mace-opensaml-users - Re: [OpenSAML] Problem signing saml response message

Re: [OpenSAML] Problem signing saml response message


  • From: "Perry Vessels" <>
  • To:
  • Subject: Re: [OpenSAML] Problem signing saml response message
  • Date: Sun, 29 Jun 2008 09:03:10 -0400

Thanks Chad for your response. I did figure out what was wrong. I
had the setDestination value of null while computing the signature and
then it was getting populated by the Endpoint.setLocation. Now with
setDestination defined to the same value, the signature computes.

Thanks again,
Perry

On Sun, Jun 29, 2008 at 5:03 AM, Chad La Joie <> wrote:
> Simple sign does not sign the SAML; that, in theory, is why it's simpler.
> Take a look at the SAML SimpleSign spec to see what that code is doing.
>
> Perry Vessels wrote:
>>
>> Hi,
>>
>> I was attempting to reuse some of the code from
>> HTTPPostSimpleSignEncoderTest.java, but have the SAML response in the
>> post be signed. The code executes, but doesn't produce a digest value
>> or signature value within the SAMLResponse, although the
>> setOutboundSAMLMessageSigningCredential method does compute the value.
>> Below is the code for that portion and below that is the form post
>> that's produced.
>>
>> Thanks in advance,
>> Perry
>>
>>
>> public void httpResp(KeyPair kp) throws Exception {
>>     builderFactory = Configuration.getBuilderFactory();
>>     this.velocitySetUp();
>>
>>     SAMLObjectBuilder<StatusCode> statusCodeBuilder =
>>         (SAMLObjectBuilder<StatusCode>) builderFactory.getBuilder(StatusCode.DEFAULT_ELEMENT_NAME);
>>     StatusCode statusCode = statusCodeBuilder.buildObject();
>>     statusCode.setValue(StatusCode.SUCCESS_URI);
>>
>>     SAMLObjectBuilder<Status> statusBuilder =
>>         (SAMLObjectBuilder<Status>) builderFactory.getBuilder(Status.DEFAULT_ELEMENT_NAME);
>>     Status responseStatus = statusBuilder.buildObject();
>>     responseStatus.setStatusCode(statusCode);
>>
>>     SAMLObjectBuilder<Response> responseBuilder =
>>         (SAMLObjectBuilder<Response>) builderFactory.getBuilder(Response.DEFAULT_ELEMENT_NAME);
>>     Response samlMessage = responseBuilder.buildObject();
>>
>>     samlMessage.setDestination(null);
>>     samlMessage.setID("foo");
>>     samlMessage.setVersion(SAMLVersion.VERSION_20);
>>     samlMessage.setIssueInstant(now);
>>     // samlMessage.setIssuer(makeIssuer());
>>     samlMessage.setStatus(responseStatus);
>>     // samlMessage.getAssertions().add(assertion);
>>
>>     Credential signingCred = SecurityHelper.getSimpleCredential(kp.getPublic(), kp.getPrivate());
>>
>>     Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
>>     signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
>>     signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
>>     signature.setSigningCredential(signingCred);
>>
>>     samlMessage.setSignature(signature);
>>
>>     // Get the marshaller factory
>>     MarshallerFactory marshallerFactory = Configuration.getMarshallerFactory();
>>     Marshaller marshaller = marshallerFactory.getMarshaller(samlMessage);
>>     marshaller.marshall(samlMessage);
>>     Signer.signObject(signature);
>>
>>     SAMLObjectBuilder<Endpoint> endpointBuilder =
>>         (SAMLObjectBuilder<Endpoint>) builderFactory.getBuilder(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
>>     Endpoint samlEndpoint = endpointBuilder.buildObject();
>>     samlEndpoint.setLocation("http://example.org");
>>     samlEndpoint.setResponseLocation("http://example.org/response");
>>
>>     MockHttpServletResponse response = new MockHttpServletResponse();
>>     HttpServletResponseAdapter outTransport = new HttpServletResponseAdapter(response, false);
>>
>>     BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext();
>>     messageContext.setOutboundMessageTransport(outTransport);
>>     messageContext.setPeerEntityEndpoint(samlEndpoint);
>>     messageContext.setOutboundSAMLMessage(samlMessage);
>>     messageContext.setRelayState("relay");
>>     messageContext.setOutboundSAMLMessageSigningCredential(signingCred);
>>
>>     HTTPPostSimpleSignEncoder encoder = new HTTPPostSimpleSignEncoder(velocityEngine,
>>         "/resources/templates/saml2-post-simplesign-binding.vm");
>>     encoder.encode(messageContext);
>>
>>     System.out.println(response.getContentAsString());
>> }
>>
>>
>> <form action="http://example.org" method="post">
>> <div>
>> <input type="hidden" name="RelayState" value="relay"/>
>> <input type="hidden" name="SAMLResponse" value="[base64-encoded SAMLResponse elided in the archive]"/>
>> <input type="hidden" name="Signature"
>> value="mZr/TdcoeoVbv1XcVnEUjHWGvjS1Y/3SdOJ6SG9Cbn7gbmji4OVA/4qCKHquvSGQMHm2oF2HxM9wQYYMwQ7YTk66Vz0VfDLbGi506SaeDKSlJWrxqdCMJqquHLsXn8XUnuU4ykw1JgQwhs1XD9w7JYOTKAo8RNhrBAb0oXV8Q3E="/>
>> <input type="hidden" name="SigAlg"
>> value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <input type="hidden" name="KeyInfo" value="[base64-encoded KeyInfo elided in the archive]"/>
>> </div>
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> http://www.switch.ch
>
>

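An added example, not code from this thread or from the OpenSAML project, showing the ordering Perry arrived at in OpenSAML 2.x: fix Destination (and every other attribute) before marshalling and signing, verify the enveloped signature as a relying party would, and then reproduce the failure mode by changing Destination after signing, which releases the cached DOM so the re-marshalled ds:SignatureValue comes out empty. It assumes an OpenSAML 2.x classpath; the class name, the endpoint URLs and the choice of RSA-SHA256 in place of the thread's RSA-SHA1 are this example's own.

```java
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.*;

public class SigningOrderDemo { // hypothetical class, not part of OpenSAML
    // Set every attribute (Destination included) first, then marshall, then sign.
    static Response signedResponse(Credential cred, String endpointUrl) throws Exception {
        SAMLObjectBuilder<Response> rb = (SAMLObjectBuilder<Response>)
            Configuration.getBuilderFactory().getBuilder(Response.DEFAULT_ELEMENT_NAME);
        Response resp = rb.buildObject();
        resp.setID("_" + java.util.UUID.randomUUID());
        resp.setVersion(SAMLVersion.VERSION_20);
        resp.setIssueInstant(new DateTime());
        resp.setDestination(endpointUrl); // the URL the encoder will use, so it never changes later
        Signature sig = (Signature) Configuration.getBuilderFactory()
            .getBuilder(Signature.DEFAULT_ELEMENT_NAME).buildObject(Signature.DEFAULT_ELEMENT_NAME);
        sig.setSigningCredential(cred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        resp.setSignature(sig);
        Configuration.getMarshallerFactory().getMarshaller(resp).marshall(resp); // DOM must exist
        Signer.signObject(sig); // writes DigestValue and SignatureValue into that DOM
        return resp;
    }
    // Text of ds:SignatureValue in the DOM that would actually be serialised and posted.
    static String postedSignatureValue(Response resp) throws Exception {
        org.w3c.dom.Element dom = Configuration.getMarshallerFactory().getMarshaller(resp).marshall(resp);
        return dom.getElementsByTagNameNS(SignatureConstants.XMLSIG_NS, "SignatureValue").item(0).getTextContent().trim();
    }
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        java.security.KeyPair kp = java.security.KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Credential cred = SecurityHelper.getSimpleCredential(kp.getPublic(), kp.getPrivate());
        Response resp = signedResponse(cred, "https://sp.example.org/acs");
        // Relying-party checks: each throws if the signature profile or the signature itself is wrong.
        new SAMLSignatureProfileValidator().validate(resp.getSignature());
        new SignatureValidator(cred).validate(resp.getSignature());
        System.out.println("SignatureValue present: " + !postedSignatureValue(resp).isEmpty());
        // The thread's bug: editing the signed object releases its cached DOM, so the next marshall builds a fresh, unsigned ds:Signature.
        resp.setDestination("https://sp.example.org/other-acs");
        System.out.println("SignatureValue present after edit: " + !postedSignatureValue(resp).isEmpty());
    }
}
```

The same DOM release happens when an encoder sets Destination from the peer endpoint after you have already signed, which is why the value must be identical before signing or the signing must be left to the encoder via the message context.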