mace-opensaml-users - Sigining of Assertion instead of Response
Subject: OpenSAML user discussion
List archive
- From: Andreas Vallen <>
- To:
- Subject: Sigining of Assertion instead of Response
- Date: Mon, 15 Jan 2007 13:48:16 +0100
Hello Scott,
The version of the Sun Access Manager product that we test our opensaml-based IDP against, expects the Assertion element instead of the Response element to be signed (in the case of successfull Responses).
This is clearly a Access Manager bug - it should work either way. Nevertheless a signing of the assertion element instead of the Response element could be desirable.
See below for our changes to one of the Encoder.encode methods that makes this behaviour configurable.
If you find this additional configurability is worth the added complexity, maybe it also would be possible to extract the (newly convoluted) signing behaviour into its own class to make it reusable by the various Encoders.
All the best,
Andreas
DOMElement* rootElement = NULL;
vector<Signature*> sigs;
if (credResolver && !m_simple) {
// Signature based on native XML signing.
if (request ? request->getSignature() :
statusResponse->getSignature()) {
log.debug("message already signed, skipping signature operation");
}
else {
log.debug("signing and marshalling the message");
// Build a Signature.
Signature* sig = buildSignature(credResolver, sigAlgorithm);
// Append Signature.
if (request)
{
request->setSignature(sig);
}
else
{
Response* response = NULL;
response = dynamic_cast<Response*>(statusResponse);
if ( !response ) // response is not of type <Response> but only
of
// <StatusResponseType> and thus contains no
assertion
{
log.debug("Appending Signature to Response Element.");
statusResponse->setSignature(sig);
}
else
{
log.debug("message has type 'Response'");
if (m_signAssertion)
{
log.debug("Assertion element shall be signed. Searching for contained assertion.");
opensaml::saml2::Assertion* assertion = NULL;
assertion = response->getAssertions().front();
if (assertion )
{
log.debug("Found assertion. Appending Signature element to Assertion instead of the Response Element.");
assertion->setSignature(sig);
}
else
{
log.debug("Response message contains no assertion, signing response element instead.");
response->setSignature(sig);
}
}
else
{
log.debug("Assertion shall not be signed, signing response
element.");
response->setSignature(sig);
}
}
}
sigs.push_back(sig);
}
}
--
Andreas Vallen Software Engineer
fun communications GmbH Lorenzstrasse 29 D-76135 Karlsruhe
Tel: +49 721 96448-132 Fax: +49 721 96448-299
www.fun.de
- Sigining of Assertion instead of Response, Andreas Vallen, 01/15/2007
- Re: Sigining of Assertion instead of Response, Tom Scavo, 01/15/2007
- Re: Sigining of Assertion instead of Response, Andreas Vallen, 01/15/2007
- Re: Sigining of Assertion instead of Response, Tom Scavo, 01/15/2007
- Re: Sigining of Assertion instead of Response, Andreas Vallen, 01/16/2007
- Re: Sigining of Assertion instead of Response, Tom Scavo, 01/15/2007
- Re: Sigining of Assertion instead of Response, Andreas Vallen, 01/15/2007
- RE: Sigining of Assertion instead of Response, Scott Cantor, 01/15/2007
- Re: Sigining of Assertion instead of Response, Andreas Vallen, 01/16/2007
- Re: Sigining of Assertion instead of Response, Tom Scavo, 01/16/2007
- RE: Sigining of Assertion instead of Response, Scott Cantor, 01/16/2007
- Re: Sigining of Assertion instead of Response, Andreas Vallen, 01/16/2007
- RE: Sigining of Assertion instead of Response, Scott Cantor, 01/16/2007
- Re: Sigining of Assertion instead of Response, Andreas Vallen, 01/16/2007
- Re: Sigining of Assertion instead of Response, Andreas Vallen, 01/16/2007
- Re: Sigining of Assertion instead of Response, Tom Scavo, 01/15/2007
Archive powered by MHonArc 2.6.16.