
mace-opensaml-users - RE: Re: Signature validation fails after parsing SAML Response

Subject: OpenSAML user discussion


RE: Re: Signature validation fails after parsing SAML Response


  • From: Scott Cantor <>
  • To: ,
  • Subject: RE: Re: Signature validation fails after parsing SAML Response
  • Date: Wed, 17 Dec 2003 16:09:46 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> Hi, I am facing a similar problem using SAML and XML Signature.
> My scenario is a little different. First, unsigned SAML
> assertions are inserted into the SOAP envelope. Later, through a
> request handler, the whole envelope is signed using the RSA
> algorithm.

That's pretty vague, and if the signature is not a SAML sig, then you're
pretty much out of OpenSAML's space at that point.

> At the receiving end, while trying to verify it, the
> original digest and the recalculated digest are
> different, so the signature verification is failing.
> But if the original SOAP message doesn't contain the SAML
> assertions, verification passes. Do we have to use any
> special canonicalization method while signing?
> Or do the SAML assertions have to be signed alone?

The answer is yes, but, sort of, sure, maybe, always. Using an arbitrary XML
serialization process at one or both ends is almost sure to break
signatures.

Generally, you should serialize with a real c14n algorithm, to avoid any
formatting. I do that in the Java SAML code, but you're not serializing with
my code, you're using some SOAP thingy that could be doing anything.

-- Scott
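The following is an added illustration of the point made in this reply; it is not code from the thread or from OpenSAML. It uses the Python standard library's `xml.etree.ElementTree.canonicalize()` (C14N 2.0, Python 3.8+) as a stand-in for the Canonical XML / Exclusive C14N transforms that XML Signature actually uses, and the assertion text is a constructed sample. It shows which re-serialization differences a canonicalization step absorbs (attribute order, quoting, self-closing tags) and which it does not (whitespace inserted by a pretty-printer is real text content), which is why a digest computed over the signer's bytes and recomputed over a SOAP layer's re-serialized bytes can differ:

```python
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample: an unsigned SAML 1.x-style assertion exactly as the
# signer serialized it when it computed the reference digest.
AS_SIGNED = (
    '<saml:Assertion AssertionID="_example-1" Issuer="idp.example.org" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
    '<saml:Conditions NotBefore="2003-12-17T21:00:00Z" '
    'NotOnOrAfter="2003-12-17T22:00:00Z"></saml:Conditions>'
    '<saml:AuthenticationStatement><saml:Subject>'
    '<saml:NameIdentifier>alice</saml:NameIdentifier>'
    '</saml:Subject></saml:AuthenticationStatement>'
    '</saml:Assertion>'
)

# The same infoset after an intermediary (e.g. a SOAP stack) re-serialized it:
# attribute order changed, single quotes, empty element written self-closing.
RESERIALIZED = (
    "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' "
    "Issuer='idp.example.org' AssertionID='_example-1'>"
    "<saml:Conditions NotOnOrAfter='2003-12-17T22:00:00Z' "
    "NotBefore='2003-12-17T21:00:00Z'/>"
    "<saml:AuthenticationStatement><saml:Subject>"
    "<saml:NameIdentifier>alice</saml:NameIdentifier>"
    "</saml:Subject></saml:AuthenticationStatement>"
    "</saml:Assertion>"
)

# The same document after a pretty-printer inserted indentation. The newlines
# and spaces between elements are whitespace-only text nodes, i.e. content,
# so plain canonicalization preserves them and the digest still changes.
PRETTY_PRINTED = (
    '<saml:Assertion AssertionID="_example-1" Issuer="idp.example.org"\n'
    '    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">\n'
    '  <saml:Conditions NotBefore="2003-12-17T21:00:00Z"\n'
    '      NotOnOrAfter="2003-12-17T22:00:00Z"/>\n'
    '  <saml:AuthenticationStatement>\n'
    '    <saml:Subject>\n'
    '      <saml:NameIdentifier>alice</saml:NameIdentifier>\n'
    '    </saml:Subject>\n'
    '  </saml:AuthenticationStatement>\n'
    '</saml:Assertion>'
)


def naive_digest(xml_text: str) -> str:
    """SHA-256 over the bytes as they arrived; any re-serialization changes it."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str, strip_text: bool = False) -> str:
    """SHA-256 over the canonical (C14N 2.0) form produced by the stdlib.

    strip_text=True additionally drops leading/trailing whitespace of text
    nodes, which is what neutralizes pretty-printing; note that the XML
    Signature transforms used by SAML do not do this by default.
    """
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digest_matches(signed_form: str, received_form: str,
                   canonicalize: bool, strip_text: bool = False) -> bool:
    """Mimic the verifier's check: does the digest recomputed over what was
    received equal the digest the signer computed over its own serialization?"""
    if canonicalize:
        return (c14n_digest(signed_form, strip_text)
                == c14n_digest(received_form, strip_text))
    return naive_digest(signed_form) == naive_digest(received_form)


if __name__ == "__main__":
    cases = [
        ("re-serialized, raw bytes", RESERIALIZED, False, False),
        ("re-serialized, canonicalized", RESERIALIZED, True, False),
        ("pretty-printed, canonicalized", PRETTY_PRINTED, True, False),
        ("pretty-printed, canonicalized + strip_text", PRETTY_PRINTED, True, True),
    ]
    for label, received, c14n, strip in cases:
        ok = digest_matches(AS_SIGNED, received, c14n, strip)
        print(f"{label:45s} -> {'digest matches' if ok else 'DIGEST MISMATCH'}")
```

The first two rows reproduce the failure described in the thread and its fix: the raw bytes of the re-serialized assertion no longer hash to the signer's digest, but their canonical forms do. The third row is the caveat a verifier should keep in mind: canonicalization constrains namespace placement, attribute order and quoting, not whitespace that a layer has inserted as text, so the serialization used at signing time and at verification time must agree on that as well.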



