
mace-opensaml-users - RE: verifying signature on saml assertions



  • From: Scott Cantor <>
  • To: 'Rakesh Aggarwal' <>,
  • Subject: RE: verifying signature on saml assertions
  • Date: Sat, 12 Apr 2003 17:51:28 -0400
  • Importance: Normal
  • Organization: The Ohio State University

>I am new to this group, so I apologize in advance if this question has been
>asked before. I could not find it in the archives. An earlier post seems to
>suggest that SAMLRequest object should be used while signing and verifying
>the assertion. But I am not sure how to generate assertions with this
>object. I am using SAMLAssertion object instead. Is that acceptable?

Requests don't generate assertions. You have to build what you want to build,
and sign whatever you want to sign. If you want a signed assertion, then you
use SAMLAssertion, and SAMLResponse builds signed responses.

At this point, embedding signed assertions in responses or signing while
embedded barely sort-of works, kind of, but not really. In short, there are
SAML issues and signature library problems that really make this too
unreliable.

SAML at this point only uses signing in the POST profile, for naked
responses, and that's about all that's reliable.

Once SAML 1.1 is ready, this should all be fixable.

>The contents of the Assertion object in the above 2 files look exactly the
>same, still the sig.checkSignatureValue(k) method fails while verifying the
>signature. I am using null key while verifying the signature.

They aren't close to the same. Your verify.xml file is full of extra
whitespace and indenting, which is not ignored in XML.

To use signatures at all, you have to sign the object and then generate the
XML with the toStream() method. To verify, you can't change anything at all
in that resulting data. One extra linefeed and you're done. No pretty
printing allowed, especially.

-- Scott

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--
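The whitespace point in the reply above, as an added example that is not part of the original post and is not OpenSAML code: a Python stand-in for the digest step of an XML signature over a SAML assertion. The assertion, the second copy with reordered and single-quoted attributes, and the SHA-256 digest (standing in for whatever DigestMethod the signature declares) are all constructed here; the canonicalization is xml.etree's C14N 1.0 (Python 3.8+), which, like the canonicalization an XML Signature applies before hashing, absorbs attribute order and quoting but keeps whitespace-only text nodes byte for byte. The pretty-printed copy therefore fails exactly the way verify.xml does, while the lexically different but canonically equal copy still verifies.

```python
import hashlib
import xml.dom.minidom
from xml.etree import ElementTree as ET

# Constructed sample (not from the original post): a minimal SAML 1.x-style
# assertion serialized with no whitespace between elements, the way a
# toStream()-style serializer emits it. All identifiers are made up.
ASSERTION = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' AssertionID="_a1b2c3" Issuer="https://idp.example.org"'
    ' IssueInstant="2003-04-12T21:51:28Z">'
    '<Conditions NotBefore="2003-04-12T21:51:28Z"'
    ' NotOnOrAfter="2003-04-12T21:56:28Z"/>'
    '<AuthenticationStatement'
    ' AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"'
    ' AuthenticationInstant="2003-04-12T21:51:28Z">'
    '<Subject><NameIdentifier>alice</NameIdentifier></Subject>'
    '</AuthenticationStatement>'
    '</Assertion>'
)

# The same assertion with the root element's attributes reordered and
# single-quoted: different bytes on the wire, but canonically identical XML.
# The first '>' in ASSERTION closes the root start tag, so everything after
# it is reused unchanged.
EQUIVALENT_ASSERTION = (
    "<Assertion xmlns='urn:oasis:names:tc:SAML:1.0:assertion'"
    " IssueInstant='2003-04-12T21:51:28Z' Issuer='https://idp.example.org'"
    " AssertionID='_a1b2c3'>"
    + ASSERTION[ASSERTION.index(">") + 1:]
)


def reference_digest(xml_text: str) -> str:
    """Stand-in for the DigestValue an XML signature computes over a signed
    element: canonicalize (C14N 1.0, as ds:CanonicalizationMethod would) and
    hash the result. C14N fixes attribute order, quoting and namespace
    declarations, but it keeps whitespace-only text nodes exactly as they are.
    SHA-256 is an assumption standing in for the declared DigestMethod."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_reference(received_xml: str, digest_in_signature: str) -> bool:
    """The check that fails in the post: recompute the digest over the bytes
    actually received and compare it with the value carried in the signature."""
    return reference_digest(received_xml) == digest_in_signature


def pretty_print(xml_text: str) -> str:
    """What an indenting serializer (or a hand-tidied verify.xml) does to the
    document: it inserts newline-and-indent text nodes between elements."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")


def demo() -> dict:
    """Sign once over the streamed bytes, then verify three variants."""
    signed_digest = reference_digest(ASSERTION)  # value the signer would embed
    return {
        "as_streamed": verify_reference(ASSERTION, signed_digest),
        "reordered_attributes": verify_reference(EQUIVALENT_ASSERTION, signed_digest),
        "pretty_printed": verify_reference(pretty_print(ASSERTION), signed_digest),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'verifies' if ok else 'FAILS'}")
```

The practical rule this illustrates: the bytes you hash are the bytes you must verify. Canonicalization buys tolerance for attribute order, quoting style and namespace declaration placement, not for added linefeeds or indentation, so the verifier must be handed the serializer's output untouched rather than anything that has passed through a pretty-printer or an editor.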



