I have a controller which takes the base64-encoded SAML response as the body, and I want to check whether my SAML response has been tampered with. I have a public key which I got from the metadata file. Is this the right way to extract the public key from the metadata and convert it to an X509Certificate? Also, how do I validate the signature and the public key? Any blog or anything related would be much appreciated. I'm using OpenSAML v2.5.1-1.
import java.security.cert.X509Certificate;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.signature.Signature;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

@PostMapping("/saml")
public void samlValidation(@RequestBody String samlBody) throws Exception {
    // Base64-decode the SAML response and unmarshall it into an OpenSAML Response
    // (unmarshall() is a helper that is not shown in the post)
    Response response = (Response) unmarshall(samlBody);
    // Extract the enveloped XML signature from the response (null if the response is unsigned)
    Signature signature = response.getSignature();
    // Build a java.security.cert.X509Certificate from the metadata's <ds:X509Certificate> content;
    // buildJavaX509Cert expects that base64 certificate string (held here in the field named publicKey)
    X509Certificate cert = SecurityHelper.buildJavaX509Cert(publicKey);
}
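The signature check that the question is asking for, written out end to end with the OpenSAML 2 API (this is an added example, not code from the question or from the OpenSAML project). It assumes the base64 body of the IdP metadata's `<ds:X509Certificate>` element is passed in as `idpBase64Cert`; the class name `SamlSignatureVerifier` and the hypothetical `parse`/`verify`/`check` methods are my own. The key is pinned from metadata and the response's own `<ds:KeyInfo>` is never consulted, and `SAMLSignatureProfileValidator` runs before the cryptographic check so that a signature whose reference does not cover the element being trusted (the classic XML signature wrapping setup) is rejected.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Verifies SAML 2 response/assertion signatures against a certificate pinned from IdP metadata. */
public class SamlSignatureVerifier {

    private final BasicX509Credential idpCredential;  // pinned verification key, never taken from the message
    private final BasicParserPool parserPool;

    /** idpBase64Cert: the base64 text inside the metadata's ds:X509Certificate (no PEM header/footer). */
    public SamlSignatureVerifier(String idpBase64Cert) throws Exception {
        DefaultBootstrap.bootstrap();  // registers OpenSAML builders/unmarshallers; call once per JVM
        X509Certificate cert = SecurityHelper.buildJavaX509Cert(idpBase64Cert);
        idpCredential = new BasicX509Credential();
        idpCredential.setEntityCertificate(cert);  // public key for SignatureValidator comes from this cert

        parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);  // required for ds:/saml2: element resolution
        // Hardening (assumed available on this parser pool): refuse DOCTYPE so entity expansion/XXE
        // cannot be used against the XML parser before the signature is ever checked.
        parserPool.setBuilderFeatures(Collections.singletonMap(
                "http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE));
    }

    /** Base64-decode the POSTed body and unmarshall it into an OpenSAML Response object. */
    public Response parse(String base64Body) throws Exception {
        byte[] xml = Base64.getDecoder().decode(base64Body.trim());
        Document doc = parserPool.parse(new ByteArrayInputStream(xml));
        Element root = doc.getDocumentElement();
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        XMLObject obj = unmarshaller.unmarshall(root);
        if (!(obj instanceof Response)) {
            throw new SecurityException("Body is not a samlp:Response but " + root.getLocalName());
        }
        return (Response) obj;
    }

    /** Every assertion we are going to trust must be covered by a verified signature. */
    public void verify(Response response) throws ValidationException {
        boolean responseSigned = response.getSignature() != null;
        if (responseSigned) {
            check(response.getSignature());  // enveloped signature over the whole Response
        }
        for (Assertion assertion : response.getAssertions()) {
            if (assertion.getSignature() != null) {
                check(assertion.getSignature());
            } else if (!responseSigned) {
                throw new ValidationException("Assertion " + assertion.getID()
                        + " is neither signed nor covered by a Response signature");
            }
        }
        if (!responseSigned && response.getAssertions().isEmpty()) {
            // Unsigned response with no plaintext assertions: nothing here is trustworthy.
            // (Encrypted assertions must have their own signature checked after decryption.)
            throw new ValidationException("Unsigned Response carries no signed assertions");
        }
    }

    private void check(Signature signature) throws ValidationException {
        // 1. Structural check: a single enveloped signature whose Reference URI points at the
        //    ID of its own parent element, with only the transforms the SAML profile allows.
        new SAMLSignatureProfileValidator().validate(signature);
        // 2. Cryptographic check against the pinned IdP key; throws ValidationException on mismatch.
        new SignatureValidator(idpCredential).validate(signature);
    }
}
```

Usage from the controller in the question is `Response r = verifier.parse(samlBody); verifier.verify(r);`, with a `ValidationException` or `SecurityException` mapped to a rejected login. Two things to keep in mind: `buildJavaX509Cert` takes the base64 certificate from metadata, not a bare public key, so what the question calls "public key" should be the certificate text; and a verified signature only proves the IdP produced the XML. Before trusting the assertion you still need to check `Issuer` against the metadata entityID, `Destination` against your ACS URL, `InResponseTo` against the AuthnRequest you sent, the `Conditions` time window and `AudienceRestriction`, and reject replayed assertion IDs.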