediates in the actual SAML messages, or should it contain the root certificate to be trusted?

I've drawn a blank reading the specs, as they refer to XMLSIG but in a general sense, and I need the specifics.

Regards,
Graham
—

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190729/6580d48b/attachment.html>

More information about the users mailing list