
mace-opensaml-users - signed assertions in <Evidence> in <AuthorizationDecisionStatement>

Subject: OpenSAML user discussion

  • From: Giandomenico Napolitano <>
  • Subject: signed assertions in <Evidence> in <AuthorizationDecisionStatement>
  • Date: Tue, 2 Aug 2005 21:06:02 +0200

I'm developing a web application that obtains single assertions from various SAML responders (Shibboleth's HS and AA atm) to use them as tokens (evidence) in an AuthorizationDecisionQuery to a SAML PDP. The resulting AuthorizationDecisionStatement will contain the evidence received in the query in addition to the actual authorization decision. Being tokens, I need the single evidence assertions to maintain their original signature.

In the PDP I use this code to construct the Authorization statement:

import java.util.Iterator;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
// `query` is a SAMLAuthorizationDecisionQuery received by the PDP, `statement` is the
// SAMLAuthorizationDecisionStatement being built, `log` is the application's logger.

Iterator i = query.getEvidence();   // mix of SAMLAssertion objects and String assertion IDs
Object entry = null;
while (i.hasNext()) {
    try {
        entry = i.next();
        if (entry instanceof SAMLAssertion) {
            // why can't I remove this clone()?
            statement.addEvidence(((SAMLAssertion) entry).clone());
        } else if (entry instanceof String) {
            // AssertionIDReference evidence: the copy is harmless but not needed for a String
            statement.addEvidence(new String((String) entry));
        } else {
            log("invalid evidence");
        }
    } catch (SAMLException e) {
        log("invalid evidence" + e);
        log("class:" + entry.getClass().getName());
    }
}

clone()ing the assertions removes the signature, but without clone() I get a "SAMLObject.setParent() called on an already-contained object" error. The strange fact is that I don't have the same problem on the client side (the webapp) when inserting evidence in the query. The only difference is that the request containing the query is not being signed, while the assertion containing the statement contains multiple nested signatures (authZ + each evidence assertion). Maybe this is the problem? Can I have signed assertions nested as evidence in a signed assertion?

Thanks, Giandomenico Napolitano.
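The "already-contained object" error in the post is the OpenSAML 1.x wrapper-level form of a rule that also holds for the underlying DOM: a node has exactly one parent, so an evidence assertion that is still attached to the incoming query cannot simply be appended to the outgoing statement, and a field-by-field clone() rebuilds the object without the signed DOM it was parsed from. The example below is added by the editor and is not OpenSAML code or code from the poster; it uses only JAXP (org.w3c.dom) to show the two behaviours on constructed sample XML: appending an element that belongs to another Document is rejected with WRONG_DOCUMENT_ERR, while Document.importNode(node, true) deep-copies the subtree, ds:Signature included, so the copy is node-for-node equal to the original. The assertion XML, issuer names and the SignatureValue are constructed placeholders (the signature is not real, so only structural preservation is demonstrated). How to hand such a DOM element back to an OpenSAML 1.x object (the SAMLAssertion(Element) constructor in 1.x) is an assumption to check against the javadoc of the version in use.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

/** Added example (not OpenSAML code): embedding a signed SAML 1.x assertion as Evidence at the DOM level. */
public class NestedEvidenceDemo {
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample evidence assertion (hypothetical issuer). The SignatureValue is a
    // placeholder string, not a real signature: only structural preservation is shown here.
    static final String EVIDENCE_XML =
          "<saml:Assertion xmlns:saml=\"" + SAML + "\" AssertionID=\"_evidence1\""
        + " Issuer=\"https://aa.example.org\" IssueInstant=\"2005-08-02T19:06:02Z\""
        + " MajorVersion=\"1\" MinorVersion=\"1\">"
        + "<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier>"
        + "</saml:Subject></saml:AttributeStatement>"
        + "<ds:Signature xmlns:ds=\"" + DS + "\"><ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>"
        + "</ds:Signature></saml:Assertion>";

    // Constructed sample decision assertion with an empty <Evidence/> to fill.
    static final String DECISION_XML =
          "<saml:Assertion xmlns:saml=\"" + SAML + "\" AssertionID=\"_decision1\""
        + " Issuer=\"https://pdp.example.org\" IssueInstant=\"2005-08-02T19:06:03Z\""
        + " MajorVersion=\"1\" MinorVersion=\"1\">"
        + "<saml:AuthorizationDecisionStatement Resource=\"https://app.example.org/doc\" Decision=\"Permit\">"
        + "<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>"
        + "<saml:Action>read</saml:Action><saml:Evidence/>"
        + "</saml:AuthorizationDecisionStatement></saml:Assertion>";

    /** Namespace-aware, DTD-free parse: SAML tokens come from other parties, so no entity expansion. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static String serialize(Node n) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(n), new StreamResult(w));
        return w.toString();
    }

    /**
     * Copies the evidence subtree (Signature element included) into the decision document's
     * <Evidence> and returns true if the copy is node-for-node equal to the original.
     */
    static boolean embedEvidence(Document decision, Element evidence) {
        Element container = (Element) decision.getElementsByTagNameNS(SAML, "Evidence").item(0);
        Node copy = decision.importNode(evidence, true);   // deep copy; the original stays where it is
        container.appendChild(copy);
        return evidence.isEqualNode(copy);                  // ignores parent/owner, compares content
    }

    public static void main(String[] args) throws Exception {
        Element evidence = parse(EVIDENCE_XML).getDocumentElement();
        Document decision = parse(DECISION_XML);
        Element container = (Element) decision.getElementsByTagNameNS(SAML, "Evidence").item(0);

        // 1. A node still owned by another tree cannot be appended: one node, one parent.
        try {
            container.appendChild(evidence);
            System.out.println("unexpected: node was moved");
        } catch (DOMException e) {
            System.out.println("appendChild rejected, code=" + e.code
                + " (WRONG_DOCUMENT_ERR=" + DOMException.WRONG_DOCUMENT_ERR + ")");
        }

        // 2. Importing a deep copy keeps the evidence, and its Signature subtree, intact.
        System.out.println("evidence preserved: " + embedEvidence(decision, evidence));
        System.out.println(serialize(decision));
    }
}
```

Two points for anyone relying on this. The copied SignatureValue only stays valid if the signed bytes are unchanged by re-parenting: with exclusive canonicalization (what OpenSAML 1.x applies by default) the evidence canonicalizes the same inside the new parent, whereas inclusive C14N would pull the outer assertion's in-scope namespace declarations into the digest and break verification. And the outer signature over the decision assertion must be computed after the evidence is embedded, since it covers the nested signed assertions as plain content.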
