Question

I recently inherited a project that is using Spring SAML 2.0, but the code does not seem to be validating the X509 certificate. I can see that it is validating the time stamps and the signature values but not the cert itself. I'm having some trouble finding documentation that clearly explains the process for validating the cert. Does anyone here either have a location where I can find the information I seek or have the ability to explain it?


Solution

The SAML 2 specification just states that the Service Provider (i.e. the consuming application) should validate the signature; it does not require the SP to perform any validation on the certificate itself, i.e. no check is required for the certificate expiration, the validity of the certificate chain, etc. In fact the SAML spec recommends the use of long-lived self-signed certificates; short-lived certificates or certificates that are signed by a CA are discouraged. For more information see this article.

This explains why Spring SAML (and most SAML2 implementations) will not perform validation on the X509 certificate.
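To make the distinction concrete, here is an added Go example (standard library only; not code from the asker's project or from Spring SAML) that signs a constructed assertion with a hypothetical IdP key whose self-signed certificate has already expired: verification against the key pinned from metadata still succeeds, while a PKIX validation of the same certificate is rejected. The key, certificate and assertion bytes are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// MakeExpiredIdPCert: constructed IdP key pair whose self-signed cert expired yesterday.
func MakeExpiredIdPCert() (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(-24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}
// SignAssertion is the IdP side: an RSA/SHA-256 signature over the assertion bytes.
func SignAssertion(key *rsa.PrivateKey, assertion []byte) []byte {
	h := sha256.Sum256(assertion)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return sig
}
// VerifyPinnedKey is the SP's default check: the signature is verified against the public
// key pinned in the IdP metadata; the certificate's expiry and chain are never consulted.
func VerifyPinnedKey(metadataCert *x509.Certificate, assertion, sig []byte) bool {
	h := sha256.Sum256(assertion)
	pub, ok := metadataCert.PublicKey.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
// VerifyPKIX: the stricter check the question asks about (chain to a trusted root plus validity window).
func VerifyPKIX(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
func main() {
	key, cert := MakeExpiredIdPCert()
	msg := []byte("<saml:Assertion>constructed sample</saml:Assertion>")
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	fmt.Println(VerifyPinnedKey(cert, msg, SignAssertion(key, msg)), VerifyPKIX(cert, roots))
}
```

The first value printed is true and the second is an expiry error, which is exactly the gap between "signature is valid" and "certificate is valid" that the answer describes.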

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow