mace-opensaml-users - Problems signing/validating metadata
- From: Manuela Stanica <>
- Subject: Problems signing/validating metadata
- Date: Mon, 11 Feb 2008 13:55:20 +0100
Hi,
I'm having quite a bit of trouble with validating and signing metadata. I've tried two things:
1. Signing (using the OpenSAML 2.0 Java API) a metadata document created and marshalled with OpenSAML 2. In this case, I'm getting an EntityDescriptor which I have no trouble marshalling and unmarshalling and which to my knowledge includes the required XML fields. When I try signing the document (which implies validation as well), I get the following error:
ERROR org.opensaml.xml.signature.Signer - An error occured computing the digital signature
org.apache.xml.security.signature.XMLSignatureException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Cannot resolve element with ID null
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID null
at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
at org.opensaml.xml.signature.Signer.signObject(Signer.java:76)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:286)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:253)
at test.SignatureTest.main(SignatureTest.java:55)
.............
INFO net.geant.edugain.validation.SAMLSigner - SAML object signed with key #6603384152749567654
INFO net.geant.edugain.base.Configurator - keystore loaded: java.security.KeyStore@517a05
INFO net.geant.edugain.validation.Validator - default validator loaded
ERROR net.geant.edugain.validation.Validator - document does not validate against SAML10 schema
I haven't figured out what the problem might be, help would be much appreciated.
2. Signing an example metadata XML file, which is almost the same as the first EntityDescriptor example from the OASIS Metadata for SAML 2.0 spec, so it should be correct, and I can successfully unmarshal it. I'm enclosing the file as an attachment. In this case, I get a different kind of error, which I haven't been able to solve either:
java.lang.NullPointerException
at java.util.TreeMap.compare(TreeMap.java:1093)
at java.util.TreeMap.put(TreeMap.java:465)
at java.util.TreeSet.add(TreeSet.java:210)
at java.util.AbstractCollection.addAll(AbstractCollection.java:318)
at java.util.TreeSet.addAll(TreeSet.java:258)
at java.util.TreeSet.<init>(TreeSet.java:143)
at org.apache.xml.security.transforms.params.InclusiveNamespaces.<init>(Unknown Source)
at org.opensaml.common.impl.SAMLObjectContentReference.processExclusiveTransform(SAMLObjectContentReference.java:172)
at org.opensaml.common.impl.SAMLObjectContentReference.createReference(SAMLObjectContentReference.java:142)
at org.opensaml.xml.signature.impl.SignatureMarshaller.createSignatureElement(SignatureMarshaller.java:114)
at org.opensaml.xml.signature.impl.SignatureMarshaller.marshall(SignatureMarshaller.java:69)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:317)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:225)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:131)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:87)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:281)
at net.geant.edugain.validation.SAMLSigner.sign(SAMLSigner.java:253)
at test.SignatureTest.main(SignatureTest.java:55)
So it seems I'm stuck in both cases and would be grateful for any help! Thanks.
Manuela
Attachment:
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://IdentityProvider.com/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://IdentityProvider.com/SAML/AA/SOAP"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
    </saml:Attribute>
  </md:AttributeAuthorityDescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Identity Providers R US</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Identity Providers R US, a Division of Lerxst Corp.</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://IdentityProvider.com</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
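Added example, written against the OpenSAML 2 Java API the post uses; it is not code from the post or from the OpenSAML project. The first trace reports a Reference to element ID null, so the example gives the EntityDescriptor an ID before marshalling and signing, and shows the consumer-side check that a relying party should run on received metadata; the signing credential (BasicX509Credential) is assumed to be loaded elsewhere, and the bootstrap and identifier generator are the ones OpenSAML 2 ships.

```java
import java.security.KeyStore;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.w3c.dom.Element;

/** Added example: sign an EntityDescriptor with OpenSAML 2 and verify it; not code from the post. */
public final class MetadataSigning {
    static { // the OpenSAML 2 registry must be initialised once before any builder/marshaller call
        try { DefaultBootstrap.bootstrap(); } catch (Exception e) { throw new ExceptionInInitializerError(e); }
    }
    /** The signature Reference URI is "#" + ID; an unset ID yields "Cannot resolve element with ID null". */
    static void ensureId(EntityDescriptor ed) throws Exception {
        if (ed.getID() == null || ed.getID().length() == 0) {
            ed.setID(new SecureRandomIdentifierGenerator().generateIdentifier());
        }
    }
    /** Signer side: attach a Signature, marshal to DOM, then compute the signature over that DOM. */
    static Element sign(EntityDescriptor ed, BasicX509Credential cred) throws Exception {
        ensureId(ed);
        Signature sig = (Signature) Configuration.getBuilderFactory()
                .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        ed.setSignature(sig);
        // Marshal first: marshalling builds the ds:Signature element and its Reference; signing follows.
        Element root = Configuration.getMarshallerFactory().getMarshaller(ed).marshall(ed);
        Signer.signObject(sig);
        return root;
    }
    /** Consumer side: enforce the SAML signature profile (one enveloped Reference to the root's ID) before the crypto. */
    static void verify(EntityDescriptor ed, BasicX509Credential trusted) throws Exception {
        Signature sig = ed.getSignature();
        if (sig == null) throw new IllegalStateException("metadata is not signed");
        new SAMLSignatureProfileValidator().validate(sig);
        // The trusted key comes from out-of-band configuration, never from the document's own KeyInfo.
        new SignatureValidator(trusted).validate(sig);
    }
}
```

Both validators throw a ValidationException on failure, so a caller treats any exception from verify() as "reject the metadata".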