
mace-opensaml-users - Re: RE : Response signature validation

Subject: OpenSAML user discussion


Re: RE : Response signature validation


  • From: Chad La Joie <>
  • To:
  • Subject: Re: RE : Response signature validation
  • Date: Fri, 20 Apr 2007 11:49:22 -0400
  • Organization: University Information Systems

Yeah, those attributes are both DOM ID attributes, which must be unique
within a DOM. So if you have two different elements with the same ID,
that's going to cause problems.

Laurent CHARTIER wrote:
> I think I found my error.
> The response AND the assertion had the same ID. (Because my software always
> generates an assertion, but sometimes needs to put it in a response...)
> So when I put the assertion in a response I have to remove the ID and
> set it on the response in order to make the reference point to the
> response and NOT to the assertion in the response.
>
> Thanks a lot,
> Laurent
>
> -----Original Message-----
> From: Scott Cantor
> [mailto:]
>
> Sent: Friday, 20 April 2007 17:04
> To:
>
> Subject: RE: Response signature validation
>
>
>> Am I wrong if I think that the bytes needed to verify a SAML response
>> are the entire response and not only the assertion contained in the
>> response?
>
> All SAML signatures are enveloped and reference all the content of the
> enclosing object. It isn't permissible to do anything more complicated
> because if it were, every SAML implementation would have to have a way
> to decide what's been signed and that is a virtually intractable
> problem.
>
> As of SAML 1.1, the only way you can sign is to have a single Reference
> with a URI pointing to the ID attribute of the root element being
> signed.
>
>> In fact, when the validation occurs, I can see the getReferencesBytes
>> method from the Reference class returning the bytes of the assertion,
>> not the bytes of the response.
>
> Then that's where the Reference must be pointing.
>
> -- Scott
>
> This message is protected by the secrecy of correspondence rules.
> Therefore, this message is intended solely for the attention of the
> addressee. This message may contain privileged or confidential information,
> as such the disclosure of this information is strictly forbidden. If, by
> mistake, you have received this message, please return this message to the
> addresser whose e-mail address is written above and destroy this message
> and all files attached.
>

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
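The check that Scott's answer implies, written out as an added example (Python over the standard library, not OpenSAML code and not anything from the thread): resolve the signature's single Reference URI against every ID-typed attribute in the document, require exactly one match, and require that match to be the root element being verified. The SAML 1.1 namespaces, the set of attribute names treated as ID-typed (ID, ResponseID, AssertionID, RequestID) and the three sample responses are assumptions constructed for this example; digest and signature values are placeholders because only reference resolution is exercised.

```python
"""Enveloped XML Signature reference check for a SAML response.

Added example, not OpenSAML code: shows how a duplicate ID on the Response
and its Assertion makes the single Reference ambiguous, and how the fixed
document resolves to the root. Standard library only."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed set of xs:ID-typed attributes in SAML 1.1 / 2.0 protocol and
# assertion documents; a Reference URI="#x" may resolve against any of them.
ID_ATTRS = ("ID", "ResponseID", "AssertionID", "RequestID")


def elements_with_id(root, ident):
    """Return every element in the tree whose ID-typed attribute equals ident."""
    return [e for e in root.iter() if any(e.get(a) == ident for a in ID_ATTRS)]


def check_enveloped_reference(xml_text):
    """Return (ok, reason). ok is True only when the root element carries an
    enveloped ds:Signature whose single Reference points, via an ID that is
    unique in the document, back at that root element."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, "no enveloped ds:Signature on the root element"
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return False, f"expected exactly one Reference, found {len(refs)}"
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        return False, f"Reference URI must be a same-document fragment, got {uri!r}"
    matches = elements_with_id(root, uri[1:])
    if len(matches) != 1:
        return False, f"ID {uri[1:]!r} matches {len(matches)} elements; must be exactly one"
    if matches[0] is not root:
        return False, f"Reference resolves to <{matches[0].tag}>, not the root element being verified"
    return True, "Reference covers the root element"


def build_response(response_id, assertion_id, ref_uri):
    """Constructed SAML 1.1 Response; DigestValue/SignatureValue are placeholders."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="{DS}" ResponseID="{response_id}" MajorVersion="1" MinorVersion="1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="{ref_uri}"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="{assertion_id}" MajorVersion="1" MinorVersion="1"/>
</samlp:Response>"""


# The situation from the thread: the assertion's ID was reused on the response.
BUGGY = build_response("_a1b2c3", "_a1b2c3", "#_a1b2c3")
# The fix: distinct IDs, with the Reference pointing at the Response's own ID.
FIXED = build_response("_resp01", "_asrt01", "#_resp01")
# A Reference that covers only the assertion leaves the rest of the response unsigned.
ASSERTION_ONLY = build_response("_resp01", "_asrt01", "#_asrt01")

if __name__ == "__main__":
    for name, doc in (("buggy", BUGGY), ("fixed", FIXED), ("assertion-only", ASSERTION_ONLY)):
        print(f"{name:15s} {check_enveloped_reference(doc)}")
```

The duplicate-ID case is rejected outright rather than resolved to whichever element a lookup happens to return first; silently taking the first match is exactly how the reference ends up covering only the assertion bytes, as reported above, while the remainder of the response goes unverified. In a real verifier this resolution has to run on the same DOM the signature library validates against.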


