
mace-opensaml-users - RE: Response signature validation

Subject: OpenSAML user discussion


RE: Response signature validation


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Response signature validation
  • Date: Fri, 20 Apr 2007 11:04:03 -0400
  • Organization: The Ohio State University

> Am I wrong if I think that the bytes needed to verify a SAML response
> are the entire response and not only the assertion contained in the
> response?

All SAML signatures are enveloped and reference all the content of the
enclosing object. It isn't permissible to do anything more complicated
because if it were, every SAML implementation would have to have a way to
decide what's been signed and that is a virtually intractable problem.

As of SAML 1.1, the only way you can sign is to have a single Reference with
a URI pointing to the ID attribute of the root element being signed.

> In fact, when the validation occurs, I can see the getReferencesBytes
> method from the Reference class returning the bytes of the assertion,
> not the bytes of the response.

Then that's where the Reference must be pointing.

-- Scott
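The structural rule Scott describes (one enveloped ds:Signature whose single Reference points at the ID of the root element it sits in) can be checked before any cryptographic verification, and doing so is what tells you whether a signature on the Response covers the whole Response or only the Assertion inside it. The following Python is an added example written for this page; it is not OpenSAML code and not something from the thread. It performs no signature verification, it assumes the ID-typed attribute is one of ID, ResponseID, AssertionID or RequestID (SAML 2.0 and 1.1 names), and the SAML Response it checks is a constructed sample with placeholder digest and signature values. It goes one step beyond the message by also rejecting a Reference whose target ID appears more than once in the document, since a duplicate ID is the usual trick for making "what was signed" and "what was processed" differ.

```python
"""Structural check of an enveloped SAML signature: the root element must carry
exactly one ds:Signature, whose single ds:Reference points at the root's own,
unique ID. Added example for illustration; no cryptography is performed."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# Assumption: attribute names that carry an element's ID in SAML 2.0 and 1.1.
ID_ATTRS = ("ID", "ResponseID", "AssertionID", "RequestID")


def element_id(el):
    """Return the value of whichever ID-typed attribute the element carries, or None."""
    for name in ID_ATTRS:
        if name in el.attrib:
            return el.attrib[name]
    return None


def local_name(el):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return el.tag.rsplit("}", 1)[-1]


def check_enveloped_signature(xml_text):
    """Return (ok, detail). ok is True only when the signature is enveloped in the
    root, has exactly one Reference, that Reference is a same-document URI naming
    the root's own ID, the ID occurs once, and the enveloped transform is present."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(f"{{{DS}}}Signature")          # direct children only
    if len(sigs) != 1:
        return False, f"root <{local_name(root)}> has {len(sigs)} ds:Signature children, expected 1"
    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return False, f"expected exactly one ds:Reference, found {len(refs)}"
    ref = refs[0]
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return False, f"Reference URI {uri!r} is not a same-document ID reference"
    target_id = uri[1:]
    # Every element in the document (root included) carrying that ID.
    matches = [el for el in root.iter() if element_id(el) == target_id]
    if len(matches) != 1:
        return False, f"ID {target_id!r} occurs {len(matches)} times; it must be unique"
    if matches[0] is not root:
        return False, f"Reference covers <{local_name(matches[0])}>, not the enclosing <{local_name(root)}>"
    transforms = [t.get("Algorithm") for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    if ENVELOPED not in transforms:
        return False, "enveloped-signature transform missing from the Reference"
    return True, f"signature covers the whole <{local_name(root)}> ({uri})"


def sample_response(reference_uri):
    """Constructed SAML 2.0 Response carrying an enveloped Signature; the Reference
    URI is a parameter so the same document can show both outcomes. Sample data
    only: DigestValue and SignatureValue are placeholders, not real values."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2007-04-20T15:04:03Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="{reference_uri}">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2007-04-20T15:04:03Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Signature on the Response that really covers the Response...
    print(check_enveloped_signature(sample_response("#_resp1")))
    # ...versus the situation in the question: Reference points at the Assertion.
    print(check_enveloped_signature(sample_response("#_asrt1")))
    # A duplicated ID is rejected before the Reference is resolved.
    dup = sample_response("#_resp1").replace('ID="_asrt1"', 'ID="_resp1"')
    print(check_enveloped_signature(dup))
```

If the second case is what your validator reports, the signature bytes you are getting back are correct for what was signed: the Reference names the Assertion, so only the Assertion is covered, and nothing in the Response outside it is protected by that signature.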





