mace-opensaml-users (OpenSAML user discussion) - list archive

Re: getting InvalidCryptoException in SAMLResponse verification

  • From: Bin Lu
  • To: Scott Cantor
  • Subject: Re: getting InvalidCryptoException in SAMLResponse verification
  • Date: Thu, 22 Dec 2005 12:09:35 -0800

Scott Cantor wrote:
Thank you very much for your help. I found a problem in my
code and verification is now working with the new SAML response.

Ok. Could you outline at all what the issue was? Just in case it comes up
again. I ask mainly because I couldn't see any problem with it.
It is related to the defects of opensaml 0.9.1 in its signing part. To work around that
problem, we re-created another SAMLResponse object with the DOM tree from
the original Response object. Then after the response is signed, we were using the
wrong object to generate the xml message.

One more question, SAML verification only works when
SAMLConfig.strict_dom_checking is true,
which is the default. If I set it to false, then it continues
to throw "Referenced ID is not in DOM Document"
error. I verified that with the opensaml test program signtest.cc.

Umm, no. I can't explain how that could possibly affect it. I don't see any
way in which the code paths could be related. The only thing the flag
changes is one conditional statement, and it has no effect on the parsing
process.

The source of a missing ID is basically that XML schema validation is not
happening, or the schema itself is not correctly identifying the ID. I
neglected to note it, but the basic issue is that you need SAML 1.1 support
for signing to work properly. By default, you should be using SAML 1.1. Only
setting the compatibility mode flag would change that, not the
strict_dom_checking flag.
It will be a business judgement as the saml upgrade requires an upgrade of other components
that impact other areas of the product.

-binlu

-- Scott
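To show why the missing-ID error is about ID typing rather than any parsing flag, here is an added example (not code from the thread or from OpenSAML) using Python's xml.dom.minidom as a stand-in for the Xerces DOM OpenSAML uses: a same-document Reference URI only resolves once the ResponseID attribute is known to the DOM as ID-typed, which is what schema validation (hence SAML 1.1 support) supplies. The SAML snippet, the function name and the (tagName, attribute) pair passed in are constructed for this example.

```python
import xml.dom.minidom as minidom

# Constructed sample: an unsigned SAML 1.1-style Response (not from the
# thread). A real ds:Signature over it would carry <ds:Reference
# URI="#_abc123"/>, which the verifier resolves through the DOM.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                ResponseID="_abc123" MajorVersion="1" MinorVersion="1">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
</samlp:Response>"""


def resolve_reference(xml_text, uri, id_attr=None):
    """Resolve a same-document Reference URI ("#value") against the DOM.

    Returns the tagName of the referenced element, or None when no element
    has an ID-typed attribute with that value (the situation behind
    "Referenced ID is not in DOM Document").

    id_attr: optional (tagName, attributeName) pair declared to be of ID
    type before the lookup. This stands in for what schema validation
    gives the parser: without it the DOM treats ResponseID as a plain
    string and getElementById cannot find it.
    """
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    doc = minidom.parseString(xml_text)
    if id_attr is not None:
        tag, attr = id_attr
        for element in doc.getElementsByTagName(tag):
            if element.hasAttribute(attr):
                element.setIdAttribute(attr)  # now ID-typed for getElementById
    element = doc.getElementById(uri[1:])
    return element.tagName if element is not None else None


if __name__ == "__main__":
    # No ID typing: lookup fails although the attribute value is present.
    print(resolve_reference(SAMPLE_RESPONSE, "#_abc123"))
    # With ResponseID declared as ID type, the same reference resolves.
    print(resolve_reference(SAMPLE_RESPONSE, "#_abc123",
                            ("samlp:Response", "ResponseID")))
```

Toggling an unrelated option would change neither result; only giving the DOM the ID typing does.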