mace-opensaml-users - RE: Can't validate Signature of SAML 1.0 Assertion resulting from decrypted EncryptedData

  • From: "Scott Cantor" <>
  • To: <>, <>
  • Subject: RE: Can't validate Signature of SAML 1.0 Assertion resulting from decrypted EncryptedData
  • Date: Fri, 6 Apr 2007 21:23:49 -0400
  • Organization: The Ohio State University

> I'm using OpenSAML 2 from the head (trunk) in svn (opensaml2, openws,
> xmltooling). My problem is that I can't validate a Signature on a
> SAML 1.0 Assertion that resulted from the decryption of an
> EncryptedData.

You should understand that in general, you cannot use signatures with SAML
1.0 properly. The schema was broken and the processing rules were
underspecified. Interop will be impossible. Don't do it. Use SAML 1.1 or
don't sign.

> I'm stumped. It appears that something is occurring in the Decrypter
> during unmarshalling of the Assertion that is different from when I
> unmarshall the Assertion in a test case.

The error is clearly IDness, and that's not even legal in SAML 1.0 because
the AssertionID attribute isn't an XML ID, so you cannot expect to sign by
reference that way.

When unmarshalling from a file, the library is (possibly incorrectly)
treating the attribute as an ID, either manually or because it's validating
with the SAML 1.1 schema set. That results in a valid signature (but
shouldn't if this is actually SAML 1.0).

Decryption is perhaps returning a DOM directly, and there is no way for the
IDness to be established (even incorrectly) there unless one is validating
the DOM afterward, or by unmarshalling an XMLObject tree around the DOM,
which would enable SAML-specific logic to kick in and set IDness that way.
But that should only happen if MinorVersion is 1.

There could be 2-3 different bugs between the code itself, your code, and
some kind of improper or inadvisable combination of the steps you're using.

-- Scott
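The ID-resolution failure described in the reply, reproduced as an added stand-alone example (not OpenSAML's or Scott's code): a plain DOM cannot resolve an enveloped Signature Reference of the form `#<AssertionID value>` until something has declared that attribute an XML ID, which is what schema validation or an ID-aware unmarshaller does and a raw decrypted DOM never gets. The sample assertion, the namespace constants and the `reference_target` helper are all constructed for illustration.

```python
"""A ds:Reference URI="#..." only resolves when the parser knows the
target attribute is an XML ID.  Python's minidom behaves like a plain
DOM: an attribute is an ID only if a DTD/schema declares it or the
application registers it with setIdAttribute().  Constructed example,
not OpenSAML code."""
from xml.dom import minidom

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed SAML 1.0-style assertion; SignatureValue/KeyInfo omitted
# because reference resolution, not cryptographic verification, is the point.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    AssertionID="_a1b2c3" MajorVersion="1" MinorVersion="0">
  <ds:Signature xmlns:ds="{DS_NS}">
    <ds:SignedInfo>
      <ds:Reference URI="#_a1b2c3"/>
    </ds:SignedInfo>
  </ds:Signature>
</saml:Assertion>"""


def reference_target(xml_text, id_attribute=None):
    """Parse xml_text, optionally register id_attribute on the root
    element as an XML ID, then resolve the first ds:Reference URI.
    Returns the local name of the referenced element, or None when the
    reference cannot be resolved (the 'IDness' failure)."""
    doc = minidom.parseString(xml_text)
    root = doc.documentElement
    if id_attribute is not None and root.hasAttribute(id_attribute):
        # This is the step a schema-validating parse or an ID-aware
        # unmarshaller performs; a DOM handed straight back from a
        # decrypter has had nobody do it.
        root.setIdAttribute(id_attribute)
    ref = doc.getElementsByTagNameNS(DS_NS, "Reference")[0]
    uri = ref.getAttribute("URI")
    if not uri.startswith("#"):
        return None  # only same-document fragment references handled here
    target = doc.getElementById(uri[1:])
    return None if target is None else target.localName


if __name__ == "__main__":
    print("no IDness registered :", reference_target(ASSERTION_XML))
    print("AssertionID as ID    :", reference_target(ASSERTION_XML, "AssertionID"))
```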
