
mace-opensaml-users - Re: signature validation in OpenSAML2

Subject: OpenSAML user discussion


Re: signature validation in OpenSAML2


  • From: Brent Putman <>
  • To:
  • Subject: Re: signature validation in OpenSAML2
  • Date: Tue, 11 Dec 2007 13:58:00 -0500



Scott Cantor wrote:
> If SignedInfo changes, I'd start by making sure you were using exclusive
> c14n everywhere, including for the overall signature c14n, not just as a
> transform.

Oh, good catch, Scott.

From the code that was originally posted, looks like you were in fact
using inclusive canonicalization, sorry I didn't catch that when I
looked at it the first time. So it's probably including namespaces from
the SOAP envelope, which is breaking things when you verify the
Assertion in the context where it's encapsulated within the WSS header.
Try the exclusive c14n URI for the Signature's canonicalization method:

http://www.w3.org/2001/10/xml-exc-c14n#

FYI, for signable SAML objects in OpenSAML, the c14n transform is
automatically added to the associated ContentReference and is always the
exclusive one.

BTW, we have SignatureConstants and EncryptionConstants classes with
most/all of these algorithm URIs in them.
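The namespace-inheritance effect Brent describes above, shown as an added example that is not code from this thread and not OpenSAML's own code: a toy model in Python of the one rule that separates inclusive C14N from exclusive C14N, run over a constructed assertion first on its own and then wrapped in a SOAP/WS-Security header. Inclusive C14N renders every namespace declaration in scope at ds:SignedInfo, so the canonical bytes (and therefore the SignatureValue) change when the SOAP and wsse declarations come into scope; exclusive C14N renders only the prefixes the element itself uses, so the bytes are identical in both contexts. The sample documents, the element and function names, and the simplified serialiser are assumptions made for the illustration; only the algorithm and namespace URIs are real, and this is not a full canonicalizer.

```python
"""Toy model of why inclusive C14N breaks a signature once the signed element
is re-enveloped, while exclusive C14N does not.

Added example; not code from the mailing-list thread or from OpenSAML. Only
the namespace-declaration rule that distinguishes inclusive C14N
(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) from exclusive C14N
(http://www.w3.org/2001/10/xml-exc-c14n#) is modelled. No attribute-value
escaping, no C14N attribute ordering, comments and PIs are ignored.
"""
import hashlib
import xml.dom.minidom as minidom

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a SAML assertion carrying a ds:Signature, standalone ...
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1">'
    '<saml:Issuer>idp.example.org</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#a1"/>'
    '</ds:SignedInfo>'
    '</ds:Signature>'
    '</saml:Assertion>'
)
# ... and the identical bytes wrapped in a SOAP envelope / wsse:Security header.
ENVELOPED = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Header>'
    '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    + ASSERTION +
    '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
)


def _is_ns_decl(name):
    return name == "xmlns" or name.startswith("xmlns:")


def _namespace_scope(elem):
    """Inclusive view: every xmlns declaration in scope at elem, walked from the
    document root downwards so that inner declarations override outer ones."""
    chain, node = [], elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for node in reversed(chain):
        attrs = node.attributes
        for i in range(attrs.length):
            attr = attrs.item(i)
            if attr.name == "xmlns":
                scope[""] = attr.value
            elif attr.name.startswith("xmlns:"):
                scope[attr.name[len("xmlns:"):]] = attr.value
    return scope


def _visibly_utilized(elem):
    """Exclusive view: only the prefix of elem itself and of its non-xmlns
    attributes count as used; nothing is inherited from ancestors."""
    used = {elem.prefix or ""}
    attrs = elem.attributes
    for i in range(attrs.length):
        name = attrs.item(i).name
        if not _is_ns_decl(name) and ":" in name:
            used.add(name.split(":", 1)[0])
    return used


def canonicalize(elem, exclusive):
    """Serialise elem's subtree, emitting xmlns declarations the way the chosen
    algorithm would. `rendered` holds declarations already written on an output
    ancestor so they are not repeated on descendants."""
    def render(node, rendered):
        scope = _namespace_scope(node)
        if exclusive:
            wanted = {p: u for p, u in scope.items() if p in _visibly_utilized(node)}
        else:
            wanted = scope
        decls = {p: u for p, u in wanted.items() if rendered.get(p) != u}
        inner = dict(rendered)
        inner.update(decls)
        attrs = node.attributes
        plain = sorted((attrs.item(i).name, attrs.item(i).value)
                       for i in range(attrs.length)
                       if not _is_ns_decl(attrs.item(i).name))
        out = ["<", node.tagName]
        for prefix in sorted(decls):
            out.append(' xmlns%s="%s"' % (":" + prefix if prefix else "", decls[prefix]))
        for name, value in plain:
            out.append(' %s="%s"' % (name, value))
        out.append(">")
        for child in node.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                out.append(render(child, inner))
            elif child.nodeType == child.TEXT_NODE:
                out.append(child.data)
        out.append("</%s>" % node.tagName)
        return "".join(out)
    return render(elem, {})


def canonical_signed_info(xml_text, exclusive):
    """Locate ds:SignedInfo in xml_text and return its canonical form."""
    doc = minidom.parseString(xml_text)
    signed_info = doc.getElementsByTagNameNS(DS_NS, "SignedInfo")[0]
    return canonicalize(signed_info, exclusive)


def signed_info_digest(xml_text, exclusive):
    """Hash of the canonical SignedInfo: the bytes a SignatureValue is computed over."""
    data = canonical_signed_info(xml_text, exclusive).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for label, exclusive in (("inclusive", False), ("exclusive", True)):
        alone = signed_info_digest(ASSERTION, exclusive)
        wrapped = signed_info_digest(ENVELOPED, exclusive)
        verdict = "MATCH" if alone == wrapped else "MISMATCH"
        print("%-9s standalone=%s enveloped=%s %s" % (label, alone[:16], wrapped[:16], verdict))
        print("   ", canonical_signed_info(ENVELOPED, exclusive)[:140])
```

Running it prints a MISMATCH for the inclusive case and a MATCH for the exclusive one; the inclusive canonical SignedInfo taken from the enveloped document starts with xmlns:ds, xmlns:saml, xmlns:soap and xmlns:wsse declarations, which is exactly what the verifier in the WSS header context hashes and the signer never saw. Real C14N has more rules than this model (attribute ordering by namespace URI, escaping, InclusiveNamespaces PrefixList for exclusive C14N), but the namespace-context dependence is the part that matters for the failure discussed here.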





