0
votes

I was reading the spring security saml doc site: http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#configuration-security-profiles-pkix

I am just having a hard time understanding how the PKIX profile works.

From my understanding, when the IdP sends back a SAML response, it will sign the response to show the validity of the message.

In MetaIOP, the SP will use the key from the IdP's metadata to verify the signature on the response.

PKIX seems like an extension of MetaIOP; it will do MetaIOP's check and also this:

All keys specified in trustedKeys set of extended metadata of a remote entity, or all keys available in the key store when the property is null (default value)

I just don't understand the above statement. What is the key store referred to here? The local keystore?

I hope someone can clarify this for me.

1 Answer

1
votes

The keystore referenced in the documentation is the samlKeystore.jks of the sample application.

While MetaIOP needs to have the exact version of the certificate which will be used for signatures, PKIX uses verification based on trusted certification authorities (just like e.g. web browsers do), which means you don't need to have the exact certificate used for the signature in advance, as long as it's issued by one of the CAs you trust. PKIX also verifies e.g. the certificate validity period (and performs the other checks of certification path validation in RFC 5280: https://en.wikipedia.org/wiki/Certification_path_validation_algorithm). Those are the key differences.
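The two trust rules contrasted in the answer, as an added illustration that is not part of the original answer and is not Spring Security SAML or OpenSAML code. It is written in Go because the standard library can mint a CA and leaf certificates and run RFC 5280 path validation offline; the CA name, the hostnames and the key store aliases (`idpCA`, `sp`) are made up for the example. `MetaiopTrusted` requires the exact certificate from the IdP metadata; `PkixTrusted` accepts any certificate that chains to a trust anchor taken from the key store, restricted to the aliases in `trustedKeys` or, when that is nil, every entry, mirroring the documented null default. In Spring Security SAML the corresponding knobs are the `securityProfile` (`metaiop` or `pkix`) and `trustedKeys` properties of `ExtendedMetadata`, and the key store is the one wired into the `JKSKeyManager` bean (samlKeystore.jks in the sample application).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed certificates; all names and aliases are made up for this example.
type Scenario struct {
	Metadata *x509.Certificate            // IdP signing cert exactly as published in the IdP metadata
	Rotated  *x509.Certificate            // replacement IdP cert from the same CA after a key rotation
	Expired  *x509.Certificate            // IdP cert from the same CA whose validity period has ended
	Rogue    *x509.Certificate            // self-signed cert that merely claims the IdP's name
	Keystore map[string]*x509.Certificate // stands in for samlKeystore.jks: "idpCA" is the trusted CA, "sp" our own cert
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a fresh P-256 key and a certificate for it, signed by signer under parent.
// A nil parent means the certificate is self-signed with its own new key.
func issue(serial int64, cn string, notBefore, notAfter time.Time, ca bool,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  ca,
		BasicConstraintsValid: ca,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildScenario constructs the CA, the IdP certificates and the SP key store in memory.
func BuildScenario() Scenario {
	now, year := time.Now(), 365*24*time.Hour
	ca, caKey := issue(1, "Example IdP CA", now.Add(-time.Hour), now.Add(10*year), true, nil, nil)
	metadata, _ := issue(2, "idp.example.org", now.Add(-time.Hour), now.Add(year), false, ca, caKey)
	rotated, _ := issue(3, "idp.example.org", now.Add(-time.Hour), now.Add(year), false, ca, caKey)
	expired, _ := issue(4, "idp.example.org", now.Add(-2*year), now.Add(-year), false, ca, caKey)
	rogue, _ := issue(5, "idp.example.org", now.Add(-time.Hour), now.Add(year), false, nil, nil)
	sp, _ := issue(6, "sp.example.org", now.Add(-time.Hour), now.Add(year), false, nil, nil)
	return Scenario{Metadata: metadata, Rotated: rotated, Expired: expired, Rogue: rogue,
		Keystore: map[string]*x509.Certificate{"idpCA": ca, "sp": sp}}
}

// MetaiopTrusted is the MetaIOP rule: the signing certificate must be byte-for-byte one of the certificates in the IdP's metadata.
func MetaiopTrusted(signing *x509.Certificate, metadataCerts ...*x509.Certificate) bool {
	for _, m := range metadataCerts {
		if bytes.Equal(signing.Raw, m.Raw) {
			return true
		}
	}
	return false
}

// PkixTrusted is the PKIX rule: validate a certification path (RFC 5280, validity periods included) from the
// signing cert to a trust anchor: the key store entries named in trustedKeys, or every entry when trustedKeys is nil.
func PkixTrusted(signing *x509.Certificate, keystore map[string]*x509.Certificate, trustedKeys map[string]bool) error {
	anchors := x509.NewCertPool()
	for alias, cert := range keystore {
		if trustedKeys == nil || trustedKeys[alias] {
			anchors.AddCert(cert)
		}
	}
	_, err := signing.Verify(x509.VerifyOptions{
		Roots:     anchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // don't demand Go's default TLS server EKU on a SAML signing cert
	})
	return err
}

func main() {
	s := BuildScenario()
	fmt.Println("MetaIOP accepts rotated cert:", MetaiopTrusted(s.Rotated, s.Metadata))
	fmt.Println("PKIX accepts rotated cert:   ", PkixTrusted(s.Rotated, s.Keystore, map[string]bool{"idpCA": true}) == nil)
	fmt.Println("PKIX rejects expired cert:   ", PkixTrusted(s.Expired, s.Keystore, nil))
	fmt.Println("PKIX rejects rogue cert:     ", PkixTrusted(s.Rogue, s.Keystore, nil))
}
```

Run it with `go run`: the rotated certificate fails MetaIOP (it is not the certificate from metadata) but passes PKIX (same CA), while the expired and the self-signed certificates fail PKIX with a validity error and an unknown-authority error respectively. The case worth noticing is the default: with `trustedKeys` unset, every certificate in the key store, the SP's own included, becomes a trust anchor, so either keep the SAML key store limited to certificates you actually mean to trust or name the IdP's CA aliases explicitly in `trustedKeys`.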