mace-opensaml-users - RE: Signature Problems with Requests/Responses
Subject: OpenSAML user discussion
List archive
- From: Scott Cantor <>
- To: 'Terry Cumming' <>,
- Subject: RE: Signature Problems with Requests/Responses
- Date: Mon, 31 Mar 2003 11:13:53 -0500
- Importance: Normal
- Organization: The Ohio State University
> However, in my real code, I still get the same problem with
> the bad signature value (trying to verify signature of
> SAMLRequest received via SAMLSOAPBinding). I did find a
> workaround however. If I simply streamed the SAMLRequest
> object out then immediately created a new SAMLRequest with
> the constructor taking that stream as input, then the verify
> is successful.
I finally remembered why last night. If you want to verify a signed fragment
inside of a SOAP message like that, you can't use the
"simple" transform profile that my library uses when you pass true into the
sign method. You need to tell it to use the full XPath
syntax to isolate the Request element from the SOAP message. If you do that,
the signature should verify. Try passing false into the
sign call.
Your trick works, because once you stream out the Request, it's then
stand-alone, and will verify just like a Response does in the
POST profile.
The only place in SAML where signing is currently dictated is the POST
profile, not the SOAP binding. And there, just using true
will work fine.
All of this is in flux as I debug the code, figure out what the right signing
strategies are, and as SAML evolves toward 1.1 with an
apparent intent to add ID attributes that will facilitate signing. This is
the aspect of the API that is likely to get changed.
> The next problem occurs when I attempt to sign the
> SAMLResponse (containing a single unsigned assertion to go
> back to the requestor). The
> SAMLSOAPBindind.respond() operation fails with:
I'll try and run your code this week and see what the bug is. Make sure that
you are consistent in the Document you use to create
the various objects when you call toDOM() (if you actually call it youself).
The bug is due to a mismatch in documents.
-- Scott
---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
---------------------------------------------------mace-opensaml-users--
- Signature Problems with Requests/Responses, Terry Cumming, 03/28/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/28/2003
- <Possible follow-up(s)>
- Signature Problems with Requests/Responses, Terry Cumming, 03/28/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/31/2003
- RE: Signature Problems with Requests/Responses, Terry Cumming, 03/31/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/31/2003
- RE: Signature Problems with Requests/Responses, Terry Cumming, 03/31/2003
- RE: Signature Problems with Requests/Responses, Scott Cantor, 03/31/2003
Archive powered by MHonArc 2.6.16.