OpenSAML user discussion

[Scott Cantor <>]

>I am new to this group, so I apologize in advance if this question has been
>asked before. I could not find it in the archives. An earlier post seem to
>suggest that SAMLRequest object should be used while signing and verifying
>the assertion. But I am not sure how to generate assertions with this
>object. I am using SAMLAssertion object instead. Is that acceptatble?

Requests don't generate assertions. You have to build what you want to build, 
and sign whatever you want to sign. If you want a
signed assertion, then you use SAMLAssertion, and SAMLResponse builds signed 
responses.

At this point, embedding signed assertions in responses or signing while 
embedded barely sort-of works, kind of, but not really. In
short, there are SAML issues and signature library problems that really make 
this too unreliable.

SAML at this point only uses signing in the POST profile, for naked 
responses, and that's about all that's reliable.

Once SAML 1.1 is ready, this should all be fixable.

>The contents of the Assertion object in the above 2 files look exactly the
>same, still the sig.checkSignatureValue(k) method fails while verifying the
>signature. I am using null key while verifying the signature.

They aren't close to the same. Your verify.xml file is full of extra 
whitespace and indenting, which is not ignored in XML.

To use signatures at all, you have to sign the object and then generate the 
XML with the toStream() method. To verify, you can't
change anything at all in that resulting data. One extra linefeed and you're 
done. No pretty printing allowed, especially.

-- Scott

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--