Question

SAML experts please help!!!!

I am very new to SAML and JSP. I want to validate an IDP (identity provider) initiated SAML response token using the OpenSAML library in Java (environment: Linux, Tomcat 6.0) and retrieve the attribute information sent, such as userid, username and email. The SAML response is not encrypted, and I have the IDP's trust certificate installed in my Java keystore. The SAML token profile is "web browser SSO" and it uses the HTTP-POST binding. The certificate has a public key in it. Do I need a private key to validate? What are the steps to be done for a successful validation? Is a digital signature validation alone enough to trust the source? Should I do profile validation or something else? Below is the SAML Response I will be receiving from the IDP. Please let me know if you need any more information. Sorry if I did not give enough information. Please help me... Thanks in advance.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="XYZ" Version="2.0" IssueInstant="2013-07-10T16:43:54Z" Destination="http://www.testsp.com">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.testidp.com:8080/opensso</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xyz" IssueInstant="2013-07-10T16:43:51Z" Version="2.0">
    <saml:Issuer>http://www.testidp.com:8080/opensso</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#xyz">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>...hdfb3454jh545dfbj545423df....=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>..................hsdgysgdyyusgfdfb98738e43hjrg874y474h7y8r............=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>............./KPm0qLP8vCOhyI76AUE6jL NFeTlcAe3B6hOdfKCiu+EtHeZC2i/8jf1rHDNPey4TS1MQj/.......</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://www.testidp.com:8080/opensso" SPNameQualifier="http://www.testsp.com">....Zeq8NhJKRKDXUwx67ytuynwj4n...</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-10T16:53:51Z" Recipient="http://www.testsaml.com/tespsamlmodule" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-10T16:33:51Z" NotOnOrAfter="2013-07-10T16:53:51Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://www.testsaml.com/tespsamlmodule</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-07-10T16:36:35Z" SessionIndex="......erer54t54y45y75666y65y65y....">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="UID">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ab123</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uname">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">robert</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="EmailAddress">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">robert@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Solution

You need to validate the response according to the SAML spec. There is some functionality for doing this in OpenSAML, but it seems the safest bet is to write your own validation code. See http://marc.info/?t=137354098500007&r=1&w=2

You must also validate the signature. As with all signature verification, you use the public key. Here is something I wrote on my blog about OpenSAML signature verification. https://blog.samlsecurity.com/2012/11/verifying-signatures-with-opensaml.html

I have more on signing and encryption using OpenSAML in my book, A Guide to OpenSAML.

Other tips

Here are the steps I followed to implement the single sign-on feature on my web app for an IDP-initiated SAML Response.

Prerequisites:

  1. Import all the required and dependent jar files for the OpenSAML Java library.
  2. Upload the IDP's digital certificate to your Java keystore.
  3. Create a JSP file that is responsible for SAML authentication on your server.
  4. Do different types of validation on the received SAML message to ensure the source (signature validation), message integrity (reference validation) and assertion validity (check the assertion validity time).

Code: This blog gives a great example which will help you to construct your own SAML SP installation.

http://mylifewithjava.blogspot.no/2012/11/verifying-signatures-with-opensaml.html

Download all the required jar files from their archive, which will save you a lot of time downloading dependent versions of the jars. http://www.capcourse.com/Library/OpenSAML
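The steps listed above and the signature advice in the accepted answer, as one added worked example that is not code from either answer or from the OpenSAML project. It uses the OpenSAML 2.x API (the library generation current for a Tomcat 6 deployment; package names differ in OpenSAML 3.x and later). Assumed and not from the page: the keystore path, password and alias "idp-signing", the class name IdpInitiatedResponseValidator, and a 60-second clock skew; the ACS URL and issuer are taken from the sample response in the question. The verification key comes from the local keystore, never from the <ds:KeyInfo> inside the message, so a response signed with some other certificate fails even though it carries its own key.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.*;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;

// Added example (OpenSAML 2.x), not code from the question or answers.
public class IdpInitiatedResponseValidator {
    // Values from the sample response in the question.
    private static final String SP_ACS_URL = "http://www.testsaml.com/tespsamlmodule";
    private static final String EXPECTED_ISSUER = "http://www.testidp.com:8080/opensso";
    private static final int CLOCK_SKEW_SECONDS = 60; // assumed tolerance for IdP/SP clock drift

    private final BasicX509Credential idpCredential;

    // keystorePath/password/alias are assumptions; e.g. ("/etc/sp/keystore.jks", pw, "idp-signing")
    public IdpInitiatedResponseValidator(String keystorePath, char[] password, String alias) throws Exception {
        DefaultBootstrap.bootstrap(); // registers SAML object providers; call once per JVM
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(new FileInputStream(keystorePath), password);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // Trust anchor is the locally installed IdP certificate; only its public key is needed.
        idpCredential = new BasicX509Credential();
        idpCredential.setEntityCertificate(cert);
    }

    /** Takes the raw SAMLResponse form parameter (HTTP-POST binding); returns attributes of the validated assertion. */
    public Map<String, String> validate(String samlResponseParam) throws Exception {
        byte[] xml = Base64.decode(samlResponseParam);
        Element root = Configuration.getParserPool().parse(new ByteArrayInputStream(xml)).getDocumentElement();
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        Response response = (Response) unmarshaller.unmarshall(root);

        if (!StatusCode.SUCCESS_URI.equals(response.getStatus().getStatusCode().getValue()))
            throw new SecurityException("IdP reported a non-success status");
        if (response.getAssertions().size() != 1)
            throw new SecurityException("Expected exactly one assertion");
        Assertion assertion = response.getAssertions().get(0);

        // 1. Signature: profile check (Reference URI must point at the assertion itself, enveloped
        //    transform present) and then the cryptographic check against the keystore certificate.
        Signature signature = assertion.getSignature();
        if (signature == null) throw new SecurityException("Assertion is not signed");
        new SAMLSignatureProfileValidator().validate(signature); // throws ValidationException
        new SignatureValidator(idpCredential).validate(signature); // throws ValidationException

        // 2. Issuer must be the IdP whose certificate we configured.
        if (!EXPECTED_ISSUER.equals(assertion.getIssuer().getValue()))
            throw new SecurityException("Unexpected assertion issuer");

        // 3. Conditions: validity window (with skew) and audience restriction.
        DateTime now = new DateTime();
        Conditions cond = assertion.getConditions();
        if (cond == null || cond.getNotBefore() == null || cond.getNotOnOrAfter() == null)
            throw new SecurityException("Assertion lacks a validity window");
        if (now.plusSeconds(CLOCK_SKEW_SECONDS).isBefore(cond.getNotBefore())
                || !now.minusSeconds(CLOCK_SKEW_SECONDS).isBefore(cond.getNotOnOrAfter()))
            throw new SecurityException("Assertion is outside its validity window");
        boolean audienceOk = false;
        for (AudienceRestriction ar : cond.getAudienceRestrictions())
            for (Audience a : ar.getAudiences())
                if (SP_ACS_URL.equals(a.getAudienceURI())) audienceOk = true;
        if (!audienceOk) throw new SecurityException("Assertion is not intended for this SP");

        // 4. Bearer SubjectConfirmation: Recipient must be our ACS URL and it must not have expired.
        boolean bearerOk = false;
        for (SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) {
            SubjectConfirmationData d = sc.getSubjectConfirmationData();
            if (SubjectConfirmation.METHOD_BEARER.equals(sc.getMethod()) && d != null
                    && SP_ACS_URL.equals(d.getRecipient())
                    && d.getNotOnOrAfter() != null && now.isBefore(d.getNotOnOrAfter()))
                bearerOk = true;
        }
        if (!bearerOk) throw new SecurityException("No valid bearer SubjectConfirmation");

        // 5. Only after every check passes, read the attributes (UID, uname, EmailAddress in the sample).
        Map<String, String> attrs = new HashMap<String, String>();
        for (AttributeStatement st : assertion.getAttributeStatements())
            for (Attribute attr : st.getAttributes()) {
                List<XMLObject> values = attr.getAttributeValues();
                if (!values.isEmpty() && values.get(0) instanceof XSString)
                    attrs.put(attr.getName(), ((XSString) values.get(0)).getValue());
            }
        return attrs;
    }
}
```

Call validate(request.getParameter("SAMLResponse")) from the JSP or servlet that serves the ACS URL and create the local session only from the returned map. Two things the example deliberately leaves to the surrounding application: replay protection (remember each accepted assertion ID until its NotOnOrAfter has passed and reject repeats) and the choice of which failures to log in detail, since the exception messages above are meant for the server log, not for the browser.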

License: CC-BY-SA with attribution
Not affiliated with StackOverflow