
mace-opensaml-users - RE: Re: Signature validation fails after parsing SAML Response

Subject: OpenSAML user discussion

  • From:
  • To: Scott Cantor <>
  • Cc:
  • Subject: RE: Re: Signature validation fails after parsing SAML Response
  • Date: Sat, 20 Dec 2003 12:25:34 -0500

Hi Scott,

I got another SAML XML Signature validation problem. SAMLAssertion or
SAMLSignedObject throws the following exceptions:

org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI #ce39e00ec0c14829d45e070346bdc2c4 has no XMLSignatureInput
org.apache.xml.security.signature.ReferenceNotInitializedException: input node set contains no nodes

If I verify the assertion right after it is signed, there is no problem.
However, after I pass it over the wire through a SOAP message, it cannot be
verified due to the above exceptions. The SOAP message signature has been
verified without any problem. I'm sure the reference URI #ce... is exactly the
AssertionID.

Thanks and happy holidays!

Liang


Quoting Scott Cantor <>:

> > Hi, I am facing a similar problem using SAML and XML signature.
> > My scenario is a little different. First, unsigned SAML
> > assertions are inserted into the SOAP envelope. Later, through a
> > request handler, the whole envelope is signed using the RSA
> > algorithm.
>
> That's pretty vague, and if the signature is not a SAML sig, then you're
> pretty much out of OpenSAML's space at that point.
>
> > At the receiving end, while trying to verify it, the
> > original digest and the recalculated digest come out
> > different. So the signature verification fails.
> > But if the original SOAP message doesn't contain the SAML
> > assertions, verification passes. Do we have to use any
> > special canonicalization method while signing?
> > Or do the SAML assertions have to be signed alone?
>
> The answer is yes, but, sort of, sure, maybe, always. Using an arbitrary XML
> serialization process at one or both ends is almost sure to break
> signatures.
>
> Generally, you should serialize with a real c14n algorithm, to avoid any
> formatting. I do that in the Java SAML code, but you're not serializing with
> my code, you're using some SOAP thingy that could be doing anything.
>
> -- Scott
>
>
>
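
Added example (not part of the original thread and not OpenSAML code): the effect Scott describes above, shown with Python's standard library. The sample assertions are constructed, and ElementTree's C14N 2.0 is assumed here as a stand-in for whichever canonicalization algorithm the XML Signature actually names.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: the assertion as the signer emitted it.
SIGNED = ('<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
          'AssertionID="a1" Issuer="idp.example.org">'
          '<Conditions NotBefore="2003-12-20T17:00:00Z"></Conditions>'
          '</Assertion>')

# Constructed sample: same infoset after a hypothetical SOAP layer re-serialized
# it (attribute order, quote style, in-tag whitespace, empty-element form).
RESERIALIZED = ("<Assertion Issuer='idp.example.org'  AssertionID='a1'\n"
                "   xmlns='urn:oasis:names:tc:SAML:1.0:assertion'>"
                "<Conditions NotBefore='2003-12-20T17:00:00Z' />"
                "</Assertion>")

# Constructed sample: pretty-printed in transit. The added newlines and
# indentation are text nodes, i.e. content, so c14n must preserve them.
PRETTY = ('<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" '
          'AssertionID="a1" Issuer="idp.example.org">\n'
          '  <Conditions NotBefore="2003-12-20T17:00:00Z"></Conditions>\n'
          '</Assertion>')


def raw_digest(xml: str) -> str:
    """Digest of the bytes exactly as serialized (what a naive check hashes)."""
    return hashlib.sha256(xml.encode("utf-8")).hexdigest()


def c14n_digest(xml: str) -> str:
    """Digest of the canonical form, as a signature Reference would compute it."""
    return hashlib.sha256(canonicalize(xml).encode("utf-8")).hexdigest()


def survives_transit(signed: str, received: str) -> dict:
    """Report whether the digest still matches, with and without c14n."""
    return {
        "raw_match": raw_digest(signed) == raw_digest(received),
        "c14n_match": c14n_digest(signed) == c14n_digest(received),
    }


if __name__ == "__main__":
    # Syntactic changes only: raw bytes differ, canonical form is identical.
    print("re-serialized:", survives_transit(SIGNED, RESERIALIZED))
    # Inserted whitespace: even the canonical digest changes, so verification fails.
    print("pretty-printed:", survives_transit(SIGNED, PRETTY))
```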




