mace-opensaml-users - RE: SAMLResponse verification

Subject: OpenSAML user discussion

RE: SAMLResponse verification

  • From: "Scott Cantor" <>
  • To: "'Marc Jadoul'" <>
  • Cc: <>
  • Subject: RE: SAMLResponse verification
  • Date: Wed, 20 Jul 2005 13:20:41 -0400
  • Organization: The Ohio State University

> It is not a corruption problem. I do openssl base64 -d | signtest ...

Ok, just a thought.

> Obviously I resolved the problem by installing the opensaml-1.1RC2 jar. Now
> it works. But I did not change the C code. Probably the problem lies
> in Java, but I can't blame you because I must use xerces 2.7.... The old
> opensaml.jar was from version 1.0.1.

Hmm, that's not what I would have expected at all. I can definitely assure
you that we verify stuff signed with the older code all the time, otherwise
Shibboleth itself wouldn't work across versions. But there are bugs all over
that code, maybe one of them is involved somewhere here.

> Now my SAMLResponse is not 100% standard either, as it contains an
> additional Attribute statement. And (might be related?) if I do not
> clone() the subject, only one of the statements (in the resulting XML)
> contains the Subject.

That is expected. Objects are owned by the parent objects they live in, so
you can't add one subject to two statements, it wouldn't work. In C++, this
is obvious, since objects have lifetimes and you'd get a double delete. In
Java, it will manifest in confusing ways.

> Doing checkValidity() on the
> Assertion (before encoding in XML) does not see any problem.

In 1.1, you'll get an error when you try to add the same subject to the
second statement in both languages. There are backpointers now that track
the relationships.

-- Scott
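
The ownership rule Scott describes (an object belongs to the parent it lives in, so one Subject cannot be attached to two statements, and 1.1 uses backpointers to reject the attempt) is illustrated below with a deliberately small, hypothetical object model. This is an added example, not code from OpenSAML or from either correspondent; the class names (`Subject`, `Statement`, `Assertion`), the `setSubject`/`clone`/`toXml` methods and the sample NameIdentifier value are all invented here.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical, simplified object model. Names are invented for this example;
// they are not OpenSAML's classes or methods.

struct Statement;

struct Subject {
    std::string nameId;
    Statement* parent = nullptr;          // backpointer: the statement that owns this object

    // A clone is a fresh, unowned copy that another statement may adopt.
    std::unique_ptr<Subject> clone() const {
        auto copy = std::make_unique<Subject>();
        copy->nameId = nameId;
        return copy;
    }
};

struct Statement {
    std::string type;
    std::unique_ptr<Subject> subject;     // owned: exactly one parent may hold it

    // Takes ownership of 'subj'. Rejects an object that already has a parent,
    // which is the check the message attributes to 1.1; older code silently
    // let both statements refer to the same object, and only one of them
    // ended up with a Subject in the emitted XML.
    void setSubject(Subject* subj) {
        if (subj->parent != nullptr) {
            throw std::logic_error("Subject already owned by a " + subj->parent->type);
        }
        subj->parent = this;
        subject.reset(subj);
    }

    std::string toXml() const {
        std::string xml = "<" + type + ">";
        if (subject) xml += "<Subject>" + subject->nameId + "</Subject>";
        return xml + "</" + type + ">";
    }
};

struct Assertion {
    std::vector<std::unique_ptr<Statement>> statements;

    Statement& addStatement(const std::string& type) {
        statements.push_back(std::make_unique<Statement>());
        statements.back()->type = type;
        return *statements.back();
    }

    // How many statements would carry a Subject when serialized.
    std::size_t statementsWithSubject() const {
        std::size_t n = 0;
        for (const auto& s : statements) if (s->subject) ++n;
        return n;
    }

    std::string toXml() const {
        std::string xml = "<Assertion>";
        for (const auto& s : statements) xml += s->toXml();
        return xml + "</Assertion>";
    }
};

// Reusing one Subject object for two statements: the ownership check rejects it.
bool sameSubjectRejected() {
    Assertion a;
    Statement& auth = a.addStatement("AuthenticationStatement");
    Statement& attr = a.addStatement("AttributeStatement");
    auth.setSubject(new Subject{"user@example.org"});   // constructed sample NameIdentifier
    try {
        attr.setSubject(auth.subject.get());              // same object, second parent
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// Cloning the Subject gives each statement its own copy, so both appear in the XML.
std::size_t statementsWithSubjectWhenCloned() {
    Assertion a;
    Statement& auth = a.addStatement("AuthenticationStatement");
    Statement& attr = a.addStatement("AttributeStatement");
    auth.setSubject(new Subject{"user@example.org"});   // constructed sample NameIdentifier
    attr.setSubject(auth.subject->clone().release());     // fresh, unowned copy
    std::cout << a.toXml() << '\n';
    return a.statementsWithSubject();
}

int main() {
    std::cout << "same object rejected: " << (sameSubjectRejected() ? "yes" : "no") << '\n';
    std::cout << "statements with Subject after clone(): " << statementsWithSubjectWhenCloned() << '\n';
    return 0;
}
```

The point for a relying party is that an assertion whose second statement lacks a Subject is not a signature or transport problem; it was built that way, and checkValidity() on the in-memory tree cannot see it because the shared object looks fine until serialization. The backpointer check turns that silent omission into a loud error at construction time.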