
mace-opensaml-users - RE: Signature validation fails after parsing SAML Response

Subject: OpenSAML user discussion

  • From: Scott Cantor <>
  • To: 'Shannon Kendrick' <>,
  • Subject: RE: Signature validation fails after parsing SAML Response
  • Date: Tue, 04 Mar 2003 09:31:27 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> I did a string compare on the "toString()" values of the two
> SAMLResponse objects and they check out fine. It seems to only
> fail if I've got an AttributeStatement in the response.
> Without the AttributeStatement everything validates fine.

There are some issues with signing assertions inside responses, but that's
not what you're trying here, so this must be a new bug.

> Is it possible that either the validation or the check isn't
> including the AttributeStatement in the digest? If I wanted
> to sign the document myself would I use "toDOM" to get the
> Document reference?

That would be one way to do it, yes. toDOM() just gets you the DOM. The whole
mess gets a little complicated when you have interactions between Documents,
but it is possible to create a signature externally using a DOM Document, and
pass that in to toDOM() to ensure that the document is used uniformly. A bit
messy though, I admit.

Let me use your sample code to author a new JUnit test and I'll see if I can
reproduce it.

-- Scott
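
The round trip discussed in this thread (sign a DOM, serialize it, parse it into a new Document, validate), as an added example that is not part of the original message and is not OpenSAML code. It uses the JDK's javax.xml.crypto.dsig API (Java 11 or later); the element names, namespace and key are constructed stand-ins.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class RoundTripSignatureCheck {
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML-DSig needs a namespace-aware DOM
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Constructed stand-in for a Response that carries an AttributeStatement.
        String xml = "<Response xmlns='urn:example:constructed'><Assertion><AttributeStatement>"
            + "<Attribute Name='role'><AttributeValue>staff</AttributeValue></Attribute>"
            + "</AttributeStatement></Assertion></Response>";
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key
        // Enveloped signature over the whole document (URI ""), exclusive c14n.
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("", f.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        f.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        // Serialize, then parse into a new Document, as the receiving side would.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        Document parsed = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(out.toByteArray()));
        System.out.println("valid after round trip: " + validate(f, kp.getPublic(), parsed));
        // A change inside the AttributeStatement must break the reference digest.
        parsed.getElementsByTagNameNS("*", "AttributeValue").item(0).setTextContent("admin");
        System.out.println("valid after tampering: " + validate(f, kp.getPublic(), parsed));
    }
    static boolean validate(XMLSignatureFactory f, PublicKey key, Document d) throws Exception {
        Node sig = d.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return f.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```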
