The OpenSAML V2 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
OSTwoUserManJavaTrust
Trust Engines
Trust engines are used to validate and establish trust of untrusted tokens, such as Credential and Signature instances. They will typically be based on resolving trust material from a trusted information resolver of some kind.
Using Trust Engines
Trust Engines must implement the org.opensaml.xml.security.trust.TrustEngine interface. Particular implementations, some of which are described in the next section, may require some information at construction time, but once you have constructed an instance, the usage will be as described here. A given trust engine implementation will be parameterized with the type of token it processes, such as a Credential or Signature.
The main trust engine interface method is validate(TokenType token, CriteriaSet trustBasisCriteria), which has a boolean return type. If true, the token was valid and trusted; if false, it was either invalid or could not be established as trusted. An exception org.opensaml.xml.security.SecurityException is thrown if there is a problem evaluating the token.
The org.opensaml.xml.security.CriteriaSet parameter specifies the criteria for validating the token and establishing trust. This criteria set will contain one or more instances of org.opensaml.xml.security.Criteria. The mandatory and optional types of criteria which can be supplied in the set are specific to a particular trust engine implementation. In turn, these are typically directly related to (and often wholly defined by) the requirements of an underlying trusted information resolver, such as org.opensaml.xml.security.credential.CredentialResolver and org.opensaml.xml.security.x509.PKIXValidationInformationResolver.
Typical examples of Criteria include:
- org.opensaml.xml.security.criteria.EntityIDCriteria - the entity which owns or generated the token that is being processed
- org.opensaml.xml.security.criteria.UsageCriteria - the usage specifier for a trusted credential
- org.opensaml.security.MetadataCriteria - the SAML 2 metadata role and protocol associated with an entity whose token is being processed
Other typical criteria may be found in package org.opensaml.xml.security.criteria.
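The following is an added example, not code from the OpenSAML project or this page, showing the validate(token, criteria) call described above with a Credential-typed engine. It uses org.opensaml.xml.security.trust.ExplicitKeyTrustEngine, which trusts a token only when its key matches one of the credentials returned by its CredentialResolver, and a StaticCredentialResolver holding the trusted material. The entity IDs and the freshly generated RSA keys are constructed values for the example, and the xmltooling/OpenSAML 2 jars are assumed to be on the classpath.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.trust.ExplicitKeyTrustEngine;
import org.opensaml.xml.security.trust.TrustEngine;

public class TrustEngineExample {

    // Trusted signing credential for an entity; entity ID is a constructed example value.
    static BasicCredential trustedCredential(String entityId, KeyPair kp) {
        BasicCredential cred = new BasicCredential();
        cred.setEntityId(entityId);
        cred.setUsageType(UsageType.SIGNING);
        cred.setPublicKey(kp.getPublic());
        return cred;
    }

    // Untrusted token as a peer might present it: a bare public key, no entity ID.
    static BasicCredential presentedCredential(KeyPair kp) {
        BasicCredential cred = new BasicCredential();
        cred.setPublicKey(kp.getPublic());
        return cred;
    }

    // Criteria that drive the underlying resolver: this entity's signing credentials only.
    static CriteriaSet signingCriteriaFor(String entityId) {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(entityId));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return criteria;
    }

    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // initialises the OpenSAML global configuration

        String idpEntityId = "https://idp.example.org/idp"; // constructed example entity ID
        KeyPair trustedKeys = newKeyPair();
        KeyPair unrelatedKeys = newKeyPair();

        // The trusted information resolver: a fixed set of credentials we trust.
        StaticCredentialResolver resolver =
            new StaticCredentialResolver(trustedCredential(idpEntityId, trustedKeys));

        // Engine parameterized on Credential tokens; trust is by explicit key match.
        TrustEngine<Credential> engine = new ExplicitKeyTrustEngine(resolver);

        CriteriaSet criteria = signingCriteriaFor(idpEntityId);

        // Key matches the resolved trusted credential.
        boolean trusted = engine.validate(presentedCredential(trustedKeys), criteria);
        System.out.println("matching key trusted: " + trusted);

        // Key matches nothing the resolver returns for this entity.
        boolean unrelated = engine.validate(presentedCredential(unrelatedKeys), criteria);
        System.out.println("unrelated key trusted: " + unrelated);

        // Same token, but the criteria name a different entity, so the resolver
        // yields no credentials to compare against.
        CriteriaSet otherEntity = signingCriteriaFor("https://other.example.org/idp");
        boolean wrongEntity = engine.validate(presentedCredential(trustedKeys), otherEntity);
        System.out.println("trusted key under wrong entity ID: " + wrongEntity);
    }
}
```

The matching key validates as trusted and the unrelated key does not; a SecurityException (rather than false) would indicate an evaluation problem, such as a resolver failure, and should be handled separately from an untrusted result. The same resolver can back a Signature-typed engine (org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine takes the CredentialResolver plus a KeyInfoCredentialResolver), and the CriteriaSet passed to validate is built the same way.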
Verifying Credentials
todo
Verifying XML Signatures
todo