For any who are interested, it looks like I've solved this particular issue. I had to retrieve the X.509 certificate from the Signature, build a SAMLKeyInfo object, then use AssertionWrapper's verify to validate the signature. I also needed a few extra packages in my pom. Here's some code, minus a bunch of error checking:
    import java.security.cert.X509Certificate;
    import org.apache.ws.security.saml.SAMLKeyInfo;
    import org.apache.ws.security.saml.ext.AssertionWrapper;
    import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
    import org.opensaml.xml.signature.KeyInfo;
    import org.opensaml.xml.signature.Signature;

    // Wrap the assertion DOM element returned by the STS
    AssertionWrapper assertion = new AssertionWrapper(token.getToken());
    // Pull the X.509 certificate out of ds:Signature/ds:KeyInfo
    Signature sig = assertion.getSignature();
    KeyInfo ki = sig.getKeyInfo();
    X509Certificate cert = KeyInfoHelper.getCertificates(ki).get(0);
    // Hand that certificate to WSS4J to verify the signature
    SAMLKeyInfo samlKI = new SAMLKeyInfo(new X509Certificate[]{cert});
    assertion.verifySignature(samlKI);

Obviously, this assumes there's always an X.509 cert in the Signature, which in my case is always true. If not, you'd have to retrieve the cert from somewhere else.

I also needed a few additional pom dependencies:

    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk16</artifactId>
        <version>1.45</version>
    </dependency>
    <dependency>
        <groupId>ca.juliusdavies</groupId>
        <artifactId>not-yet-commons-ssl</artifactId>
        <version>0.3.9</version>
    </dependency>

I'm not 100% sure I needed Bouncy Castle, but I was addressing some warnings that popped up in my log with it, and including it seemed to make it happy. OpenSAML 2 requires org.apache.commons.ssl.TrustMaterial, which is in the not-yet-commons-ssl package - which was hard (for me) to figure out for some reason.

In any case, problem solved. Hopefully this info helps someone else out.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA)
Sent: Monday, September 29, 2014 2:38 PM
To: users@cxf.apache.org
Subject: Verifying signature on AssertionWrapper

In the legacy code that I am porting up to CXF 2.7, there is some code that gets a SAML assertion from an STS and verifies the signature:

    SecurityToken token = this.stsClient.requestSecurityToken();
    SAMLAssertion assertion = new SAMLAssertion(token.getToken());
    assertion.verify();

OpenSAML 2 no longer has a verify() method, so I thought I would replace it with something like:

    SecurityToken token = this.stsClient.requestSecurityToken();
    AssertionWrapper assertion = new AssertionWrapper(token.getToken());
    assertion.verifySignature(assertion.getSignatureKeyInfo());

The problem is, the getSignatureKeyInfo() method returns null.
The signature block out of the assertion looks like this:

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            ...
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>

So, there is an X509 credential there as part of the signature, I just can't seem to get at it. Trying to access the signing credential via the OpenSAML Signature object had the same problem. So it seems obvious that I'm missing something somewhere along the line here, but I can't figure out what. Can someone point me in the right direction?

Thanx,
Stephen W. Chappell
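An added example, not code from this thread or from CXF/WSS4J themselves: it performs the same embedded-certificate signature check as the reply above and then validates that certificate against a local truststore with the JDK PKIX validator, so that an assertion signed with an arbitrary certificate placed in ds:KeyInfo fails the trust step instead of being accepted. The class name, the method name and the trustStore parameter are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.signature.Signature;
import org.w3c.dom.Element;

public final class AssertionVerifier {

    /**
     * Verifies the XML signature on a SAML assertion with the certificate
     * embedded in ds:KeyInfo, then checks that the certificate chains to a
     * CA in the given truststore. trustStore (an assumption) is a KeyStore
     * holding only the STS's issuing CA certificate(s).
     */
    public static X509Certificate verify(Element assertionElement, KeyStore trustStore)
            throws Exception {
        AssertionWrapper assertion = new AssertionWrapper(assertionElement);
        Signature sig = assertion.getSignature();
        if (sig == null || sig.getKeyInfo() == null) {
            throw new SecurityException("Assertion is unsigned or carries no KeyInfo");
        }
        List<X509Certificate> certs = KeyInfoHelper.getCertificates(sig.getKeyInfo());
        if (certs.isEmpty()) {
            throw new SecurityException("No X.509 certificate in ds:KeyInfo");
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);

        // Step 1: cryptographic check; proves the holder of chain[0]'s key signed it
        assertion.verifySignature(new SAMLKeyInfo(chain));

        // Step 2: trust check; proves chain[0] was issued by a CA in trustStore.
        // Step 1 alone accepts any certificate the sender chose to embed.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP available here
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return chain[0];
    }
}
```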