
mace-opensaml-users - RE: verifying signature on saml assertions

  • From: "Rakesh Aggarwal" <>
  • To: "Scott Cantor" <>, <>
  • Cc: "Shamik Sharma" <>, "Mike McEvoy" <>
  • Subject: RE: verifying signature on saml assertions
  • Date: Mon, 14 Apr 2003 12:46:55 -0700


Thanks for responding to my earlier post.

I am building the assertion using the SAMLAssertion object and then signing it. Then I
convert the assertion to a Node using the toDOM() method, and insert it
in a SOAP envelope using the SOAPHeaderElement object.

While verifying it I get the SOAPHeaderElement from the SOAPEnvelope,
and then construct a SAMLAssertion out of it. I cast it to a
SAMLSignedObject and then call verify() on it. At this point, the
verify() fails due to mismatch in signature values.

Sign() and verify() succeed if done in the same invocation path for
testing purposes. I had to upgrade my xalan and related jars from 2.2.x
to 2.4.x. But it still fails across multiple invocations, when
serializing and deserializing of saml objects is involved.

I am going to check if extra newlines are coming in while serializing
and deserializing saml objects. Another user on this discussion group
has reported a similar problem while serializing and deserializing saml
objects over http. Please let me know if someone has found a solution to
this problem.

Thanks.

-Rakesh


-----Original Message-----
From: Scott Cantor

Sent: Saturday, April 12, 2003 2:51 PM
To: Rakesh Aggarwal;

Subject: RE: verifying signature on saml assertions

>I am new to this group, so I apologize in advance if this question has been
>asked before. I could not find it in the archives. An earlier post seems to
>suggest that SAMLRequest object should be used while signing and verifying
>the assertion. But I am not sure how to generate assertions with this
>object. I am using SAMLAssertion object instead. Is that acceptable?

Requests don't generate assertions. You have to build what you want to
build, and sign whatever you want to sign. If you want a
signed assertion, then you use SAMLAssertion, and SAMLResponse builds
signed responses.

At this point, embedding signed assertions in responses or signing while
embedded barely sort-of works, kind of, but not really. In
short, there are SAML issues and signature library problems that really
make this too unreliable.

SAML at this point only uses signing in the POST profile, for naked
responses, and that's about all that's reliable.

Once SAML 1.1 is ready, this should all be fixable.

>The contents of the Assertion object in the above 2 files look exactly the
>same, still the sig.checkSignatureValue(k) method fails while verifying the
>signature. I am using a null key while verifying the signature.

They aren't close to the same. Your verify.xml file is full of extra
whitespace and indenting, which is not ignored in XML.

To use signatures at all, you have to sign the object and then generate
the XML with the toStream() method. To verify, you can't
change anything at all in that resulting data. One extra linefeed and
you're done. No pretty printing allowed, especially.

-- Scott
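The failure mode Scott describes (and that Rakesh is hitting) is easy to reproduce outside OpenSAML. The following is an added example, not code from the thread or from the OpenSAML project: it builds a constructed, hypothetical SAML 1.0-style assertion with made-up AssertionID, Issuer and subject, "signs" it with an HMAC-SHA256 over its canonical bytes as a stand-in for an XML-DSig SignatureValue (the Python standard library has no xmlsec, but the point is the same, since both digest the canonicalized bytes), embeds it in a SOAP Header, and verifies it after extraction. Round-tripping the exact bytes verifies; re-indenting the envelope on the way out breaks it, because inclusive canonicalization keeps whitespace-only text nodes exactly as Scott says. The key is an illustration-only constant.

```python
import copy
import hashlib
import hmac
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("soapenv", SOAP_NS)

# Constructed sample assertion (hypothetical ID, issuer and subject; not real OpenSAML output).
ASSERTION_XML = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_abc123" Issuer="idp.example.org">'
    '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
    '<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement>'
    '</saml:Assertion>'
)

# Hypothetical shared secret; stands in for the issuer's signing key pair.
KEY = b"illustration-only-signing-key"


def canonical_bytes(element):
    """Serialize an element and canonicalize it (W3C C14N 2.0, as shipped in the stdlib).

    Like inclusive C14N in XML-DSig, this keeps whitespace-only text nodes, so any
    indentation a pretty-printer inserts ends up in the bytes that are digested.
    """
    serialized = ET.tostring(element, encoding="unicode")
    return ET.canonicalize(serialized).encode("utf-8")


def sign(element):
    """Stand-in for an XML-DSig SignatureValue: HMAC-SHA256 over the canonical bytes."""
    return hmac.new(KEY, canonical_bytes(element), hashlib.sha256).hexdigest()


def verify(element, signature):
    """Recompute the signature over what was received and compare in constant time."""
    return hmac.compare_digest(sign(element), signature)


def wrap_in_soap(assertion, pretty):
    """Place a copy of the assertion in a SOAP Header and serialize the envelope.

    pretty=True re-indents the whole envelope before it is sent, which is what a
    pretty-printing serializer or a debug dump does to the embedded assertion.
    """
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    header.append(copy.deepcopy(assertion))
    ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    if pretty:
        ET.indent(envelope)  # inserts whitespace text nodes inside the assertion too
    return ET.tostring(envelope)


def extract_assertion(envelope_bytes):
    """Receiver side: parse the envelope and pull the assertion out of the Header."""
    envelope = ET.fromstring(envelope_bytes)
    return envelope.find(f"{{{SOAP_NS}}}Header/{{{SAML_NS}}}Assertion")


def verify_after_transport(pretty):
    """Sign, embed, 'send', extract, verify; returns whether the signature still checks."""
    assertion = ET.fromstring(ASSERTION_XML)
    signature = sign(assertion)
    received = extract_assertion(wrap_in_soap(assertion, pretty=pretty))
    return verify(received, signature)


def transport_changed_bytes(pretty):
    """Diagnostic for the mismatch: did the round trip alter the assertion's canonical bytes?"""
    assertion = ET.fromstring(ASSERTION_XML)
    received = extract_assertion(wrap_in_soap(assertion, pretty=pretty))
    return canonical_bytes(received) != canonical_bytes(assertion)


if __name__ == "__main__":
    print("byte-exact embedding verifies:", verify_after_transport(pretty=False))
    print("pretty-printed embedding verifies:", verify_after_transport(pretty=True))
```

When a verify() fails with a signature-value mismatch, running the equivalent of transport_changed_bytes on both ends (canonicalize what was signed, canonicalize what arrived, diff them) shows whether serialization is the culprit before you start suspecting keys or libraries. The fix is on the sending side: hand the receiver the exact bytes toStream() produced, and never re-serialize through anything that indents.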
