
mace-opensaml-users - SAMLConfig.strict_dom_checking has to be true ?

Subject: OpenSAML user discussion


SAMLConfig.strict_dom_checking has to be true ?


  • From: Bin Lu <>
  • To:
  • Subject: SAMLConfig.strict_dom_checking has to be true ?
  • Date: Thu, 22 Dec 2005 11:13:23 -0800


--- Begin Message ---
  • From: Bin Lu <>
  • To: Scott Cantor <>
  • Subject: Re: getting InvalidCryptoException in SAMLResponse verification
  • Date: Thu, 22 Dec 2005 11:05:27 -0800
Scott,

Thank you very much for your help. I found a problem in my code and verification is now working
with the new SAML response.

One more question: SAML verification only works when SAMLConfig.strict_dom_checking is true,
which is the default. If I set it to false, then it continues to throw "Referenced ID is not in DOM Document"
error. I verified that with the opensaml test program signtest.cc.

Any idea?

Thanks,
-binlu

Scott Cantor wrote:
> Could you pass me a saml response xml file that passes your test ?

Sure, but if it gets munged in some way by the email message, it would be
impossible to know for sure what happened.

Anyway, that's a signed response, but the assertion isn't. And it was signed
in Java, not in C++.

-- Scott

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2005-12-19T17:38:19.412Z" MajorVersion="1" MinorVersion="1" Recipient="https://wayf.internet2.edu/Shibboleth.sso/SAML/POST" ResponseID="_6c98c7e004b5921ec2ac833f6f858577"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> <ds:Reference URI="#_6c98c7e004b5921ec2ac833f6f858577"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod> <ds:DigestValue>eIHBjLc1aW0fBMWEpP3r/wRDdEo=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> cMJY70Sk/WRy/r0zFP6FVZnlvk648p9rHgM/9W7PVI5HhbzNRPTK/K/RSLBsNwl+rwLL+P71ce+G cMfP5l+mQq7rYqXd6bM3W+8mSIv0eG2chtGy75lJD8DiuNmpzjAsMIdMgxtBTR7lb6lidw7WPNL9 8G9TlqWV0Q3Z96JaT0I9n4baMeakUo6XHaI8Ct1kRDGrBn/3BCLcNZiNufTAx0lN655TupVc4Zps 2tJ/GCBfciUE3PzvIDbYeoLla19JVGVs80Itm5S7KxBCn8Zfb7jFhKTfqKdP/cUcQSy0XxEUizhj SP+OERjjQzGPKoV3kqNlQXGN9/BXMHNqAYWBog== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDdjCCAt+gAwIBAgICBuYwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVTMRIwEAYDVQQI EwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoTF1VuaXZlcnNpdHkgb2YgV2lz 
Y29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYD VQQDExxIRVBLSSBTZXJ2ZXIgQ0EgLS0gMjAwMjA3MDFBMB4XDTA1MTIxODEyMTcwMloXDTEwMDEy NzEyMTcwMlowgbMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCcmVtZW4xFDASBgNVBAcTC0JyZW1l cmhhdmVuMSAwHgYDVQQKExdBbGZyZWQtV2VnZW5lci1JbnN0aXR1dDELMAkGA1UECxMCUloxITAf BgNVBAMTGHNoaWJzLmF3aS1icmVtZXJoYXZlbi5kZTErMCkGCSqGSIb3DQEJARYcc21ha2VkYW56 QGF3aS1icmVtZXJoYXZlbi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANnWtO+g CyyfaU3XsJqepnzZNyORCmWUdE3XoTO7qTi4uYL2nEYB6coUpzZMbBYV3gMhaWOHi5nAta6IXdeX w53Rhlci8N4J47vQcodmG7kwb5olj0Rmbh0mOvwzjT2JYmw9CR3dsQ4prBFPbG9sgndEAel2WBPz 586lkeeQk3D37kKG6hk9QL6yK22Heh3uQ6A+D+K/XUerY2BolRBpiCLQFHW9md8FBXU1N85Kq9pG 91qcvgg7k9w6LeCepr8KqPEI1x2VM7lVDvzf6onpv3IPxAMXglhKcS7TfaRVPlYPA7tXXkVAMkIo wkBxc2k/1/AHRTcA99HVkRqj3ixe3YsCAwEAAaMdMBswDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMC BaAwDQYJKoZIhvcNAQEEBQADgYEAdWIk/C4b1RcS2sPmvz+rryIzvARSH0o4IrY2FJnJS6GnRyOT ZeVur/J2hw6kZmIg3edEPsGW1lqU1NG27Cmbl4SZhvpeqBmHdAUMiJ/ARvYb63KsNQYCFYn8uIfd E/KVrzXuvS36K1jMa4pOpK3+ntamjd1N3jAMSxh9HAkPJg8= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_533bcd468a5f8d0816ed6bd07300b4d1" IssueInstant="2005-12-19T17:38:19.405Z" Issuer="urn:mace:inqueue:awi-bremerhaven.de" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2005-12-19T17:38:19.405Z" NotOnOrAfter="2005-12-19T17:43:19.405Z"><AudienceRestrictionCondition><Audience>urn:mace:inqueue</Audience><Audience>urn:mace:inqueue:example.edu</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2005-12-19T17:38:19.405Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="urn:mace:inqueue:awi-bremerhaven.de">_328971fbea9de1337fc7920d43b7af4b</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="172.18.6.175"></SubjectLocality></AuthenticationStatement></Assertion></Response>


--- End Message ---
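As an added example (not code from this thread or from OpenSAML), the DOM-side check that the "Referenced ID is not in DOM Document" error is about, written against the Python standard library: resolve the signature's "#id" reference against the SAML 1.x ID attributes, require exactly one match, and require that the ds:Signature is enveloped by that element. Run on a constructed response modelled on Scott's, it reports that the Response is what was signed and that the Assertion is covered only as part of the Response's subtree; the function names, the sample document and its placeholder digest/signature values are assumptions of mine.

```python
import xml.dom.minidom as minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# SAML 1.x puts its IDs in these attributes, so a verifier must register them itself.
SAML1_ID_ATTRS = ("ResponseID", "AssertionID", "RequestID")
# Constructed sample modelled on the thread's response (signed Response, unsigned Assertion);
# the digest and signature values are placeholders, not real cryptographic output.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
  ResponseID="_6c98c7e004b5921ec2ac833f6f858577" IssueInstant="2005-12-19T17:38:19.412Z">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:Reference URI="#_6c98c7e004b5921ec2ac833f6f858577"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>
 <saml:Assertion AssertionID="_533bcd468a5f8d0816ed6bd07300b4d1" Issuer="urn:mace:inqueue:awi-bremerhaven.de"/>
</Response>"""

def elements_with_id(node, ident, found):  # every element whose SAML 1.x ID equals ident
    for child in node.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            if any(child.getAttribute(a) == ident for a in SAML1_ID_ATTRS):
                found.append(child)
            elements_with_id(child, ident, found)
    return found

def inside(node, ancestor):  # True when node is ancestor or one of its descendants
    while node is not None and node is not ancestor:
        node = node.parentNode
    return node is ancestor

def check_enveloped_signature(xml_text):
    """Resolve the signature's same-document reference and report what it actually covers."""
    doc = minidom.parseString(xml_text)
    sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature")
    if len(sigs) != 1:
        raise ValueError("expected exactly one ds:Signature, found %d" % len(sigs))
    refs = sigs[0].getElementsByTagNameNS(DSIG_NS, "Reference")
    if len(refs) != 1 or not refs[0].getAttribute("URI").startswith("#"):
        raise ValueError('expected one same-document ds:Reference (URI="#id")')
    ident = refs[0].getAttribute("URI")[1:]
    matches = elements_with_id(doc, ident, [])
    if len(matches) != 1:  # zero is the thread's failure mode; more than one is an ID collision
        raise ValueError("referenced ID %r resolved to %d elements, not 1" % (ident, len(matches)))
    signed = matches[0]
    if sigs[0].parentNode is not signed:  # enveloped: Signature must be a child of what it signs
        raise ValueError("ds:Signature is not a child of the referenced element")
    # Assertions inside the signed subtree, ignoring any tucked inside the Signature itself.
    assertions = [n for n in signed.getElementsByTagName("*")
                  if n.localName == "Assertion" and not inside(n, sigs[0])]
    return {"signed_element": signed.localName, "signed_id": ident,
            "assertions_covered": len(assertions)}
```

With strict DOM checking off, OpenSAML 1.x never registers the ResponseID/AssertionID attributes as IDs, which is why the reference lookup above ends with zero matches and the verifier reports the ID as absent from the document.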


