mace-opensaml-users - RE: SAMLResponse verification

Subject: OpenSAML user discussion

  • From: Marc Jadoul <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: RE: SAMLResponse verification
  • Date: Wed, 20 Jul 2005 19:11:34 +0200

Hello Scott,

Thanks for the response.

It is not a corruption problem. I do openssl base64 -d | signtest ...
Obviously I resolved the problem by installing the opensaml-1.1RC2 jar. Now
it works. But I did not change the C code. Probably the problem lies
in Java, but I can't blame you because I must use Xerces 2.7.... The old
opensaml.jar was from version 1.0.1.

Now my SAMLResponse is not 100% standard either, as it contains an
additional Attribute statement. And (might be related?) I also had some
problems there:

    SAMLStatement[] statements = {
        new SAMLAuthenticationStatement(
            (SAMLSubject) subject.clone(),   // cloned copy; the attribute statement below uses the original
            SAMLAuthenticationStatement.AuthenticationMethod_Password,
            new Date(System.currentTimeMillis()),
            null, null, null),
        new SAMLAttributeStatement(subject, createSAMLAttributeList(profile))
    };

If I do not clone() the subject, only one of the statements (in the
resulting XML) contains the Subject. Doing checkValidity() on the
Assertion (before encoding in XML) does not see any problem. But maybe
this is also fixed in version 1.1. And it might also simply be the way
it works?

Best regards,

Marc

On Wed, 2005-07-20 at 12:16 -0400, Scott Cantor wrote:
> > Any idea? Should I post the SAMLResponse itself?
>
> You could try, but I won't have any time to look at it for a while, and I
> doubt I'd learn anything if I did. signtest is not easy to use. It's
> possible you're just corrupting the XML in the process of supplying it. I'd
> be more concerned if you fed in the raw base64 by hand, decoded it, and
> wrote code to verify that.
>
> For that matter, if you're actually generating a POST response, you could
> supply it to a Shibboleth test server and we could try and diagnose it that
> way.
>
> I used to be very paranoid about this stuff, but at this point, I know that
> the C++ can verify Java stuff fine, I've tested against many different
> codebases. I'm not as confident about the C++ signing, only because of how
> I'm serializing the XML, but the other direction has worked fine.
>
> -- Scott
>
>
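The Subject vanishing from one of the two statements when the same object is reused is consistent with W3C DOM reparenting (appendChild moves a node that already has a parent), but that is an assumption about the cause, not something the thread states. The Python example below, added here and not part of the thread or of OpenSAML, reproduces that rule with the standard library's minidom (which follows the same W3C behaviour as Xerces) and shows that a deep clone keeps a Subject under both statements; the NameIdentifier value is a constructed placeholder.

```python
# Added example (not from the thread): one Subject node reused under two
# statements ends up under only one of them once the tree is serialized,
# because appendChild() detaches a node from its previous parent first.
# A deep clone (cloneNode(True)) gives each statement its own copy.
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def build_assertion(clone_subject: bool) -> minidom.Document:
    """Build a minimal Assertion with two statements that share one Subject object."""
    doc = minidom.getDOMImplementation().createDocument(SAML_NS, "saml:Assertion", None)
    assertion = doc.documentElement
    assertion.setAttribute("xmlns:saml", SAML_NS)  # declare the prefix for re-parsing

    subject = doc.createElementNS(SAML_NS, "saml:Subject")
    name_id = doc.createElementNS(SAML_NS, "saml:NameIdentifier")
    name_id.appendChild(doc.createTextNode("user@example.org"))  # constructed value
    subject.appendChild(name_id)

    for tag in ("saml:AuthenticationStatement", "saml:AttributeStatement"):
        stmt = doc.createElementNS(SAML_NS, tag)
        # Reuse the very same node (the failing case) or attach a deep copy.
        stmt.appendChild(subject.cloneNode(True) if clone_subject else subject)
        assertion.appendChild(stmt)
    return doc


def count_subjects(doc: minidom.Document) -> int:
    """Count Subject elements in the serialized XML, i.e. what a verifier receives."""
    reparsed = minidom.parseString(doc.toxml())
    return len(reparsed.getElementsByTagNameNS(SAML_NS, "Subject"))


def statements_missing_subject(doc: minidom.Document) -> list:
    """Local names of statements that ended up without a Subject child."""
    missing = []
    for stmt in doc.documentElement.childNodes:
        if stmt.nodeType != stmt.ELEMENT_NODE:
            continue
        if not stmt.getElementsByTagNameNS(SAML_NS, "Subject"):
            missing.append(stmt.localName)
    return missing


if __name__ == "__main__":
    shared = build_assertion(clone_subject=False)
    print(count_subjects(shared), statements_missing_subject(shared))
    cloned = build_assertion(clone_subject=True)
    print(count_subjects(cloned), statements_missing_subject(cloned))
```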



