Note

This page is out of date and will be updated after changes to the underlying APIs have been completed.

Trust Engines

Trust engines are used to validate and establish trust of untrusted tokens, such as Credential and Signature instances. They will typically be based on resolving trust material from a trusted information resolver of some kind.

Under the previous API, a trust engine checked that a particular entity's credential is valid and that the entity is acting in accordance with a given role as defined by some SAML 2 Metadata. For example, a trust engine could verify that a service provider attempting to perform an authentication request is in fact the service provider it claims to be, and that it is interacting with the IdP in the appropriate IdP SSO role. Thus a trust engine provided both an authentication and an authorization mechanism.

Using Trust Engines

Trust Engines must implement the org.opensaml.xml.security.trust.TrustEngine interface which provides two methods described below. Particular implementations, some of which are described in the next section, may require some information at construction time, but once you have constructed an instance, the usage will be as described here.

...

The main trust engine interface method is validate(TokenType token, CriteriaSet trustBasisCriteria). A given trust engine implementation will be parameterized with the type of token it processes, such as a Credential or Signature.

Under the previous API, validate(EntityCredential, RoleDescriptor) was used to validate an entity's credential against a given role for a given entity. For example, if a SAML-enabled client is speaking to an identity provider over HTTPS, it may present a client certificate as its credential to the IdP. In order to verify that the client is trusted to operate in a particular capacity, the IdP could create an org.opensaml.security.X509EntityCredential with the client's information and pass in the role that the client SHOULD be acting as. If the method returns true, the client's credentials have been authenticated and it is acting in an appropriate role, and thus the IdP may trust it and process the request.

Verifying Message Signatures

Under the previous API, validate(SignableSAMLObject, RoleDescriptor) was used to validate the digital signature on a message and assure that the client that sent the message is acting appropriately (as described above).

The CriteriaSet parameter of validate(TokenType, CriteriaSet) specifies the criteria for establishing trust. It will typically hold criteria that are passed on to an underlying resolver of trusted information, in the form of one or more instances of org.opensaml.xml.security.Criteria. Typical examples of Criteria include:

  • org.opensaml.xml.security.criteria.EntityIDCriteria - the entity which owns or generated the token that is being processed
  • org.opensaml.xml.security.criteria.UsageCriteria - the usage specifier for a trusted credential
  • org.opensaml.security.MetadataCriteria - the SAML 2 metadata role and protocol associated with an entity whose token is being processed.

Other typical criteria may be found in package org.opensaml.xml.security.criteria.
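The following is an added example, not code from this page or from the OpenSAML project itself, showing how the pieces above fit together for a Signature token: a SignatureTrustEngine backed by a MetadataCredentialResolver, a CriteriaSet built from the three criteria listed, and a single validate call. The class name SignatureTrustExample, the method names and the assumption that a configured MetadataProvider is supplied by the caller are all hypothetical; the OpenSAML 2 classes and constructors used are real.

```java
import javax.xml.namespace.QName;

import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

/**
 * Added example (hypothetical class, not part of OpenSAML): a signature trust
 * engine whose trusted keys come from SAML 2 metadata.
 */
public final class SignatureTrustExample {

    private final SignatureTrustEngine trustEngine;

    /** The MetadataProvider is assumed to be configured and initialized by the caller. */
    public SignatureTrustExample(MetadataProvider metadataProvider) {
        // Trusted material is resolved from metadata. The KeyInfo resolver pulls
        // the key out of the signature's own ds:KeyInfo so the engine can compare
        // it against the trusted credentials the metadata resolver returns.
        MetadataCredentialResolver trustedResolver = new MetadataCredentialResolver(metadataProvider);
        KeyInfoCredentialResolver keyInfoResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        this.trustEngine = new ExplicitKeySignatureTrustEngine(trustedResolver, keyInfoResolver);
    }

    /**
     * Returns true only when the signature is cryptographically valid AND was
     * made with a key the named entity publishes for the given role and protocol.
     */
    public boolean isTrusted(Signature signature, String issuerEntityId, QName role, String protocol)
            throws SecurityException {
        // Reject signatures that do not follow the SAML signature profile (for
        // example unexpected transforms) before any cryptographic work is done.
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            return false;
        }

        // The criteria narrow which trusted credentials the resolver hands to the engine:
        // who the issuer is, which metadata role it must hold, and that the key is a signing key.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(issuerEntityId));
        criteria.add(new MetadataCriteria(role, protocol));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        return trustEngine.validate(signature, criteria);
    }

    /** Common case: a signed SAML 2 message claimed to come from an IdP's SSO role. */
    public boolean isTrustedIdPSignature(Signature signature, String idpEntityId) throws SecurityException {
        return isTrusted(signature, idpEntityId, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS);
    }
}
```

A false result means either that the signature did not verify or that the key used is not one the metadata associates with that entity in that role; the trust engine does not distinguish the two, so log the criteria alongside the outcome when troubleshooting. The profile check runs first because the trust engine only answers the trust question and does not itself reject structurally unusual signatures.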

Verifying Credentials

todo

Verifying XML Signatures

todo