
mace-opensaml-users - RE: org.opensaml.MalformedException while Parsing Assertion

Subject: OpenSAML user discussion


RE: org.opensaml.MalformedException while Parsing Assertion


  • From: "Lawrence, Brad P" <>
  • To: Scott Cantor <>,
  • Subject: RE: org.opensaml.MalformedException while Parsing Assertion
  • Date: Wed, 17 May 2006 13:55:14 -0400

I discovered what the problem was. For some reason I was getting the
parsing exception only when I created the SAMLAuthenticationStatement
with an authentication method of
SAMLAuthenticationStatement.AuthenticationMethod_X509_PublicKey.

It worked when I changed my constructor from this:
SAMLStatement[] statements = {
    new SAMLAuthenticationStatement(authNSubject,
        SAMLAuthenticationStatement.AuthenticationMethod_X509_PublicKey,
        authTime, null, null, null)};

to this:

SAMLStatement[] statements = {
    new SAMLAuthenticationStatement(authNSubject,
        SAMLAuthenticationStatement.AuthenticationMethod_Unspecified,
        authTime, null, null, null)};

I am confused about why though; I thought that perhaps I was missing
something necessary for an AuthenticationMethod_X509_PublicKey so I
attempted to look for some specification on an authentication method of
X509 public key in this document:

http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf

But I didn't find anything that helped me understand why the error was
occurring.

Any ideas why I can't seem to parse my SAMLAssertion with:

new SAMLAssertion(element);

when I use SAMLAuthenticationStatement.AuthenticationMethod_X509_PublicKey?

I assume that I am missing something from a specification, but again I
am not sure.

Thanks for your time,

Brad



-----Original Message-----
From: Scott Cantor
[mailto:]

Sent: Wednesday, May 17, 2006 11:11 AM
To: Lawrence, Brad P;

Subject: RE: org.opensaml.MalformedException while Parsing Assertion

> So I will be the first to say that I don't know everything
> about the SAML spec, but I was fairly sure that you could use
> an X.509 cert as the confirmation data so basically that is
> what I am trying to do. Plus sign the SAML assertion with
> another key.

You can, but in SAML 1.1 you have to put KeyInfo data like that into a
dedicated element inside of SubjectConfirmation, not inside
SubjectConfirmationData.

> I am not sure what is going on, I am fairly sure I have a
> confirmation method in there at least my output to System.out
> shows it being in there.
>
> Any ideas because I am stumped?

I suspect the error is just misleading and the real problem is more to do
with limitations on that stuff in the code. You'll be much better off using
the 2.0 code when it's done, because it will support subject confirmation
properly. For starters, I think SubjectConfirmationData in the old code is
confined to a string.

I think the KeyInfo option has been used a little, but you'll have to put it
inside the SubjectConfirmation element.

-- Scott
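Added example (editor's note, not code from this thread or from OpenSAML): Scott's point is about where ds:KeyInfo belongs in a SAML 1.1 subject. The SAML 1.1 schema defines SubjectConfirmation as ConfirmationMethod+, then an optional SubjectConfirmationData, then an optional ds:KeyInfo as a direct child; putting the certificate under SubjectConfirmationData is what the old code cannot handle. The script below builds a minimal SAML 1.1 assertion with an X509-PKI authentication statement and a holder-of-key subject confirmation both ways, serializes and re-parses it (the step that was failing for Brad), and runs a structural check that flags the misplaced KeyInfo. The issuer, name identifier, assertion ID and certificate value are constructed placeholders; the check function is the editor's own and is not an OpenSAML API.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
AM_X509_PKI = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DS_NS)

# Constructed placeholder, not a real certificate.
FAKE_CERT_B64 = "MIIB-constructed-placeholder-not-a-real-cert"


def saml(tag):
    return "{%s}%s" % (SAML_NS, tag)


def ds(tag):
    return "{%s}%s" % (DS_NS, tag)


def build_assertion(key_info_inside_confirmation_data):
    """Build a minimal SAML 1.1 assertion confirmed by holder-of-key.

    True reproduces the layout discussed in the thread (ds:KeyInfo nested
    under SubjectConfirmationData); False places ds:KeyInfo where SAML 1.1
    expects it, as a direct child of SubjectConfirmation."""
    assertion = ET.Element(saml("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_constructed-example-id",   # constructed
        "Issuer": "https://idp.example.org",        # constructed
        "IssueInstant": "2006-05-17T17:55:14Z",
    })
    stmt = ET.SubElement(assertion, saml("AuthenticationStatement"), {
        "AuthenticationMethod": AM_X509_PKI,
        "AuthenticationInstant": "2006-05-17T17:55:00Z",
    })
    subject = ET.SubElement(stmt, saml("Subject"))
    ET.SubElement(subject, saml("NameIdentifier")).text = "brad@example.org"  # constructed
    sc = ET.SubElement(subject, saml("SubjectConfirmation"))
    ET.SubElement(sc, saml("ConfirmationMethod")).text = CM_HOLDER_OF_KEY

    if key_info_inside_confirmation_data:
        parent = ET.SubElement(sc, saml("SubjectConfirmationData"))
    else:
        parent = sc
    key_info = ET.SubElement(parent, ds("KeyInfo"))
    x509_data = ET.SubElement(key_info, ds("X509Data"))
    ET.SubElement(x509_data, ds("X509Certificate")).text = FAKE_CERT_B64
    return assertion


def roundtrip(assertion):
    """Serialize and re-parse, mirroring the DOM -> SAMLAssertion(element) step."""
    return ET.fromstring(ET.tostring(assertion, encoding="unicode"))


# Schema order for SubjectConfirmation children in SAML 1.1.
_ORDER = {saml("ConfirmationMethod"): 0, saml("SubjectConfirmationData"): 1, ds("KeyInfo"): 2}


def check_subject_confirmation(assertion):
    """Return a list of layout problems; an empty list means the subject
    confirmation follows the SAML 1.1 layout on the points raised above."""
    problems = []
    for sc in assertion.iter(saml("SubjectConfirmation")):
        methods = [c.text for c in sc.findall(saml("ConfirmationMethod"))]
        if not methods:
            problems.append("SubjectConfirmation lacks ConfirmationMethod")
        # Child elements must appear in schema order and be of known types.
        ranks = []
        for child in sc:
            if child.tag not in _ORDER:
                problems.append("unexpected child of SubjectConfirmation: %s" % child.tag)
            else:
                ranks.append(_ORDER[child.tag])
        if ranks != sorted(ranks):
            problems.append("SubjectConfirmation children out of schema order")
        # The mistake from the thread: KeyInfo buried inside SubjectConfirmationData.
        for scd in sc.findall(saml("SubjectConfirmationData")):
            if scd.find(".//" + ds("KeyInfo")) is not None:
                problems.append("ds:KeyInfo nested inside SubjectConfirmationData; "
                                "move it directly under SubjectConfirmation")
        # Holder-of-key is meaningless without a key to hold.
        if CM_HOLDER_OF_KEY in methods and sc.find(ds("KeyInfo")) is None:
            problems.append("holder-of-key confirmation without a direct ds:KeyInfo child")
    return problems


if __name__ == "__main__":
    for misplaced in (False, True):
        parsed = roundtrip(build_assertion(misplaced))
        print("KeyInfo misplaced=%s -> %s" % (misplaced, check_subject_confirmation(parsed) or "ok"))
```

The check is deliberately structural only: it says nothing about whether the certificate is valid or whether the assertion's signature verifies, which are separate steps a relying party still has to perform once the layout is right.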





