
mace-opensaml-users - RE: verifying signature on saml assertions


RE: verifying signature on saml assertions


  • From: Scott Cantor <>
  • To: ,
  • Subject: RE: verifying signature on saml assertions
  • Date: Wed, 16 Apr 2003 15:46:02 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> though it's a fluke, it works, and it correctly
> envelopes the signature within the assertion element
> instead of the parent response element.

Yes, but what you end up signing is the response, not the assertion. To prove
this, just detach the Assertion from the Response by
calling toStream on it and reparsing it alone. You'll get a verify error.

Where it's positioned in the DOM has nothing to do with it. The Reference URI
is "", which means the doc root.

> however, i was successful in signing and verifying
> response elements subject to serialization and http
> protocol transfer.

Yes, that's what I know works, generally speaking. So should requests and
assertions, but I haven't explicitly done a lot of testing
of them. But you can't wrap them in SOAP or each other or whatever, because
the non-simple signing approach I'm using isn't working
in many cases.

> please clarify when individual assertion signing
> functionality will be available. 1.0, 1.1? or is it
> avail but buggy and not worth fixing because of great
> improvements in 1.1?

Because of all the support problems, I'm inclined to ship 0.9 of OpenSAML as
either:

a) a SAML 1.0 implementation with schema changes from the 1.1 proposed spec
to permit proper signing

b) a prelim. SAML 1.1 implementation

About the only difference between those two would be that it would send a 1
in the MinorVersion attribute instead of a zero.

There's another issue involving what the allowed message ID values could be
that could affect interop with commercial SAML products,
but this is still being discussed in the SSTC.

I was originally going to wait for 1.1 to be out before fixing the signing
once and for all, but I'm getting sick of this mess.
There are issues with xmlsec in both languages that make it impossible for me
to fully fix it within the limits of 1.0 right now.

-- Scott

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--
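The point Scott makes about the empty Reference URI can be shown without any crypto: `URI=""` selects whatever the document root happens to be, so the same `ds:Signature` covers the Response while the Assertion sits inside it and a different set of bytes once the Assertion is serialised and reparsed on its own. The following is an added illustration, not code from this thread or from OpenSAML; the SAML 1.0 Response is constructed, the helper names (`build_response`, `signed_digest`, `detach_survives`) are made up for this example, and the digest is taken over a plain ElementTree serialisation (with the `ds:Signature` removed, as the enveloped-signature transform would) rather than real C14N, which is enough to show which element the Reference selects.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
for prefix, uri in (("ds", DS), ("saml", SAML), ("samlp", SAMLP)):
    ET.register_namespace(prefix, uri)  # keep prefixes stable across serialisations

# Constructed sample: a SAML 1.0 Response whose Assertion carries an enveloped
# Signature. Only the Reference URI varies between the two cases compared below.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}" ResponseID="_resp1" MajorVersion="1" MinorVersion="0">
  <saml:Assertion AssertionID="_a1" MajorVersion="1" MinorVersion="0" Issuer="example.org">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="{uri}">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </ds:Transforms>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
  </saml:Assertion>
</samlp:Response>"""

SIGNATURE_TAG = f"{{{DS}}}Signature"


def build_response(reference_uri):
    """Hypothetical helper: the constructed Response with the given Reference URI."""
    return RESPONSE_TEMPLATE.format(samlp=SAMLP, saml=SAML, ds=DS, uri=reference_uri)


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def find_by_id(root, elem_id):
    """Resolve a same-document '#id' reference. SAML 1.x uses AssertionID,
    ResponseID and RequestID as its ID-typed attributes, not a generic ID."""
    for el in root.iter():
        for attr in ("AssertionID", "ResponseID", "RequestID", "ID", "Id"):
            if el.get(attr) == elem_id:
                return el
    return None


def referenced_element(root, uri):
    """The element a ds:Reference URI selects in *this* document."""
    if uri == "":
        return root  # empty URI means the document root, whatever that currently is
    if uri.startswith("#"):
        return find_by_id(root, uri[1:])
    return None  # external references are out of scope for this illustration


def digest_without_signature(element):
    """Drop every ds:Signature (the enveloped-signature transform) and hash the
    serialisation. Plain ElementTree output, not C14N; fine for a comparison."""
    clone = copy.deepcopy(element)
    clone.tail = None  # the tail is not part of the element's content
    to_remove = [(p, c) for p in clone.iter() for c in list(p) if c.tag == SIGNATURE_TAG]
    for parent, sig in to_remove:
        parent.remove(sig)
    return hashlib.sha1(ET.tostring(clone)).hexdigest()


def signed_digest(xml_text):
    """(local name of the referenced element, digest of its signed bytes)."""
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{{{DS}}}SignedInfo/{{{DS}}}Reference")
    target = referenced_element(root, ref.get("URI"))
    if target is None:
        raise ValueError("Reference URI does not resolve in this document")
    return local_name(target.tag), digest_without_signature(target)


def detach_assertion(xml_text):
    """What 'toStream on the Assertion and reparse it alone' produces."""
    root = ET.fromstring(xml_text)
    return ET.tostring(root.find(f"{{{SAML}}}Assertion"), encoding="unicode")


def detach_survives(reference_uri):
    """Which element the Reference selects in context and after detaching, and
    whether the signed bytes are the same in both cases."""
    full = build_response(reference_uri)
    alone = detach_assertion(full)
    target_full, digest_full = signed_digest(full)
    target_alone, digest_alone = signed_digest(alone)
    return target_full, target_alone, digest_full == digest_alone


if __name__ == "__main__":
    print('URI=""     ->', detach_survives(""))      # ('Response', 'Assertion', False)
    print('URI="#_a1" ->', detach_survives("#_a1"))  # ('Assertion', 'Assertion', True)
```

With `URI=""` the signature covers the Response in context and a different element after detaching, which is exactly the verify error described above; with `URI="#_a1"` the Reference follows the Assertion wherever it is placed. A verifier that wants the signature to protect the Assertion specifically should therefore check that the Reference resolves to the enclosing Assertion, not merely that the signature validates against whatever the document root is at the time.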