OpenSAML user discussion

[Brent Putman <>]

signature.getContentReferences().add( new 
SAMLObjectContentReference(assertion) );

Sankaranainar, Naveen wrote:
> I ran into same duplicate "<ds:Reference>" issue. I have attached the saml 
> response document that I federated to google and google acs rejected because of duplicate 
> reference. Any input on what could be wrong?.

Yes, someplace an extra SAMLContentReference is being added to the 
Response signature.


> I am calling signer object to sign the response document, not adding any 
> reference manually.
>   

I'm virtually certain that someplace you are doing something similar to 
the following, to the Signature that you're setting on the Response:


signature.getContentReferences().add( new 
SAMLObjectContentReference(response) );

You shouldn't do this, because SignableSAMLObject#setSignature does this 
automatically.  Doing it explicitly like the above is causing the duplicate.


> protected void signDocument(XMLObject xmlObject,Signature signature) throws 
> FedHubException{
>                 Marshaller marshaller = 
> marshallerFactory.getMarshaller(xmlObject);
>                 try {
>                         marshaller.marshall(xmlObject);
> 		} catch (MarshallingException e) { 
> 			LogManager.error("Exception on marshalling the document: " ,e);
>                 }
>                 Signer.signObject(signature);
> }
>
>   

Yeah, like I said above, this isn't really the relevant code you need to 
double-check.  You need to look at the code that is creating and 
populating things on the Response's Signature instance.

I also notice that your Assertion is also signed, but only has a single 
Reference.  So you must be doing something different as to building the 
Signature object in the two cases.

--Brent