
mace-opensaml-users - Response signature validation

Subject: OpenSAML user discussion


Response signature validation


  • From: Laurent CHARTIER <>
  • Subject: Response signature validation
  • Date: Fri, 20 Apr 2007 11:46:42 +0200
  • Importance: Normal

Hi all,
I got a SAML response containing a SAML assertion. The SAML response is
signed.
But when I try to validate the signature of the response with a
SignatureValidator I got an error.
Am I wrong if I think that the bytes needed to verify a SAML response
are the entire response and not only the assertion contained in the
response?

In fact, when the validation occurs, I can see the getReferencedBytes
method from the Reference class returning the bytes of the assertion,
not the bytes of the response.
So the digest value used to compare with the one in the signature seems
not to be calculated from the same bytes.
Consequently: "Signature did not validate against any public keys from
credential".

The sequence is:
  SignatureValidator.validate(signature)
    XMLSignature.checkSignatureValue(validationKey)
      XMLSignature.getSignedInfo().verify(_followManifestsDuringValidation)
        Manifest.verifyReferences(...)
          Reference.verify()
            Reference.calculateDigest
              Reference.getReferencedBytes




This message is protected by the secrecy of correspondence rules. Therefore,
this message is intended solely for the attention of the addressee. This
message may contain privileged or confidential information; as such, the
disclosure of this information is strictly forbidden. If, by mistake, you
have received this message, please return this message to the addresser
whose e-mail address is written above and destroy this message and all files
attached.


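The stack trace in the message above ends at Reference.getReferencedBytes, and that is the step that decides which bytes are digested: in an enveloped XML signature the digest does not cover "the entire response" as a byte string, it covers the element named by the ds:Reference URI, after the transforms listed in the Reference (the enveloped-signature transform removes the ds:Signature itself). If getReferencedBytes returns the Assertion, the Reference URI resolves to the Assertion's ID, not the Response's. A relying party therefore has to check where the Reference points before trusting a valid signature value, otherwise a signed Assertion dropped into an unsigned Response looks like a signed Response. The following Python model of that Reference stage is an added example, not code from the original post or from OpenSAML or Apache Santuario; it assumes SHA-256 digests, uses the standard library's C14N 2.0 serializer as a stand-in for exclusive C14N, builds its own constructed sample Response, and models only the digest stage (the RSA check that XMLSignature.checkSignatureValue performs over SignedInfo is out of scope).

```python
"""Model of the XML-DSig Reference stage (SignedInfo.verify -> Reference.verify ->
calculateDigest -> getReferencedBytes) plus the SAML profile checks a relying
party must add around it. Added example; assumptions: SHA-256, stdlib C14N 2.0
standing in for exclusive C14N, constructed sample data."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample: a Response carrying one Assertion; each has its own ID.
RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Assertion ID="_assn1" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def canonicalize(elem):
    """Stand-in for exclusive C14N (assumption): the stdlib C14N 2.0 serializer.
    What matters for this example is *which* element is serialized, not how."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def find_by_id(root, id_value):
    """Resolve a same-document reference. Ambiguous IDs are rejected so that a
    duplicated ID cannot redirect the Reference to a different element."""
    matches = [e for e in root.iter() if e.get("ID") == id_value]
    if len(matches) != 1:
        raise ValueError(f"ID {id_value!r} matched {len(matches)} elements")
    return matches[0]


def referenced_bytes(root, uri, transforms):
    """What Reference.getReferencedBytes hands to the digest: the element the
    URI names, after the transforms. Never the whole document."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    target = copy.deepcopy(find_by_id(root, uri[1:]))
    if ENVELOPED in transforms:
        # Enveloped-signature transform, simplified: drop the ds:Signature
        # children of the signed subtree before digesting it.
        for sig in target.findall(f"{{{DS}}}Signature"):
            target.remove(sig)
    return canonicalize(target)


def add_enveloped_signature(root, uri):
    """Append a ds:Signature with a single Reference to `uri` onto the Response.
    Only SignedInfo/Reference/DigestValue are produced (no SignatureValue)."""
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=uri)
    transforms = ET.SubElement(ref, f"{{{DS}}}Transforms")
    ET.SubElement(transforms, f"{{{DS}}}Transform", Algorithm=ENVELOPED)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    digest = hashlib.sha256(referenced_bytes(root, uri, [ENVELOPED])).digest()
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    return digest


def verify_response_signature(root):
    """Relying-party checks around SignedInfo.verify(): exactly one Reference,
    it must name the ID of the element that carries the Signature (the Response),
    the enveloped transform must be present, and the recomputed digest must equal
    DigestValue. Returns (ok, detail)."""
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, "Response carries no ds:Signature"
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return False, f"expected exactly one Reference, found {len(refs)}"
    ref = refs[0]
    uri = ref.get("URI", "")
    if uri != "#" + root.get("ID", ""):
        # This is the situation in the thread: the Reference covers the Assertion,
        # so the digested bytes are the Assertion's, not the Response's.
        return False, f"Reference {uri!r} does not cover the Response (ID {root.get('ID')!r})"
    transforms = [t.get("Algorithm")
                  for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    if ENVELOPED not in transforms:
        return False, "enveloped-signature transform missing"
    method = ref.find(f"{{{DS}}}DigestMethod")
    if method is None or method.get("Algorithm") != SHA256:
        return False, "unexpected DigestMethod"
    try:
        actual = hashlib.sha256(referenced_bytes(root, uri, transforms)).digest()
    except ValueError as exc:
        return False, str(exc)
    expected = base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue") or "")
    if not hmac.compare_digest(expected, actual):
        return False, "digest mismatch"
    return True, "ok"


def signed_response(reference_uri="#_resp1"):
    """Parse the constructed sample and sign it with one Reference to
    `reference_uri`; "#_assn1" reproduces the symptom from the thread."""
    root = ET.fromstring(RESPONSE_XML)
    add_enveloped_signature(root, reference_uri)
    return root


if __name__ == "__main__":
    print(verify_response_signature(signed_response()))           # (True, 'ok')
    print(verify_response_signature(signed_response("#_assn1")))  # rejected: wrong target
    tampered = signed_response()
    tampered.find(f".//{{{SAML}}}NameID").text = "mallory"
    print(verify_response_signature(tampered))                    # (False, 'digest mismatch')
```

The second call is the case from the message: the signature is attached to the Response but its Reference names the Assertion's ID, so the digest covers the Assertion's bytes and the check refuses the document before comparing any digest. Later OpenSAML releases ship a SAML signature profile validator that enforces the same properties (single Reference, URI equal to the enclosing element's ID, enveloped transform); the model here is only meant to show why those checks exist.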


