
mace-opensaml-users - RE: Exception when signing a SAMLAssertion

Subject: OpenSAML user discussion


RE: Exception when signing a SAMLAssertion


  • From: "Scott Cantor" <>
  • To: "'Paul Ashford'" <>, <>
  • Subject: RE: Exception when signing a SAMLAssertion
  • Date: Wed, 16 Aug 2006 14:42:08 -0400
  • Organization: The Ohio State University

> XML Signature on line#194 in SAMLSignedObject. However, the toDOM()
> method puts the ID on the Assertion tag as an attribute named
> "AssertionID", but ONLY puts it as an ID Attribute if the minor
> version of the Assertion > 0 (i.e. saml 1.1)

Because the type was not ID in SAML 1.0, it was just string.

> So, does this mean that SAML 1.0 documents cannot be signed?

Not interoperably, no; it requires use of XPath transforms or assumptions
that the whole document is signed, and nobody else could verify it easily.
That's why SAML 1.1 exists.

> Or, do I need to do something else to sign a SAML 1.0 document?

You have to turn the org.opensaml.compatibility-mode property on to allow
it, which causes everything to default to SAML 1.0. The code appears to sign
the whole document (Reference=""), which is only sometimes useful. I imagine
I dumped all the hopeless attempts to make it work with XPath to avoid a
Xalan dependency.

-- Scott
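The point of the reply above is that a ds:Reference of the form URI="#id" only works when the attribute holding the id is schema-typed xsd:ID, which AssertionID is in SAML 1.1 but not in SAML 1.0, so the only reference a 1.0 verifier can resolve without extra transforms is URI="" (the whole document). The following is an added illustration, not code from the thread and not the OpenSAML implementation: a small stdlib-only Python reference resolver and digest routine that models the rule (AssertionID is an ID attribute only when MinorVersion > 0), run over two constructed assertions that differ only in MinorVersion. The sample XML, the AssertionID value and the function names are my own assumptions; SHA-1 is used because that is the digest SAML 1.x signatures of that era typically carried.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # ET.canonicalize needs Python 3.8+

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1_NS)


def sample_assertion(minor_version):
    """Constructed SAML 1.x assertion (not from the thread); only MinorVersion varies."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" '
        f'MinorVersion="{minor_version}" AssertionID="_a1b2c3" '
        'Issuer="https://idp.example.org" IssueInstant="2006-08-16T18:42:08Z">'
        '<saml:AuthenticationStatement '
        'AuthenticationInstant="2006-08-16T18:42:00Z" '
        'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
        '<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>'
        '</saml:AuthenticationStatement></saml:Assertion>'
    )


def is_id_attribute(element, name="AssertionID"):
    """True if `name` is an xsd:ID-typed attribute on this element.

    SAML 1.0 declared AssertionID as xsd:string; SAML 1.1 (MinorVersion > 0)
    retyped it as xsd:ID, so only then can it be the target of URI="#...".
    """
    if element.tag != f"{{{SAML1_NS}}}Assertion" or name != "AssertionID":
        return False
    return element.get("MajorVersion") == "1" and int(element.get("MinorVersion", "0")) > 0


def resolve_reference(root, uri):
    """Resolve a ds:Reference URI against the parsed document.

    "" selects the whole document (the fallback the reply describes for
    compatibility mode); "#x" selects the element whose ID-typed attribute is x.
    """
    if uri == "":
        return root
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    wanted = uri[1:]
    for el in root.iter():
        if el.get("AssertionID") == wanted:
            if is_id_attribute(el):
                return el
            raise LookupError(
                f"AssertionID={wanted!r} is present but not ID-typed in SAML 1."
                f"{el.get('MinorVersion')}; sign with URI=\"\" or an XPath transform"
            )
    raise LookupError(f"no element with ID {wanted!r}")


def reference_digest(xml_text, uri):
    """Canonicalise the referenced node set and return the base64 SHA-1 DigestValue.

    Re-serialising the subtree before canonicalising approximates inclusive
    C14N of an element subtree; a real signer canonicalises the node set in place.
    """
    target = resolve_reference(ET.fromstring(xml_text), uri)
    c14n = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode("utf-8")).digest()).decode("ascii")


def can_sign_by_id(xml_text, uri="#_a1b2c3"):
    """True if an ID-based reference resolves, i.e. the signature would be interoperable."""
    try:
        resolve_reference(ET.fromstring(xml_text), uri)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    for minor in ("0", "1"):
        text = sample_assertion(minor)
        print(f'SAML 1.{minor}: URI="" digest      {reference_digest(text, "")}')
        print(f'SAML 1.{minor}: URI="#_a1b2c3" ok? {can_sign_by_id(text)}')
```

Running it shows the 1.1 assertion resolving by ID (and, since the assertion is the document root, producing the same digest for URI="" and URI="#_a1b2c3"), while the 1.0 assertion only resolves with the empty URI. One practical caveat when moving from this model to a real DOM-based signer such as the Java XML DSig API: schema typing is not consulted at all unless the parser validates, so the verifier must be told which attribute is the ID (for example via Element.setIdAttributeNS), and an attacker-controlled document that declares its own ID attributes is exactly the kind of thing signature-wrapping attacks exploit; resolve the reference, then check that the resolved element is the one the application actually consumes.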



