OpenSAML user discussion

["Scott Cantor" <>]

> Any idea? Should I post the SAMLResponse itself?

You could try, but I won't have any time to look at it for a while, and I
doubt I'd learn anything if I did. signtest is not easy to use. It's
possible you're just corrupting the XML in the process of supplying it. I'd
be more concerned if you fed in the raw base64 by hand, decoded it, and
wrote code to verify that.

For that matter, if you're actually generating a POST response, you could
supply it to a Shibboleth test server and we could try and diagnose it that
way.

I used to be very paranoid about this stuff, but at this point, I know that
the C++ can verify Java stuff fine, I've tested against many different
codebases. I'm not as confident about the C++ signing, only because of how
I'm serializing the XML, but the other direction has worked fine.

-- Scott