
mace-opensaml-users - RE: verifying signature on saml assertions

Subject: OpenSAML user discussion

  • From: mochamaster <>
  • To: Scott Cantor <>,
  • Subject: RE: verifying signature on saml assertions
  • Date: Wed, 16 Apr 2003 12:32:57 -0700 (PDT)

though it's a fluke, it works, and it correctly
envelopes the signature within the assertion element
instead of the parent response element.

however, i was successful in signing and verifying
response elements subject to serialization and http
protocol transfer.

please clarify when individual assertion signing
functionality will be available. 1.0, 1.1? or is it
avail but buggy and not worth fixing because of great
improvements in 1.1?

--- Scott Cantor <> wrote:
> > SAMLResponse samlResponse = ...
> > Iterator iter = samlResponse.getAssertions();
> > SAMLAssertion samlAssertion = (SAMLAssertion)
> > iter.next();
> > samlAssertion.sign(..DSA..,privateKey,certs,true);
> > samlAssertion.verify(true); // this works
>
> If this works, it's a fluke and you're not signing
> what you think you are. You can't sign an assertion
> that's inside a response with
> that simple flag because the signature will cover
> the whole response. And the non-simple mode doesn't
> really work most of the time.
> So, the options are limited.
>
> SAML 1.0 only uses signing on responses in the POST
> profile. Nothing else is easily supportable except
> other use cases where the
> signed content is the only thing in the document.
>
> Again, I suggest waiting for a new version based on
> SAML 1.1. This is mostly a hopeless exercise at this
> point.
>
> I'll document whatever the state of things is when
> we do the next release so everyone knows what will
> and won't work.
>
> -- Scott


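Scott's point above is that an enveloped XML signature covers whatever its ds:Reference URI designates, not the element it happens to sit in. The following check is an added example, not code from this thread or from OpenSAML: it parses a constructed SAML 1.x Response (the IDs and values are made up) and reports, for each ds:Signature, the element it is enveloped in and the element its Reference actually covers. An empty URI means the whole document, i.e. the Response, which is the "fluke" case where a signature placed in the Assertion does not actually sign just that Assertion.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ID_ATTRS = ("AssertionID", "ResponseID", "ID")  # SAML 1.x and 2.0 id attributes

# Constructed sample (not from the thread): a SAML 1.x Response whose Assertion
# carries a ds:Signature. The Reference URI is filled in by the caller.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResponseID="_resp1">
  <saml:Assertion AssertionID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="{uri}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix

def _id_of(elem):
    return next((elem.attrib[a] for a in ID_ATTRS if a in elem.attrib), None)

def signature_scopes(xml_text):
    """For each ds:Signature: (element it is enveloped in, element its Reference covers)."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id = {_id_of(e): e for e in root.iter() if _id_of(e) is not None}
    scopes = []
    for sig in root.iter(DS + "Signature"):
        ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        if uri == "":
            covered = root  # empty URI: the whole document, i.e. the Response
        elif uri.startswith("#") and uri[1:] in by_id:
            covered = by_id[uri[1:]]  # same-document reference to an ID'd element
        else:
            covered = None  # external or dangling reference: cannot be trusted
        scopes.append((_local(parent_of.get(sig, root).tag),
                       None if covered is None else _local(covered.tag)))
    return scopes

def assertion_independently_signed(xml_text):
    """True only if some signature both sits in an Assertion and covers that Assertion."""
    return any(env == "Assertion" and cov == "Assertion"
               for env, cov in signature_scopes(xml_text))
```

This only reports what a signature claims to cover; a real verifier must still apply the enveloped-signature transform and canonicalization, check the cryptographic value, and reject any assertion whose signature does not cover that assertion.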




