mace-opensaml-users - RE: verifying signature on saml assertions
Subject: OpenSAML user discussion
List archive
- From: mochamaster <>
- To: Scott Cantor <>,
- Subject: RE: verifying signature on saml assertions
- Date: Wed, 16 Apr 2003 12:32:57 -0700 (PDT)
though it's a fluke, it works, and it correctly
envelopes the signature within the assertion element
instead of the parent response element.
however, i was successfull in signing and verifying
response elements subject to serialization and http
protocol transfer.
please clarify when individual assertion signing
functionality will be available. 1.0, 1.1? or is it
avail but buggy and not worth fixing because of great
improvements in 1.1?
--- Scott Cantor
<>
wrote:
> > SAMLResponse samlResponse = ...
> > Iterator iter = samlResponse.getAssertions();
> > SAMLAssertion samlAssertion = (SAMLAssertion)
> > iter.next();
> > samlAssertion.sign(..DSA..,privateKey,certs,true);
> > samlAssertion.verify(true); // this works
>
> If this works, it's a fluke and you're not signing
> what you think you are. You can't sign an assertion
> that's inside a response with
> that simple flag because the signature will cover
> the whole response. And the non-simple mode doesn't
> really work most of the time.
> So, the options are limited.
>
> SAML 1.0 only uses signing on responses in the POST
> profile. Nothing else is easily supportable except
> other use cases where the
> signed content is the only thing in the document.
>
> Again, I suggest waiting for a new version based on
> SAML 1.1. This is mostly a hopeless exercise at this
> point.
>
> I'll document whatever the state of things is when
> we do the next release so everyone knows what will
> and won't work.
>
> -- Scott
>
>
>
__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com
---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
---------------------------------------------------mace-opensaml-users--
- verifying signature on saml assertions, Rakesh Aggarwal, 04/11/2003
- Re: verifying signature on saml assertions, mochamaster, 04/11/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/12/2003
- <Possible follow-up(s)>
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/14/2003
- RE: verifying signature on saml assertions, mochamaster, 04/14/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, mochamaster, 04/15/2003
- RE: verifying signature on saml assertions, mochamaster, 04/15/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/16/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/16/2003
- RE: verifying signature on saml assertions, mochamaster, 04/16/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/16/2003
- RE: verifying signature on saml assertions, mochamaster, 04/16/2003
- RE: verifying signature on saml assertions, mochamaster, 04/15/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, mochamaster, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/14/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/14/2003
- RE: verifying signature on saml assertions, Scott Cantor, 04/14/2003
- RE: verifying signature on saml assertions, Rakesh Aggarwal, 04/16/2003
Archive powered by MHonArc 2.6.16.