
mace-opensaml-users - RE: A suggestion about digital signatures

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: A suggestion about digital signatures
  • Date: Wed, 19 Sep 2007 11:09:27 -0400
  • Organization: The Ohio State University

> My question is: for you, this token is correct?

I don't think it's generally acceptable to send two assertions in one token
element, no. I could be wrong though. There are no profiles for using
WS-Trust to do much of anything, other than Cardspace, so there's no answer
to that question. You can send a ham sandwich in there and it would be
"correct".

> in the ds:Signature I've the reference of the assertion twice:

I think that was a bug fixed a while back.

> When, in the client, I validate the assertions, the first, validates OK,
> the second (the attribute assertion) fails, because in the signature block
> there is still the response reference, that is not present in the
> <requestedSecurityToken>. How can I detach this signature in the identity
> provider?

A SAML signature is always inside what it signs and never references
anything else. There can't be two references, and there would never be a
reference to a response inside an assertion.

-- Scott
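
The rule stated in the reply above (a SAML signature sits inside the element it signs and carries exactly one reference, to that element) can be checked structurally before any cryptographic validation. This is an added example, not part of the original message or of OpenSAML; the function name and the sample token are constructed for illustration, and it checks structure only, not the signature value.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# SAML 2.0 uses ID; SAML 1.x uses AssertionID / ResponseID / RequestID.
ID_ATTRS = ("ID", "AssertionID", "ResponseID", "RequestID")

# Constructed sample modelled on the token described in the thread: two
# assertions in one token element, the second with a stray second Reference.
SAMPLE = """
<wst:RequestedSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion AssertionID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
  <saml:Assertion AssertionID="_a2">
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#_a2"/><ds:Reference URI="#_resp1"/>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</wst:RequestedSecurityToken>
"""

def check_signature_references(xml_text):
    """Return (element id, problem) for every ds:Signature that does not carry
    exactly one Reference pointing at the element that contains it."""
    root = ET.fromstring(xml_text)
    problems = []
    for parent in root.iter():
        for sig in parent.findall(DS + "Signature"):
            own_id = next((parent.get(a) for a in ID_ATTRS if parent.get(a)), None)
            refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
            uris = [r.get("URI", "") for r in refs]
            if own_id is None:
                problems.append((None, "signed element has no ID attribute"))
            elif len(uris) != 1:
                problems.append((own_id, f"expected 1 Reference, found {len(uris)}"))
            elif uris[0] != "#" + own_id:
                problems.append((own_id, f"Reference {uris[0]!r} is not the parent"))
    return problems

if __name__ == "__main__":
    for element_id, problem in check_signature_references(SAMPLE):
        print(element_id, problem)
```

A token that fails this check should be rejected before signature verification is attempted, since the verifier would otherwise have to decide what a reference to an absent element means.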




