
mace-opensaml-users - Re: [OpenSAML] XML signature issue(s)

Subject: OpenSAML user discussion


Re: [OpenSAML] XML signature issue(s)


  • From: Brent Putman <>
  • Subject: Re: [OpenSAML] XML signature issue(s)
  • Date: Thu, 11 Sep 2008 11:51:19 -0400



Hubert Le Van Gong wrote:
> Thanks Brent,
>
> After double checking I found that I was performing a validity check
> on the
> certificate used to sign the assertion. I removed it and it seems to
> be working
> fine now, at least when it comes to signing SAML assertions;

Ok, good to know.

> I have to
> check this with non SAML classes like my EPRs.

Ok. Just pointing out in case it isn't obvious: The mechanism that
you're implicitly using here is enveloped signature. I'm assuming
enveloped is schema valid for the elements/classes you want to sign? If
this EPR here is WS-Addressing EndpointReference, then I guess it is,
based on its extensible schema (wildcard child elements). Just
something to be aware of. OpenSAML also supports detached signatures
should you need to do that.


> As you mentioned I'll need
> to add a ContentReference to the signature too.
> I presume a URIContentReference set to "" will point at the root of
> the EPR, correct?

Based on my understanding, no. Empty "" URI means (from the Signature
spec):

URI=""
Identifies the node-set (minus any comment nodes) of the XML
resource containing the signature

Which means the entire Document in which the EPR would be contained.
Very likely may not be what you want: You sign it stand-alone, and it
verifies. Then you embed it in another document, and the signature breaks.

You may instead want to use the DocumentInternalIDContentReference.
That assumes that the element(s) you want to sign support an ID-typed
attribute, which can be used as the target of a document fragment
reference. EPR would seem to, since it's also extensible via wildcard
attributes. Again, it's a question of schema validity.


--Brent
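The difference Brent describes between an empty Reference URI and a same-document ID reference is easy to see by modelling the reference-processing step of XML Signature: resolve the URI, apply the enveloped-signature transform, canonicalize, digest. The following is an added example, not part of Brent's message and not OpenSAML code; it uses only the Python standard library (ET.canonicalize, C14N 2.0, stands in for exclusive C14N, and SHA-256 stands in for whatever digest algorithm the real signature would use). The EPR, the SOAP wrapper it is embedded in and the Address value are constructed sample data, and wsu:Id is assumed as the ID-typed attribute on the EPR (the WS-Security utility schema declares it xsd:ID). The empty URI corresponds to the URIContentReference("") case, "#epr-1" to the DocumentInternalIDContentReference case.

```python
"""Added example: why Reference URI="" breaks once a signed element is
embedded in a larger document, while URI="#id" survives.  Models the digest
step of XML Signature reference processing with the Python stdlib only; it
is not OpenSAML code."""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://www.w3.org/2003/05/soap-envelope"
for _prefix, _uri in (("wsa", WSA), ("wsu", WSU), ("ds", DS), ("soap", SOAP)):
    ET.register_namespace(_prefix, _uri)

SIG_TAG = f"{{{DS}}}Signature"
# Attributes treated as ID-typed (assumption: wsu:Id is xsd:ID in the wsu schema).
ID_ATTRIBUTES = (f"{{{WSU}}}Id",)

# Constructed sample EPR; the Address is made up.
EPR_XML = f"""<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:wsu="{WSU}" wsu:Id="epr-1">
  <wsa:Address>https://sts.example.org/trust</wsa:Address>
</wsa:EndpointReference>"""


def enveloped_transform(root):
    """Remove ds:Signature elements, as the enveloped-signature transform does.
    (The real transform removes only the Signature that holds the Reference;
    this model removes all of them.)  Text after a removed node is kept, as
    it is when a node is dropped from an XPath node-set."""
    for parent in list(root.iter()):
        children = list(parent)
        for idx, child in enumerate(children):
            if child.tag != SIG_TAG:
                continue
            if child.tail:
                prev = next((c for c in reversed(children[:idx]) if c.tag != SIG_TAG), None)
                if prev is not None:
                    prev.tail = (prev.tail or "") + child.tail
                else:
                    parent.text = (parent.text or "") + child.tail
            parent.remove(child)


def canonicalize(elem):
    """Canonical form of one element (C14N 2.0 via the stdlib, comments
    dropped).  The tail text is cleared so only the element's own node-set
    is serialized, not whatever follows it in the enclosing document."""
    node = copy.deepcopy(elem)
    node.tail = None
    return ET.canonicalize(ET.tostring(node, encoding="unicode"), with_comments=False)


def resolve_reference(root, uri):
    """Node selected by a Reference URI, or None if the ID is unknown."""
    if uri == "":
        return root  # XML Signature: URI="" is the whole containing document
    if uri.startswith("#"):
        wanted = uri[1:]
        for elem in root.iter():
            if any(elem.get(attr) == wanted for attr in ID_ATTRIBUTES):
                return elem
        return None
    raise ValueError("only same-document references are modelled here")


def reference_digest(xml_text, uri):
    """Base64 SHA-256 DigestValue for a Reference with the given URI:
    resolve, enveloped transform, canonicalize, hash.  None if unresolvable."""
    target = resolve_reference(ET.fromstring(xml_text), uri)
    if target is None:
        return None
    target = copy.deepcopy(target)
    enveloped_transform(target)
    digest = hashlib.sha256(canonicalize(target).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def embed_in_soap_header(epr_text):
    """Constructed wrapper: drop the signed EPR into a SOAP header block."""
    envelope = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(envelope, f"{{{SOAP}}}Header")
    header.append(ET.fromstring(epr_text))
    ET.SubElement(envelope, f"{{{SOAP}}}Body")
    return ET.tostring(envelope, encoding="unicode")


def with_placeholder_signature(epr_text):
    """Append a dummy ds:Signature child, as signing would, so there is
    something for the enveloped transform to strip."""
    root = ET.fromstring(epr_text)
    sig = ET.SubElement(root, SIG_TAG)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "c2lnbmVk"
    return ET.tostring(root, encoding="unicode")


def demo():
    """Digests recorded at signing time versus recomputed later."""
    signed = {uri: reference_digest(EPR_XML, uri) for uri in ("", "#epr-1")}
    embedded = embed_in_soap_header(EPR_XML)
    return {
        "uri_empty_survives_embedding": reference_digest(embedded, "") == signed[""],
        "id_ref_survives_embedding": reference_digest(embedded, "#epr-1") == signed["#epr-1"],
        "enveloped_transform_ignores_signature":
            reference_digest(with_placeholder_signature(EPR_XML), "#epr-1") == signed["#epr-1"],
        "unknown_id_fails_closed": reference_digest(EPR_XML, "#no-such-id") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Stand-alone, both URIs select the same node (the EPR is the document root), so both digests agree and the signature verifies either way; once the EPR is wrapped in another document, URI="" now covers the wrapper and the digest no longer matches, whereas "#epr-1" still selects just the EPR subtree. The ID lookup also fails closed: a reference to an ID that is not present yields no digest rather than silently hashing something else.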



