mace-opensaml-users - RE: verifying signature on saml assertions

Subject: OpenSAML user discussion

RE: verifying signature on saml assertions
  • From: "Rakesh Aggarwal" <>
  • To: "Scott Cantor" <>, <>, <>
  • Subject: RE: verifying signature on saml assertions
  • Date: Wed, 16 Apr 2003 17:22:07 -0700


For me, the signing and verification of SAML worked after setting the
prettyPrint property to false in setPrettyPrint() method of
SerializationContextImpl.java of axis. Due to this, the white-space
problem while serializing and deserializing SOAP message is
circumvented.

Apparently, the above prettyPrint property is not configurable...

Hope this helps

-Rakesh


-----Original Message-----
From: Scott Cantor [mailto:]
Sent: Wednesday, April 16, 2003 12:46 PM
To: ;
Subject: RE: verifying signature on saml assertions

> though it's a fluke, it works, and it correctly
> envelopes the signature within the assertion element
> instead of the parent response element.

Yes, but what you end up signing is the response, not the assertion. To
prove this, just detach the Assertion from the Response by
calling toStream on it and reparsing it alone. You'll get a verify
error.

Where it's positioned in the DOM has nothing to do with it. The
Reference URI is "", which means the doc root.

> however, i was successful in signing and verifying
> response elements subject to serialization and http
> protocol transfer.

Yes, that's what I know works, generally speaking. So should requests
and assertions, but I haven't explicitly done a lot of testing
of them. But you can't wrap them in SOAP or each other or whatever,
because the non-simple signing approach I'm using isn't working
in many cases.

> please clarify when individual assertion signing
> functionality will be available. 1.0, 1.1? or is it
> avail but buggy and not worth fixing because of great
> improvements in 1.1?

Because of all the support problems, I'm inclined to ship 0.9 of
OpenSAML as either:

a) a SAML 1.0 implementation with schema changes from the 1.1 proposed
spec to permit proper signing

b) a prelim. SAML 1.1 implementation

About the only difference between those two would be that it would send
a 1 in the MinorVersion attribute instead of a zero.

There's another issue involving what the allowed message ID values could
be that could affect interop with commercial SAML products,
but this is still being discussed in the SSTC.

I was originally going to wait for 1.1 to be out before fixing the
signing once and for all, but I'm getting sick of this mess.
There are issues with xmlsec in both languages that make it impossible
for me to fully fix it within the limits of 1.0 right now.

-- Scott
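The Reference URI point above, as an added example that is not from the thread or from OpenSAML: a stdlib-only Python model of which node a Reference URI covers, using a constructed SAML 1.0 Response and SHA-1 over the raw serialization in place of real C14N. It assumes AssertionID/ResponseID are the ID-typed attributes a "#id" reference resolves against, and it also shows the whitespace problem Rakesh worked around by disabling pretty printing.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET
# Added example, not from the thread or OpenSAML: SHA-1 over the raw
# serialization stands in for real XML-DSig canonicalization (C14N), so this
# shows which node a Reference covers, not interoperable DigestValues.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed SAML 1.0 Response wrapping one Assertion (no real Signature).
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ResponseID="r1">
  <saml:Assertion AssertionID="a1" MinorVersion="0">
    <saml:AuthenticationStatement/>
  </saml:Assertion>
</samlp:Response>"""

def resolve_reference(root, uri):
    """URI "" denotes the document root; "#x" the element whose ID attribute is x."""
    if uri == "":
        return root
    if uri.startswith("#"):
        for el in root.iter():
            if uri[1:] in (el.get("AssertionID"), el.get("ResponseID")):
                return el
    raise ValueError(f"cannot dereference Reference URI {uri!r}")

def digest(el):
    """Stand-in DigestValue: hash the element's subtree (its tail text lies outside it)."""
    el = copy.copy(el)
    el.tail = None
    return hashlib.sha1(ET.tostring(el)).hexdigest()

def verifies_after_detach(uri):
    """Digest the referenced node inside the Response, then detach the Assertion,
    reparse it alone (as a relying party would) and recheck the digest."""
    root = ET.fromstring(RESPONSE)
    signed = digest(resolve_reference(root, uri))
    standalone = ET.fromstring(ET.tostring(root.find("saml:Assertion", NS)))
    try:
        return digest(resolve_reference(standalone, uri)) == signed
    except ValueError:
        return False

def verifies_after_pretty_print(uri):
    """Re-indent the signed document, as a pretty printer does (Python 3.9+ ET.indent)."""
    root = ET.fromstring(RESPONSE)
    signed = digest(resolve_reference(root, uri))
    ET.indent(root, space="\t")  # rewrites the whitespace-only text nodes the digest covers
    return digest(resolve_reference(root, uri)) == signed
```

With URI="" the detached Assertion no longer matches what was digested, regardless of where the Signature element sat in the DOM; with "#a1" it does, but re-indenting breaks either reference.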

