
mace-opensaml-users - Signing of Assertion instead of Response

Subject: OpenSAML user discussion

  • From: Andreas Vallen <>
  • Subject: Signing of Assertion instead of Response
  • Date: Mon, 15 Jan 2007 13:48:16 +0100

Hello Scott,

The version of the Sun Access Manager product that we test our opensaml-based IDP against expects the Assertion element, instead of the Response element, to be signed (in the case of successful Responses).

This is clearly an Access Manager bug - it should work either way. Nevertheless, signing the assertion element instead of the Response element could be desirable.

See below for our changes to one of the Encoder.encode methods that make this behaviour configurable.

If you find this additional configurability is worth the added complexity, maybe it would also be possible to extract the (now rather convoluted) signing behaviour into its own class to make it reusable by the various Encoders.

All the best,
Andreas


DOMElement* rootElement = NULL;
vector<Signature*> sigs;
if (credResolver && !m_simple) {
    // Signature based on native XML signing.
    if (request ? request->getSignature() : statusResponse->getSignature()) {
        log.debug("message already signed, skipping signature operation");
    }
    else {
        log.debug("signing and marshalling the message");

        // Build a Signature.
        Signature* sig = buildSignature(credResolver, sigAlgorithm);

        // Append Signature.
        if (request) {
            request->setSignature(sig);
        }
        else {
            Response* response = dynamic_cast<Response*>(statusResponse);
            if (!response) {
                // statusResponse is not a <Response> but some other
                // <StatusResponseType> and thus contains no assertion.
                log.debug("Appending Signature to Response Element.");
                statusResponse->setSignature(sig);
            }
            else {
                log.debug("message has type 'Response'");
                if (m_signAssertion) {
                    log.debug("Assertion element shall be signed. Searching for contained assertion.");
                    // Test for an empty list before calling front(): front() on an
                    // empty container is undefined behaviour, it does not return NULL.
                    if (!response->getAssertions().empty()) {
                        log.debug("Found assertion. Appending Signature element to Assertion instead of the Response Element.");
                        response->getAssertions().front()->setSignature(sig);
                    }
                    else {
                        log.debug("Response message contains no assertion, signing response element instead.");
                        response->setSignature(sig);
                    }
                }
                else {
                    log.debug("Assertion shall not be signed, signing response element.");
                    response->setSignature(sig);
                }
            }
        }
        sigs.push_back(sig);
    }
}


--
Andreas Vallen Software Engineer
fun communications GmbH Lorenzstrasse 29 D-76135 Karlsruhe
Tel: +49 721 96448-132 Fax: +49 721 96448-299

www.fun.de
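As an added illustration, not code from the message above or from OpenSAML: the sign-assertion-or-response selection logic the patch implements, modelled with stand-in types so it compiles on its own (Signature, SignableObject, Assertion, StatusResponseType, Response, alreadySigned and signMessage are all assumed names for this example, not the OpenSAML API). It deliberately differs from the posted snippet in three ways a reviewer would ask for: it tests for an empty assertion list before touching it, because front() on an empty container is undefined behaviour rather than NULL; it signs every contained assertion rather than only the first, because each Assertion child needs its own Signature object; and its already-signed check also looks at the assertions, so a second encode pass does not add a Response-level signature on top of already-signed assertions. The caveat for deployments that use this mode: the Response element, including its Status, is then unsigned, so the relying party must require a valid signature on every assertion it consumes and must treat the envelope as unauthenticated.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Illustrative stand-ins for the OpenSAML classes the posted snippet touches.
// Assumption: they model only the parent/child and Signature relationships;
// they are not the OpenSAML API.
struct Signature {
    std::string signedElement;   // which element this Signature covers
};

struct SignableObject {
    virtual ~SignableObject() {}
    virtual std::string elementName() const = 0;
    Signature* getSignature() const { return m_sig.get(); }
    void setSignature(Signature* sig) { m_sig.reset(sig); }   // takes ownership
private:
    std::unique_ptr<Signature> m_sig;
};

// <Assertion>: each one may carry its own <ds:Signature>.
struct Assertion : SignableObject {
    std::string id;
    explicit Assertion(const std::string& i) : id(i) {}
    std::string elementName() const override { return "Assertion#" + id; }
};

// StatusResponseType: LogoutResponse, ArtifactResponse, ... carry no assertions.
struct StatusResponseType : SignableObject {
    std::string elementName() const override { return "StatusResponse"; }
};

// <Response> is the StatusResponseType that may carry assertions.
struct Response : StatusResponseType {
    std::vector<std::unique_ptr<Assertion>> assertions;
    std::string elementName() const override { return "Response"; }
};

// True if the message already carries a signature anywhere the encoder would
// have put one, so a second encode() pass does not sign twice.
bool alreadySigned(const StatusResponseType& msg)
{
    if (msg.getSignature()) return true;
    const Response* r = dynamic_cast<const Response*>(&msg);
    if (r) {
        for (size_t i = 0; i < r->assertions.size(); ++i)
            if (r->assertions[i]->getSignature()) return true;
    }
    return false;
}

// Apply the sign-assertion-or-response policy. Returns the names of the
// elements that received a Signature (empty if nothing was signed).
std::vector<std::string> signMessage(StatusResponseType& msg, bool signAssertion)
{
    std::vector<std::string> targets;
    if (alreadySigned(msg)) return targets;

    Response* response = dynamic_cast<Response*>(&msg);
    if (response && signAssertion && !response->assertions.empty()) {
        // One Signature object per signed element: a Signature is a child of
        // exactly one XMLObject and cannot be shared between assertions.
        for (size_t i = 0; i < response->assertions.size(); ++i) {
            Assertion& a = *response->assertions[i];
            a.setSignature(new Signature{a.elementName()});
            targets.push_back(a.elementName());
        }
        return targets;
    }
    // Not a <Response>, policy says sign the envelope, or no assertion present:
    // sign the message element itself. front() is never reached on an empty list.
    msg.setSignature(new Signature{msg.elementName()});
    targets.push_back(msg.elementName());
    return targets;
}

int main()
{
    Response resp;   // constructed sample message
    resp.assertions.push_back(std::unique_ptr<Assertion>(new Assertion("a1")));
    std::vector<std::string> t = signMessage(resp, true);
    for (size_t i = 0; i < t.size(); ++i) std::cout << "signed " << t[i] << "\n";
    return 0;
}
```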
