
mace-opensaml-users - RE: OpenSaml2 Library - SAML11 signature validation error

Subject: OpenSAML user discussion


RE: OpenSaml2 Library - SAML11 signature validation error


  • From: "Sankaranainar, Naveen"
  • Subject: RE: OpenSaml2 Library - SAML11 signature validation error
  • Date: Thu, 1 Feb 2007 13:45:20 -0500

Thanks Scott & Brent.
 
I used the latest XML Security library 1.4 and it works fine. It looks like it is an issue with "AssertionID".

From: Brent Putman
Sent: Thursday, February 01, 2007 12:08 AM
Subject: Re: OpenSaml2 Library - SAML11 signature validation error



Scott Cantor wrote:
>> I am getting an error while validating SAML 1.1 assertion signature. I
>> am using the OpenSaml 2 libraries (built from the svn on 12/28/06).
>
> Try using a validating parser. If that works, there's a bug and it's not
> establishing IDness in the DOM after a standard parse. I don't see anything
> in the Java code that would handle this, but I didn't write it, so can't be
> sure.


Yes, I believe Scott is right. If you're not doing schema validation, it looks like this would happen. At first glance, it looks like the Apache XML Security library's org.apache.xml.security.utils.IdResolver isn't resolving the ID reference. To handle non-validation cases, they appear to have added hardcoded support for resolving SAML 1 Assertion/@AssertionID and others (albeit inefficiently, by brute-force traversal) back in April, but we're currently still running v1.3.0 of that library, which doesn't have that, so that would explain it. I was actually just today looking at upgrading java-xmltooling to use the new XML Security lib v1.4.0 that was just released this month. I should have that in over the next few days, assuming it doesn't break other things.

I'll probably also investigate registering ID attributes with the Apache lib explicitly for more efficient lookups, when we unmarshall a DOM, if it's feasible.

Thanks for reporting this.



  
Same code works fine if I validate the signature from SAML 2.0.
    


I assume you mean validating a signed SAML 2.0 Assertion (as opposed to a 1.1 Assertion)? If so, that would be consistent: in 2.0, the attribute's local name is "ID", which the Apache 1.3.0 lib looks for by default, but in 1.1 it's "AssertionID", so it doesn't (adding that attribute name to the list searched is what they added back in April and is in v1.4.0).



--Brent
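The failure mode discussed above is a DOM "IDness" problem: a non-validating parse gives the DOM no way to know that Assertion/@AssertionID is an ID-typed attribute, so a dsig:Reference with URI="#..." cannot be resolved by Document.getElementById and an ID resolver that only knows the SAML 2.0 name "ID" falls through. The following is an added example, written for this archive page; it is not code from the thread, from OpenSAML or from Apache XML Security. It uses only the JDK's DOM (javax.xml.parsers and org.w3c.dom) and a constructed SAML 1.1 assertion skeleton with placeholder signature contents, and it shows the explicit ID registration that Brent mentions as an alternative to brute-force traversal: after a non-validating parse, getElementById returns null for the referenced ID; after marking AssertionID (and, for SAML 2.0, ID) on Assertion elements with Element.setIdAttribute, the reference resolves. The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlIdRegistration {

    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"; // shared by SAML 1.0 and 1.1
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS  = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample (not a real message): a SAML 1.1 Assertion whose enveloped
    // signature references the AssertionID. Only the Reference URI matters here; the
    // example exercises ID resolution, not cryptographic verification.
    static final String SAML11_ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML1_NS + "\""
        + " AssertionID=\"_a1b2c3\" MajorVersion=\"1\" MinorVersion=\"1\">"
        + "<ds:Signature xmlns:ds=\"" + DSIG_NS + "\">"
        + "<ds:SignedInfo><ds:Reference URI=\"#_a1b2c3\"/></ds:SignedInfo>"
        + "</ds:Signature></saml:Assertion>";

    /** Non-validating, namespace-aware parse: the parser learns nothing about ID-typed attributes. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setValidating(false);
        // Hardening unrelated to the ID issue but expected on any SAML parser: no DOCTYPE, so no XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the ID named by the first dsig:Reference, with the leading '#' removed. */
    static String referencedId(Document doc) {
        NodeList refs = doc.getElementsByTagNameNS(DSIG_NS, "Reference");
        String uri = ((Element) refs.item(0)).getAttribute("URI");
        return uri.startsWith("#") ? uri.substring(1) : uri;
    }

    /**
     * Registers the SAML ID attributes on the elements that legitimately carry them, so that
     * Document.getElementById (and any resolver built on it) can find them without a schema.
     * Deliberately keyed on (namespace, element, attribute): registering "any attribute named
     * ID on any element" would let an attacker-supplied element claim a referenced ID.
     */
    static void registerSamlIdAttributes(Document doc) {
        markId(doc, SAML1_NS, "Assertion", "AssertionID");
        markId(doc, SAML2_NS, "Assertion", "ID");
    }

    private static void markId(Document doc, String ns, String localName, String idAttr) {
        NodeList nodes = doc.getElementsByTagNameNS(ns, localName);
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            if (e.hasAttribute(idAttr)) {
                e.setIdAttribute(idAttr, true); // DOM Level 3: flag this existing attribute as an ID
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAML11_ASSERTION);
        String id = referencedId(doc);

        // Without schema validation or explicit registration, the reference does not resolve.
        Element before = doc.getElementById(id);
        System.out.println("before registration: " + (before == null ? "unresolved" : before.getLocalName()));

        registerSamlIdAttributes(doc);
        Element after = doc.getElementById(id);
        System.out.println("after registration:  " + (after == null ? "unresolved" : after.getLocalName()));
    }
}
```

Run with `javac SamlIdRegistration.java && java SamlIdRegistration`; the first line reports the ID as unresolved and the second resolves it to the Assertion element. In a real deployment the registration step belongs where the DOM is produced (the unmarshaller, as Brent suggests), before the signature library is handed the document, and it should only ever flag attributes that the relevant SAML schema declares as xs:ID.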





