
mace-opensaml-users - Re: Reference Node in Signature Duplicated

Subject: OpenSAML user discussion

  • From: Paul Hethmon <>
  • To: Brent Putman <>
  • Cc: OpenSAML List <>
  • Subject: Re: Reference Node in Signature Duplicated
  • Date: Thu, 10 Jan 2008 12:19:41 -0500

SAML 2.0 PHP Relying Party

I am not a PHP programmer, but I’m trying to help someone who is working against my IdP, so I’m not sure exactly what they are using here. There is a library of PHP XML security code included which has a Sun copyright in it. I can see the code they are using, I just don’t understand enough PHP syntax to tell if they compare it properly. To me there is nothing obvious there stripping off the # symbol in the URI or adding it to the ID attribute before comparisons.

They do have updated code which we have not put in yet (but will later today). I don’t see a diff between the functions in the two files though. I’ll give an update on that later.

Paul



On 1/10/08 12:08 PM, "Brent Putman" <> wrote:

To add to what Chad and Scott just said.  Out of curiosity, do we know what Sun is using for XML Signature validation (an existing library, their own code, etc)?   I'm not familiar with Sun's product.   From the link that you sent out, are you using the "SAML 2.0 PHP Relying Party" or the "PHP Client SDK for OpenSSO" or what?

--Brent

Paul Hethmon wrote:
Ok, to go slightly off-topic here and more into the general SAML realm, but I think it is relevant. The error from the Sun library on “reference validation failed” turned out to be that my assertion ID values were done as:
 
  ID="acmeidp123456789"
 
Then per spec, the OpenSAML library generated the Reference URI value as:
 
  URI="#acmeidp123456789"
 
By simply changing my ID value to have the # symbol in front, this error went away. Section 5.4.2 of the saml-core document says that OpenSAML and my code are correct. Sun evidently thinks differently.
 
Opinions?
 
Thanks,
 
Paul
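
The same-document reference resolution discussed in this thread, as an added example that is not part of the original messages and is not code from OpenSAML or the Sun library. The sample assertion is constructed, and `resolve_reference`, `RefError` and the issuer URL are hypothetical names chosen for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (signature contents trimmed to the Reference).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}"
    ID="acmeidp123456789" Version="2.0" IssueInstant="2008-01-10T17:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#acmeidp123456789"/>
  </ds:SignedInfo></ds:Signature>
</saml:Assertion>"""


class RefError(ValueError):
    """The signature Reference does not identify the signed element."""


def resolve_reference(root):
    """Return the element named by the signature's same-document Reference.

    Hypothetical helper: checks the shape SAML core 5.4.2 describes, i.e. the
    URI is '#' + the ID attribute value of the signed root element.
    """
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        raise RefError("no ds:Signature child on the signed element")
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        raise RefError(f"expected exactly one Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise RefError(f"not a same-document reference: {uri!r}")
    wanted = uri[1:]  # the fragment is the ID value; '#' is URI syntax only
    matches = [el for el in root.iter() if el.get("ID") == wanted]
    if len(matches) != 1:
        raise RefError(f"ID {wanted!r} matched {len(matches)} elements")
    if matches[0] is not root:
        raise RefError("Reference does not point at the signed root element")
    return matches[0]


if __name__ == "__main__":
    print(resolve_reference(ET.fromstring(SAMPLE)).tag)
```

An assertion whose ID attribute itself carries the `#` fails this check, because the fragment after `#` in the URI no longer equals the ID value.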
 
 
 
 




