Skip to Content.
Sympa Menu

mace-opensaml-users - Re: RE : Response signature validation

Subject: OpenSAML user discussion

List archive

Re: RE : Response signature validation

Chronological Thread 
  • From: Chad La Joie <>
  • To:
  • Subject: Re: RE : Response signature validation
  • Date: Fri, 20 Apr 2007 11:49:22 -0400
  • Organization: University Information Systems

yeah, those attributes are both DOM ID attributes which must be unique
within a DOM. So if you have two different elements with the same ID
that's going to cause problems.

Laurent CHARTIER wrote:
> I think I found my error.
> The response AND the assertion had the same ID. (Because my soft always
> generate an assertion, but sometimes need to put it in a response...)
> So when I put the assertion in a response I have to remove the ID and
> set it to the response in order to make the reference point to the
> response and NOT to the assertion in the response.
> Thanks a lot,
> Laurent
> -----Message d'origine-----
> De : Scott Cantor
> [mailto:]
> Envoyé : vendredi 20 avril 2007 17:04
> À :
> Objet : RE: Response signature validation
>> Am I wrong if I think that the bytes needed to verify a SAML response
>> are the entire reponse and not only the assertion contained in the
>> response?
> All SAML signatures are enveloped and reference all the content of the
> enclosing object. It isn't permissible to do anything more complicated
> because if it were, every SAML implementation would have to have a way
> to decide what's been signed and that is a virtually intractable
> problem.
> As of SAML 1.1, the only way you can sign is to have a single Reference
> with a URI pointing to the ID attribute of the root element being
> signed.
>> In facts, when the validation occurs, I can see the getReferencesBytes
>> method from the Reference class returning the bytes of the assertion,
>> not the bytes of the response.
> Then that's where the Reference must be pointing.
> -- Scott
> Ce message est protégé par les règles relatives au secret des
> correspondances. Il est donc établi à destination exclusive de son
> destinataire. Celui-ci peut donc contenir des informations confidentielles.
> La divulgation de ces informations est à ce titre rigoureusement interdite.
> Si vous avez reçu ce message par erreur, merci de le renvoyer à
> l'expéditeur dont l'adresse e-mail figure ci-dessus et de détruire le
> message ainsi que toute pièce jointe.
> This message is protected by the secrecy of correspondence rules.
> Therefore, this message is intended solely for the attention of the
> addressee. This message may contain privileged or confidential information,
> as such the disclosure of these informations is strictly forbidden. If, by
> mistake, you have received this message, please return this message to the
> addressser whose e-mail address is written above and destroy this message
> and all files attached.

Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124

Archive powered by MHonArc 2.6.16.

Top of Page