OpenSAML user discussion

Hi Scott,

I got another SAML XML Signature validation problem. SAMLAssertion or
SAMLSignedObject throws the following exceptions:

org.apache.xml.security.signature.MissingResourceFailureException: The 
Reference
for URI #ce39e00ec0c14829d45e070346bdc2c4 has no XMLSignatureInput
org.apache.xml.security.signature.ReferenceNotInitializedException: input node
set contains no nodes

If I verify the assertion right after it is signed, there is no problem.
However, after I pass it over the wire thru a SOAP message. It cannot be
verified due to the above exceptions. The SOAP message signature has be 
verified
without any problem. I'm sure the reference URI #ce... is exactly the 
AssertionID.

Thanks and happy holidays!

Liang


Quoting Scott Cantor 
<>:

> > Hi am facing a similar problem using SAML and XML signature.
> > My scenario is little differrent. First an unsigned saml 
> > assertions are inserted to the SOAP envelope. Later through a 
> > request handler the whole envelope is signed useing RSA 
> > algorithm.
> 
> That's pretty vague, and if the signature is not a SAML sig, then you're
> pretty much out of OpenSAML's space at that point.
> 
> > At the receiving end while tried to verify it, the 
> > original digest and the recalculated digests are getting 
> > differrent. So the signature verification is getting failed. 
> > But if the original soap message doesn't contain the saml 
> > assertions verification is passing.. Do we have to use any 
> > special canonicalization method while signing?
> > or the the saml assertions has to be signed alone? 
> 
> The answer is yes, but, sort of, sure, maybe, always. Using an arbitrary XML
> serialization process at one or both ends is almost sure to break
> signatures.
> 
> Generally, you should serialize with a real c14n algorithm, to avoid any
> formatting. I do that in the Java SAML code, but you're not serializing with
> my code, you're using some SOAP thingy that could be doing anything.
> 
> -- Scott
> 
> 
>