Can the Gateway validate x509 certificate with its signature against a certificate in the store


Article ID: 278825


Products

CA API Gateway

Issue/Introduction

There is a requirement to validate the signature of an incoming SOAP AuthN request against an x509 certificate in the certificate store. The gateway is using the internal identity provider.

Environment

API Gateway 10.x, 11.x

Resolution

When validating a signed SAML AuthN Request, the gateway parses the KeyInfo element (as the specification describes). If you want to bypass the KeyInfo in the incoming request, the gateway can instead validate the signature against an x509 certificate that has been loaded into the gateway certificate store:

  1. Install the x509 certificate using Policy Manager - Certificate Manager: add the certificate and check "Certificate is a Trust Anchor".
  2. For the incoming AuthN request, store the SOAP request in a context variable in the policy.
  3. Add the assertion "(Non-SOAP) Verify XML Element Assertion" to the Policy Development window.
  4. Right-click the assertion, then "Select Message Target": check "Other Context Variable" and enter the context variable used to save the AuthN Request (i.e. RequestToGW from the screen capture).
  5. Select the certificate in the Signature Settings.
  6. MUST check "Always override KeyInfo in signature element with selected certificate".
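To show what the override in step 6 means at the XML-DSig level, here is an added Java example (not Gateway code, and not from the Broadcom documentation): a KeySelector that never consults <ds:KeyInfo> and verifies the signature only under a certificate loaded from a trust store file. The file paths, the single-signature requirement and the check that the signed reference covers the AuthnRequest root are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class PinnedCertVerifier {

    /** Equivalent of "Always override KeyInfo": ds:KeyInfo is ignored, the pinned cert always wins. */
    static final class PinnedKeySelector extends KeySelector {
        private final X509Certificate pinned;
        PinnedKeySelector(X509Certificate pinned) { this.pinned = pinned; }
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext ctx) {
            // Whatever the sender placed in <ds:KeyInfo> is never consulted.
            return () -> pinned.getPublicKey();
        }
    }

    static boolean verify(Document doc, X509Certificate pinned) throws Exception {
        Element root = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false; // exactly one enveloped signature expected (assumption)
        DOMValidateContext ctx = new DOMValidateContext(new PinnedKeySelector(pinned), sigs.item(0));
        ctx.setIdAttributeNS(root, null, "ID"); // SAML's ID attribute is what URI="#..." refers to
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false; // SignatureValue and all digests under the pinned key
        // The single signed reference must cover the AuthnRequest root itself, not another element
        List<Reference> refs = sig.getSignedInfo().getReferences();
        return refs.size() == 1 && ("#" + root.getAttribute("ID")).equals(refs.get(0).getURI());
    }

    public static void main(String[] args) throws Exception {
        // args[0]: signed AuthnRequest XML file, args[1]: trust-anchor certificate file (assumed paths)
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
        X509Certificate pinned;
        try (FileInputStream in = new FileInputStream(args[1])) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(verify(doc, pinned) ? "signature valid under pinned certificate" : "INVALID");
    }
}
```

With the selector above, a request whose <ds:KeyInfo> carries a different certificate still fails verification, which is the behaviour the override checkbox gives you in the Gateway.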


Additional Information

Always override KeyInfo in signature element with selected certificate - Select this check box to always use the selected certificate, regardless of whether the <ds:keyInfo> element specifies a certificate.

Clear this check box to use the selected certificate only if the <ds:keyInfo> element does not specify a certificate. If it does, it will be used instead of the selected certificate. This setting is the default.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/policy-assertions/assertion-palette/xml-security-assertions/non-soap-verify-xml-element-assertion.html