
mace-opensaml-users - RE : Response signature validation

Subject: OpenSAML user discussion


RE : Response signature validation


  • From: Laurent CHARTIER <>
  • To:
  • Subject: RE : Response signature validation
  • Date: Fri, 20 Apr 2007 17:41:13 +0200
  • Importance: Normal

I think I found my error.
The response AND the assertion had the same ID. (Because my software always
generates an assertion, but sometimes needs to put it in a response...)
So when I put the assertion in a response I have to remove the ID and
set it on the response, so that the reference points to the response and
NOT to the assertion inside the response.

Thanks a lot,
Laurent

-----Original Message-----
From: Scott Cantor
[mailto:]

Sent: Friday, 20 April 2007 17:04
To:

Subject: RE: Response signature validation


> Am I wrong if I think that the bytes needed to verify a SAML response
> are the entire response and not only the assertion contained in the
> response?

All SAML signatures are enveloped and reference all the content of the
enclosing object. It isn't permissible to do anything more complicated
because if it were, every SAML implementation would have to have a way
to decide what's been signed and that is a virtually intractable
problem.

As of SAML 1.1, the only way you can sign is to have a single Reference
with a URI pointing to the ID attribute of the root element being
signed.

> In fact, when the validation occurs, I can see the getReferencesBytes
> method from the Reference class returning the bytes of the assertion,
> not the bytes of the response.

Then that's where the Reference must be pointing.

-- Scott

This message is protected by the secrecy of correspondence rules. Therefore,
this message is intended solely for the attention of the addressee. This
message may contain privileged or confidential information, as such the
disclosure of this information is strictly forbidden. If, by mistake, you
have received this message, please return this message to the addresser
whose e-mail address is written above and destroy this message and all files
attached.
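The failure mode this thread settles on (the Response and the enclosed Assertion carrying the same ID, so the signature's single same-document Reference no longer identifies the root element unambiguously) is easy to catch before any digest or signature value is checked. The following is an added example, not code from the thread or from OpenSAML: a small Python check, using only the standard library, that resolves the enveloped signature's Reference URI against every ID-typed attribute in the message and reports whether it lands on exactly the root element. The SAML 2.0 namespaces, the assumed set of ID-typed attribute names (`ID` for SAML 2.0 plus the SAML 1.x `AssertionID`/`ResponseID`/`RequestID` names), the issuer URL and the `build_response` helper that constructs the sample message are all this example's own assumptions; the digest and signature values are placeholders because only Reference resolution is exercised.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the constructed sample (SAML 2.0 plus XML-DSig).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Attributes treated as ID-typed: "ID" in SAML 2.0 plus the SAML 1.x names.
# Assumed set for this example; a real validator takes it from the schema.
ID_ATTRS = ("ID", "AssertionID", "ResponseID", "RequestID")


def build_response(response_id, assertion_id, reference_uri):
    """Constructed sample: a Response carrying an Assertion, with an enveloped
    Signature on the Response. Digest/signature values are placeholders."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="{response_id}" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="{reference_uri}">
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="{assertion_id}" Version="2.0">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def collect_ids(root):
    """Map every ID-typed attribute value to the elements carrying it.
    A value mapped to more than one element is the duplicate-ID bug."""
    ids = {}
    for el in root.iter():  # iter() includes the root element itself
        for attr in ID_ATTRS:
            value = el.get(attr)
            if value is not None:
                ids.setdefault(value, []).append(el)
    return ids


def check_signature_reference(xml_text):
    """Return a status for the enveloped signature on the root element.

    'ok'                  the single Reference resolves to exactly the root
    'ambiguous-id'        more than one element carries the referenced ID
    'reference-not-root'  the Reference resolves to a descendant, not the root
    'unresolved'          no element carries the referenced ID
    'bad-reference'       not exactly one same-document ("#id") Reference
    'no-signature'        the root carries no enveloped ds:Signature
    """
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return "no-signature"
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    # SAML signing uses exactly one Reference whose URI is "#<root ID>".
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        return "bad-reference"
    target_id = refs[0].get("URI")[1:]
    matches = collect_ids(root).get(target_id, [])
    if not matches:
        return "unresolved"
    if len(matches) > 1:
        return "ambiguous-id"
    return "ok" if matches[0] is root else "reference-not-root"


if __name__ == "__main__":
    cases = {
        "distinct IDs, Reference to the Response": ("_resp1", "_assn1", "#_resp1"),
        "same ID on Response and Assertion": ("_same", "_same", "#_same"),
        "Reference points at the Assertion": ("_resp1", "_assn1", "#_assn1"),
    }
    for label, args in cases.items():
        print(f"{label}: {check_signature_reference(build_response(*args))}")
```

The second case is the situation described in the thread: both elements carry the same value, so a validator that resolves the Reference by walking the document can return whichever element it meets first, which is how the Assertion's bytes ended up being digested instead of the Response's. Rejecting the message on `ambiguous-id` (and on `reference-not-root`) before the cryptographic check runs keeps the "what was signed" question simple, which is exactly the property Scott's reply says the SAML signing rules are designed to guarantee.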