...
Generate the JSON Web Signature (JWS) according to the specified format and content. Ensure that it includes the necessary claims, such as iss, exp, iat, version, cache_ttl, and entities, as defined in the specification.
Understanding the cache_ttl Claim
The cache_ttl claim is a critical component of the JWS. It defines the time-to-live, in seconds, for caching the data within the JWS: it governs how long the metadata may be cached before it must be refreshed by fetching updated data.
The cache_ttl claim keeps the information contained within the JWS fresh and accurate, so the metadata should be retrieved and updated within this cache TTL period.
Understanding the exp Claim
In addition to the cache_ttl claim, it's vital to understand the significance of the exp claim, short for "Expiration Time." The exp claim specifies the timestamp after which the data contained within the JWS is no longer considered valid. Beyond this timestamp, the data should not be considered reliable or usable.
The exp claim is particularly important when it's not possible to fetch updated data within the cache_ttl period. It safeguards against using outdated or potentially inaccurate information.
...
Sign the JWS using the recommended algorithm, ECDSA with P-256 and SHA-256 ("ES256"). Ensure that you include the required headers in the JWS, such as alg and x5t#S256, as specified in the specification.
...
- Validate the Digital Signature: To verify the authenticity of the metadata, use the alg (Algorithm) and x5t#S256 header claims in the JWS header.
x5t#S256 Claim: This claim specifies the thumbprint of the X.509 certificate that corresponds to the signing key used for creating the JWS. To ensure trust and authenticity in the metadata exchange process, it is imperative that this thumbprint matches the thumbprint of the X.509 certificate contained within the SAML metadata.
- Retrieve the Certificate: Begin by extracting the X.509 certificate from the SAML metadata. This certificate is found within the <ds:X509Certificate> element, which resides inside the <grie:GroupRepresentative> element.
- Calculate the Thumbprint: Calculate the thumbprint of the retrieved X.509 certificate (see Understanding the x5t#S256 Header Claim).
- Comparison: Compare the calculated thumbprint with the value of the x5t#S256 claim in the JWS header. If these thumbprints do not match, it indicates a potential security issue, and the metadata should not be trusted.
- Validate the Signature: At this stage, the signature validation process should be carried out. While the exact implementation details depend on the programming language and libraries you're using, it typically involves the following steps:
- Retrieve the JWS signature from the metadata.
- Verify the signature using the public key associated with the certificate. The algorithm used for verification should match the one specified in the alg claim; since the specification recommends ES256, a verifier should accept only that algorithm and reject a JWS whose alg header names anything else.
- Check the exp Claim: Verify the exp (Expiration Time) claim in the JWS payload. Ensure that the current timestamp is before the specified expiration time. If the data is past its expiration time, it should not be considered valid.
- Check the Issuer (iss) Claim: Verify that the iss (Issuer) claim in the JWS payload matches the expected issuer URI. This ensures that the metadata is coming from a trusted source.
- Validate the iat Claim: Ensure that the iat (Issued At) claim is a valid NumericDate representing the time when the data was issued.
...
- Extract and use the information as needed.
- Pay special attention to the cache_ttl and exp claims. The cache_ttl specifies the cache duration, while exp defines the expiration time of the data. Refresh the metadata before the cache_ttl expires or if exp is reached to maintain data accuracy.
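The generation and validation steps above, worked end to end as an added example (not code from the page or from the GitHub reference implementation) using Ruby's bundled OpenSSL: the P-256 key, the self-signed certificate standing in for the one in the SAML metadata, the issuer URI and the claim values are all constructed placeholders.

```ruby
require 'openssl'
require 'json'

# JWS encodes header, payload and signature as unpadded base64url.
def b64u(bytes) = [bytes].pack('m0').tr('+/', '-_').delete('=')
def b64u_decode(str) = (str.tr('-_', '+/') + '=' * (-str.length % 4)).unpack1('m0')

# The x5t#S256 header value: base64url(SHA-256(DER-encoded certificate)).
def x5t_s256(cert_der) = b64u(OpenSSL::Digest::SHA256.digest(cert_der))

# Constructed P-256 key and self-signed certificate standing in for the SAML
# metadata's <ds:X509Certificate> (an assumption of this example, not real GRIE data).
def demo_cert
  key = OpenSSL::PKey::EC.generate('prime256v1')
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=grie-demo')
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert.to_der]
end

# Compact ES256 JWS with the alg and x5t#S256 headers; OpenSSL's DER SEQUENCE {r, s}
# is re-encoded as the raw r||s (32 bytes each) that JWS requires.
def sign_grie(key, cert_der, claims)
  header = JSON.generate({ 'alg' => 'ES256', 'x5t#S256' => x5t_s256(cert_der) })
  input = "#{b64u(header)}.#{b64u(JSON.generate(claims))}"
  der_sig = key.sign(OpenSSL::Digest::SHA256.new, input)
  r, s = OpenSSL::ASN1.decode(der_sig).value.map { |i| i.value.to_s(2) }
  "#{input}.#{b64u(r.rjust(32, "\0") + s.rjust(32, "\0"))}"
end

# Verifier side: pin alg to ES256, bind x5t#S256 to the metadata certificate, verify
# the signature with that certificate's key, then check exp, iat and iss.
def verify_grie(jws, cert_der, expected_iss, now = Time.now.to_i)
  h, p, s = jws.split('.')
  raise 'not a compact JWS' unless s && jws.count('.') == 2
  header = JSON.parse(b64u_decode(h))
  raise 'alg must be ES256' unless header['alg'] == 'ES256' # the token never picks the algorithm
  raise 'x5t#S256 does not match the metadata certificate' unless header['x5t#S256'] == x5t_s256(cert_der)
  sig = b64u_decode(s)
  raise 'ES256 signature must be 64 bytes' unless sig.bytesize == 64
  r_s = [sig[0, 32], sig[32, 32]].map { |b| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b, 2)) }
  pub = OpenSSL::X509::Certificate.new(cert_der).public_key
  raise 'signature verification failed' unless pub.verify(OpenSSL::Digest::SHA256.new, OpenSSL::ASN1::Sequence.new(r_s).to_der, "#{h}.#{p}")
  claims = JSON.parse(b64u_decode(p))
  raise 'expired or not yet issued' unless claims['iat'].is_a?(Integer) && claims['iat'] <= now && now < claims['exp'].to_i
  raise 'unexpected iss' unless claims['iss'] == expected_iss
  claims
end
```

A consumer would call verify_grie with the certificate extracted from the SAML metadata and then schedule a refresh no later than cache_ttl seconds after iat, treating exp as the hard stop.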
...
To facilitate the creation and validation of JWS in compliance with the Group Representative Information Exchange specification, you can leverage the example code available on GitHub. This code provides a practical reference for implementing the JWS generation and validation process.
...