OpenSAML user discussion

["Scott Cantor" <>]

> Am I wrong if I think that the bytes needed to verify a SAML response
> are the entire reponse and not only the assertion contained in the
> response?

All SAML signatures are enveloped and reference all the content of the
enclosing object. It isn't permissible to do anything more complicated
because if it were, every SAML implementation would have to have a way to
decide what's been signed and that is a virtually intractable problem.

As of SAML 1.1, the only way you can sign is to have a single Reference with
a URI pointing to the ID attribute of the root element being signed.

> In facts, when the validation occurs, I can see the getReferencesBytes
> method from the Reference class returning the bytes of the assertion,
> not the bytes of the response.

Then that's where the Reference must be pointing.

-- Scott