
mace-opensaml-users - RE: What is digested

Subject: OpenSAML user discussion

  • From: Scott Cantor <>
  • To: 'Mark Wilcox' <>,
  • Subject: RE: What is digested
  • Date: Fri, 07 May 2004 22:12:30 -0400
  • Organization: The Ohio State University

> What values are used to create the digest in the ds:DigestValue tag,
> like so: <ds:DigestValue>gmjaBYw5W/F1z6XMjbsGibcwI4o=</ds:DigestValue>
>
> And is the algorithm just plain SHA-1 and Base64 encoding the
> output of SHA-1, or is something else going on?

It's XML signature processing, with a few rules defined by SAML to simplify
the work for SAML implementers so that the full range of possible signature
options aren't available.

The spec doesn't dictate algorithms. The common case is RSAwithSHA1, so the
digest is SHA-1, but yes, it's base-64 encoded when it appears in the
markup.

The digest input is defined by the SignedInfo element, which includes a
Reference to the ID of the root element being signed, and the transforms
that define how to take that node set and turn it into an octet stream. SAML
limits the transforms that can be used to simplify the determination of what
was signed.

I suggest reading the signature spec if you really want to understand the
process; it's relatively readable given the subject matter, although some
working XPath knowledge is helpful.

http://www.w3.org/TR/xmldsig-core/

Understanding canonicalization is also fairly critical.

-- Scott
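The pipeline Scott describes, written out as an added example (this is not code from the thread, from OpenSAML, or from any SAML implementation): resolve the ds:Reference URI to the element carrying that ID, apply the enveloped-signature transform so the digest does not cover the ds:Signature itself, canonicalize the node set to an octet stream, SHA-1 it, and base64-encode the result. The assertion and its ID are constructed. The one substitution to note: Python's standard-library `canonicalize()` implements C14N 2.0 and is used here as a stand-in for the Exclusive C14N that SAML signatures actually specify, so a real verifier must dispatch on the algorithm named in the Transform and CanonicalizationMethod elements, and the digests this produces need not match those of a conforming implementation. SignatureValue over SignedInfo is left out because the question is about the digest.

```python
"""Constructed walk-through of how a SAML ds:DigestValue is produced.

Per XML Signature, the digest input is not the raw text of the document:
the ds:Reference URI ("#id") selects the element, the Transforms turn that
node set into an octet stream (enveloped-signature drops the ds:Signature
itself; canonicalization fixes the serialization), and the octets are
hashed with the DigestMethod (SHA-1 here) and base64-encoded.

Assumption: xml.etree.ElementTree.canonicalize() implements C14N 2.0 and
is used as a stand-in for the Exclusive C14N that SAML signatures specify.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("ds", DS_NS)
ET.register_namespace("saml", SAML_NS)

ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed SAML 1.x-style assertion; the ID value and issuer are made up.
ASSERTION_ID = "_constructed-assertion-1"
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="{ASSERTION_ID}"
    IssueInstant="2004-05-07T22:12:30Z" Issuer="https://idp.example.org">
  <saml:AuthenticationStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def ds(tag):
    """Clark-notation name for an element in the XML Signature namespace."""
    return f"{{{DS_NS}}}{tag}"


def find_by_id(root, ref_id):
    """Resolve a same-document reference: the element whose ID attribute matches."""
    for el in root.iter():
        if el.get("AssertionID") == ref_id or el.get("ID") == ref_id:
            return el
    return None


def enveloped_signature_transform(element):
    """Drop the ds:Signature child so the digest does not cover itself."""
    node = copy.deepcopy(element)
    for sig in node.findall(ds("Signature")):
        node.remove(sig)
    return node


def canonical_octets(element):
    """Canonical serialization of the node set (C14N 2.0 stand-in, see docstring)."""
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode("utf-8")


def compute_digest_value(xml_text, ref_id):
    """The base64 SHA-1 that belongs in ds:DigestValue for URI="#ref_id"."""
    target = find_by_id(ET.fromstring(xml_text), ref_id)
    if target is None:
        raise ValueError(f"no element carries ID {ref_id!r}")
    octets = canonical_octets(enveloped_signature_transform(target))
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def embed_digest(xml_text, ref_id):
    """Append a ds:Signature whose SignedInfo carries the Reference digest.

    SignatureValue (the RSA signature over canonicalized SignedInfo) is the
    next step and is left out: this example is about the digest only.
    """
    root = ET.fromstring(xml_text)
    sig = ET.SubElement(root, ds("Signature"))
    info = ET.SubElement(sig, ds("SignedInfo"))
    ref = ET.SubElement(info, ds("Reference"), URI=f"#{ref_id}")
    transforms = ET.SubElement(ref, ds("Transforms"))
    ET.SubElement(transforms, ds("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA1_URI)
    ET.SubElement(ref, ds("DigestValue")).text = compute_digest_value(xml_text, ref_id)
    return ET.tostring(root, encoding="unicode")


def verify_digest(signed_xml):
    """Recompute the Reference digest from the markup and compare in constant time."""
    root = ET.fromstring(signed_xml)
    ref = root.find(f"{ds('Signature')}/{ds('SignedInfo')}/{ds('Reference')}")
    if ref is None:
        return False
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return False  # SAML allows only a same-document reference to the signed root's ID
    expected = ref.findtext(ds("DigestValue"), "").strip()
    actual = compute_digest_value(signed_xml, uri[1:])
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    signed = embed_digest(ASSERTION, ASSERTION_ID)
    print(signed)
    print("digest ok:", verify_digest(signed))
    print("after tampering:", verify_digest(signed.replace("alice", "mallory")))
```

The value that comes out has the same shape as the one quoted in the question: 20 SHA-1 bytes base64-encoded into 28 characters ending in a single `=`. Changing any byte that survives canonicalization (here the NameIdentifier text) changes the digest, whereas changing whitespace inside a start tag or attribute order does not, which is exactly why the canonicalization step Scott points to matters: the verifier must reproduce the signer's octet stream, not the signer's bytes on the wire.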
