
mace-opensaml-users - RE: getting InvalidCryptoException in SAMLResponse verification

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: "'Bin Lu'" <>
  • Cc: <>
  • Subject: RE: getting InvalidCryptoException in SAMLResponse verification
  • Date: Thu, 22 Dec 2005 14:26:49 -0500
  • Organization: The Ohio State University

> Thank you very much for your help. I found a problem in my
> code and verification is now working with the new saml response.

Ok. Could you outline at all what the issue was? Just in case it comes up
again. I ask mainly because I couldn't see any problem with it.

> One more question, saml verification only works when
> SAMLConfig.strict_dom_checking is true,
> which is the default. If I set it to false, then it continues
> to throw "Referenced ID is not in DOM Document"
> error. I verified that with the opensaml test program signtest.cc.

Umm, no. I can't explain how that could possibly affect it. I don't see any
way in which the code paths could be related. The only thing the flag
changes is one conditional statement, and it has no effect on the parsing
process.

The source of a missing ID is basically that XML schema validation is not
happening, or the schema itself is not correctly identifying the ID. I
neglected to note it, but the basic issue is that you need SAML 1.1 support
for signing to work properly. By default, you should be using SAML 1.1. Only
setting the compatibility mode flag would change that, not the
strict_dom_checking flag.

-- Scott
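
The ID-typing point in the reply above, as an added illustration that is not part of the original message and is not OpenSAML code: a same-document signature reference only resolves once the parser knows which attribute is an ID. Python's minidom stands in for the C++ parser, the `ID_ATTRS` table is a hypothetical stand-in for what SAML 1.1 schema validation supplies, and the Response document is constructed sample data.

```python
from xml.dom import minidom

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a SAML 1.1 Response skeleton with an enveloped signature.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ResponseID="_constructed123"
    MajorVersion="1" MinorVersion="1">
  <ds:Signature xmlns:ds="{DSIG}">
    <ds:SignedInfo>
      <ds:Reference URI="#_constructed123"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""

# Hypothetical stand-in for the schema: which attribute is ID-typed where.
ID_ATTRS = {(SAMLP, "Response"): "ResponseID"}


def apply_id_typing(doc):
    """Mark ID attributes, as a validating parser would do from the schema."""
    for (ns, local), attr in ID_ATTRS.items():
        for el in doc.getElementsByTagNameNS(ns, local):
            if el.hasAttribute(attr):
                el.setIdAttribute(attr)


def resolve_reference(xml_text, validate):
    """Resolve the first ds:Reference URI to the element it points at."""
    doc = minidom.parseString(xml_text)
    if validate:
        apply_id_typing(doc)
    ref = doc.getElementsByTagNameNS(DSIG, "Reference")[0]
    uri = ref.getAttribute("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    # Without ID typing, ResponseID is an ordinary attribute and the
    # lookup finds nothing, even though the value is present in the XML.
    target = doc.getElementById(uri[1:])
    if target is None:
        raise LookupError("Referenced ID is not in DOM Document")
    return target


if __name__ == "__main__":
    print(resolve_reference(SAMPLE, validate=True).tagName)
    try:
        resolve_reference(SAMPLE, validate=False)
    except LookupError as exc:
        print("without ID typing:", exc)
```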



