/**
* Validate the signature of a SAML2 Response and Assertion
*
* @param response SAML2 Response
* @return true, if signature is valid.
*/
private void validateSignature(Response response, Assertion assertion) throws SAMLSSOException {
if (SSOUtils.isAuthnResponseSigned(properties)) {
if (identityProvider.getCertificate() == null
|| identityProvider.getCertificate().isEmpty()) {
throw new SAMLSSOException(
"SAMLResponse signing is enabled, but IdP doesn't have a certificate");
}
if (response.getSignature() == null) {
throw new SAMLSSOException(
"SAMLResponse signing is enabled, but signature element "
+ "not found in SAML Response element.");
} else {
try {
X509Credential credential =
new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(response.getSignature());
} catch (ValidationException e) {
throw new SAMLSSOException("Signature validation failed for SAML Response", e);
}
}
}
if (SSOUtils.isAssertionSigningEnabled(properties)) {
if (identityProvider.getCertificate() == null
|| identityProvider.getCertificate().isEmpty()) {
throw new SAMLSSOException(
"SAMLAssertion signing is enabled, but IdP doesn't have a certificate");
}
if (assertion.getSignature() == null) {
throw new SAMLSSOException(
"SAMLAssertion signing is enabled, but signature element "
+ "not found in SAML Assertion element.");
} else {
try {
X509Credential credential =
new X509CredentialImpl(tenantDomain, identityProvider.getCertificate());
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(assertion.getSignature());
} catch (ValidationException e) {
throw new SAMLSSOException("Signature validation failed for SAML Assertion", e);
}
}
}
}
