mace-opensaml-users - Re: getting InvalidCryptoException in SAMLResponse verification
Subject: OpenSAML user discussion
- From: Bin Lu
- To: Scott Cantor
- Subject: Re: getting InvalidCryptoException in SAMLResponse verification
- Date: Thu, 22 Dec 2005 12:09:35 -0800
Scott Cantor wrote:
>> Thank you very much for your help. I found a problem in my code and verification is now working with the new saml response.
>
> Ok. Could you outline at all what the issue was? Just in case it comes up again. I ask mainly because I couldn't see any problem with it.

It is related to the defects of opensaml 0.9.1 in its signing part. To work around that problem, we re-created another SAMLResponse object with the DOM tree from the original Response object. Then after the response is signed, we were using the wrong object to generate the xml message.

>> One more question, saml verification only works when SAMLConfig.strict_dom_checking is true, which is the default. If I set it to false, then it continues to throw "Referenced ID is not in DOM Document" error. I verified that with the opensaml test program signtest.cc.
>
> Umm, no. I can't explain how that could possibly affect it. I don't see any way in which the code paths could be related. The only thing the flag changes is one conditional statement, and it has no effect on the parsing process. The source of a missing ID is basically that XML schema validation is not happening, or the schema itself is not correctly identifying the ID.
>
> I neglected to note it, but the basic issue is that you need SAML 1.1 support for signing to work properly. By default, you should be using SAML 1.1. Only setting the compatibility mode flag would change that, not the strict_dom_checking flag.

It will be a business judgement as saml upgrade requires upgrade of other components that impacts other areas of the product.

-binlu

> -- Scott
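
An added illustration, not part of the original message and not OpenSAML code: the "Referenced ID is not in DOM Document" failure mode described in the quoted reply, reproduced with Python's `xml.dom.minidom` standing in for the library's DOM. The sample document, its ID value and the helper names are constructed, and `setIdAttribute` is used here as an assumed stand-in for what schema validation does when it types `ResponseID` as an ID.

```python
from xml.dom import minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a SAML 1.1-style Response whose signature Reference
# points at the ResponseID. Digest and signature values are omitted because
# only reference resolution is demonstrated.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    ResponseID="_constructed123" MajorVersion="1" MinorVersion="1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_constructed123"/>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>"""


def reference_target(doc):
    """Resolve the first ds:Reference URI the way a verifier would:
    a same-document '#id' reference is looked up through the DOM's ID map."""
    ref = doc.getElementsByTagNameNS(DSIG_NS, "Reference")[0]
    uri = ref.getAttribute("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    # getElementById only sees attributes the DOM knows to be of type ID;
    # an attribute merely named like an ID is not enough.
    return doc.getElementById(uri[1:])


def mark_ids(doc, attr_name="ResponseID"):
    """Stand-in for schema validation: declare attr_name on the root as an ID."""
    root = doc.documentElement
    if root.hasAttribute(attr_name):
        root.setIdAttribute(attr_name)


def demo():
    doc = minidom.parseString(SAMPLE)
    before = reference_target(doc)  # no ID typing yet: lookup fails
    mark_ids(doc)
    after = reference_target(doc)   # ID typed: reference resolves
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before ID typing:", before)
    print("after ID typing: ", after.tagName)
```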