
mace-opensaml-users - RE: Reference Node in Signature Duplicated

Subject: OpenSAML user discussion


RE: Reference Node in Signature Duplicated


  • From: "Sankaranainar, Naveen" <>
  • To: <>
  • Subject: RE: Reference Node in Signature Duplicated
  • Date: Thu, 3 Apr 2008 23:03:05 -0400
  • Importance: normal
  • Priority: normal

I ran into the same duplicate "<ds:Reference>" issue. I have attached the SAML
response document that I federated to Google, and the Google ACS rejected it
because of the duplicate reference. Any input on what could be wrong? I am
calling the Signer object to sign the response document, not adding any
reference manually.

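protected void signDocument(XMLObject xmlObject, Signature signature) throws FedHubException {
    // Marshall the object to DOM first; the signature is computed over the marshalled form.
    Marshaller marshaller = marshallerFactory.getMarshaller(xmlObject);
    try {
        marshaller.marshall(xmlObject);
    } catch (MarshallingException e) {
        // Note: a marshalling failure is only logged here, so signing below still runs.
        LogManager.error("Exception on marshalling the document: ", e);
    }
    // Compute the signature value over the marshalled DOM.
    Signer.signObject(signature);
}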

Thanks in advance!

Naveen


From: Chad La Joie
Sent: Thursday, January 10, 2008 11:18 AM
Subject: Re: Reference Node in Signature Duplicated

The Shib IdP on my test machine, which is using the latest OpenSAML code,
doesn't have duplicate references.

Is your code adding any references? The OpenSAML code takes care of all the
reference objects for SAML compliant signatures (so you don't have to do it).

Paul Hethmon wrote:
> Ok, not sure where this is getting done, whether it's my use of the
> OpenSAML code or the OpenSAML code. I'm trying to get my IdP
> implementation (Java) working with the Lightbulb PHP SP
> (http://opensso.dev.java.net/public/extensions/) code from Sun. What I
> am seeing is an error from their library saying:
>
> Error: Reference validation failed
>
> Tracing through their code, it appears that it is saying there is a
> problem with the <ds:Reference> node in the signature. I then took a
> look at what I'm generating and I see two identical <ds:Reference>
> nodes (xml at the end of this message).
>
> I looked through my signature generating code and don't see anything
> which looks like it ought to cause two Reference nodes to be emitted.
> So does anyone know of anything I should look for in my code? Does
> anyone have an IdP using the Java libs that does *not* send out two
> Reference nodes?
>
> For reference, my OpenSAML Java code was updated today (2008-01-10).
>
> Thanks,
>
> Paul
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     Destination="http://www.acmemls.com:80/recv-saml.jsp"
>     ID="acmeidp1199978583569"
>     InResponseTo="acmemls1199978573054"
>     IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
>   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
>   <samlp:Status>
>     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>   </samlp:Status>
>   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>       ID="acmeidp1199978583569"
>       IssueInstant="2008-01-10T15:23:03.569Z" Version="2.0">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.acmeidp.com</saml:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:CanonicalizationMethod
>             Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>         <ds:SignatureMethod
>             Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>         <ds:Reference URI="#acmeidp1199978583569"
>             xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:Transform
>                 Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>             <ds:Transform
>                 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>               <ec:InclusiveNamespaces
>                   xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                   PrefixList="ds saml"/>
>             </ds:Transform>
>           </ds:Transforms>
>           <ds:DigestMethod
>               Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>               xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>           <ds:DigestValue
>               xmlns:ds="http://www.w3.org/2000/09/xmldsig#">6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
>         </ds:Reference>
>         <ds:Reference URI="#acmeidp1199978583569"
>             xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:Transform
>                 Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>             <ds:Transform
>                 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>               <ec:InclusiveNamespaces
>                   xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>                   PrefixList="ds saml"/>
>             </ds:Transform>
>           </ds:Transforms>
>           <ds:DigestMethod
>               Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>               xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
>           <ds:DigestValue
>               xmlns:ds="http://www.w3.org/2000/09/xmldsig#">6eSn/ehb6C5gkU3t0KQLQ3InSeU=</ds:DigestValue>
>         </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> h9M4de1l3sAl7Ue4qYk6UZ8gI/aDTWAg2Ueog3sZ2COkkOraoaDKWhsx2kcz6l0qguNCbL
> fCVQq3
>
> eSmRR2R8VileLsVdvTssKZ5OYvvAKOMnJgueeGC1ZqElp9NWRf7p+qmAMytynxQG64JGJn
> eSmRR2R8VileLsVdvTssKZ5OYvvAKOMnJgueeGC1ZqElp9NWRf7p+FqO2fG
> NzORvH8ZZRSVgZmrhdU= </ds:SignatureValue>
> </ds:Signature>
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security Werdstrasse 2, P.O. Box, 8021
Zürich, Switzerland phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response Destination="https://www.google.com/a/demosp.com/acs" ID="_4b31dd925a7a2706725a71228643b041" IssueInstant="2008-04-02T13:43:53.044Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://tib.demo.securedby.covisint.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#_4b31dd925a7a2706725a71228643b041" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml samlp xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">UuxHiYmprlO82Hk/eAC33TMHGy46/uefMtHMwzg97HE=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_4b31dd925a7a2706725a71228643b041" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml samlp xs xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">UuxHiYmprlO82Hk/eAC33TMHGy46/uefMtHMwzg97HE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
vnfHDZtPtlzkS09H/sgIyH1helgulaIR+VAGSdVX5aCurBUznD4hX1X6Q3wN0L2nIomZ/5uXS0kJ
6Py6Cw+PgkmiE5BcfiXIO6cRA9W94OL1/NtZzPgo3JiPbd0eTQNxS4XpsBlq+L90GDYgmhbRZRQm
gRA3FoAikcIDB1Ov+Qs=
</ds:SignatureValue>
</ds:Signature>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_304667746bbc739bf4ff846f5335e7ed" IssueInstant="2008-04-02T13:43:53.046Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://tib.demo.securedby.covisint.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#_304667746bbc739bf4ff846f5335e7ed" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces PrefixList="ds saml xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">k1twlXmnl2y4jDS/155IdlkKR0RbcdiIFjy8ynkS9mo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
XPZdFnATuG/dehofcCVicmEDYiZkXp+5oGYd+iU46gQBqXXs/dtHv6GeANFAXkCsYC5M0UQvBw13//k+bPNqavht1yRQVlaaw99MeayrdLIpwj34KjR+Tt3vNkNHKB0skf/ZntfKWnKckBiqyTVoD3515dL6WRC2rW95c//yEMA=
</ds:SignatureValue></ds:Signature>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID NameQualifier="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">NAVEEN</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2008-04-02T13:43:53.046Z" Recipient="https://www.google.com/a/demosp.com/acs"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2008-04-02T13:43:53.047Z" NotOnOrAfter="2008-04-02T13:43:53.047Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction><saml:Audience>https://www.google.com/a/demosp.com/acs</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-04-02T13:43:53.047Z" SessionIndex="_304667746bbc739bf4ff846f5335e7ed" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute FriendlyName="FirstName" Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>
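
SAML 2.0 core requires each signature to carry a single same-document ds:Reference to the ID of the element it signs, which is the rule the duplicated references in this thread break. The following is an added example, not code from the thread or from OpenSAML: a JDK-only check that can be run on a serialized SAML 2.0 message before it is sent; the class name SamlReferenceCheck and the sample XML with its placeholder IDs are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added example (hypothetical class name): checks the one-Reference rule on a SAML 2.0 message.
public class SamlReferenceCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    /** Returns one finding per violation; an empty list means every Signature passed. */
    static List<String> check(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        List<String> findings = new ArrayList<>();
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Node sig = sigs.item(i);
            if (!(sig.getParentNode() instanceof Element)) continue; // Signature is the document root
            Element parent = (Element) sig.getParentNode();
            String want = "#" + parent.getAttribute("ID"); // SAML 2.0 ID attribute of the signed element
            String where = parent.getLocalName() + " " + want;
            int count = 0;
            NodeList refs = ((Element) sig).getElementsByTagNameNS(DS, "Reference");
            for (int j = 0; j < refs.getLength(); j++) {
                Element ref = (Element) refs.item(j);
                Node signedInfo = ref.getParentNode();
                // Count only References that sit directly in this Signature's SignedInfo.
                if (!"SignedInfo".equals(signedInfo.getLocalName()) || !signedInfo.getParentNode().isSameNode(sig)) continue;
                count++;
                if (!want.equals(ref.getAttribute("URI")))
                    findings.add(where + ": Reference URI '" + ref.getAttribute("URI") + "' does not match");
            }
            if (count != 1) findings.add(where + ": " + count + " ds:Reference elements, expected 1");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with placeholder IDs; digests and signature values are omitted.
        String xml = "<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'"
            + " xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:ds='" + DS + "' ID='_r1'>"
            + "<ds:Signature><ds:SignedInfo><ds:Reference URI='#_r1'/><ds:Reference URI='#_r1'/>"
            + "</ds:SignedInfo></ds:Signature><saml:Assertion ID='_a1'><ds:Signature><ds:SignedInfo>"
            + "<ds:Reference URI='#_a1'/></ds:SignedInfo></ds:Signature></saml:Assertion></samlp:Response>";
        check(xml).forEach(System.out::println);
    }
}
```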


