mace-opensaml-users - SAML1.1 response signature validation fails but assertion signature validation passes
- From: "Pantvaidya, Vishwajit" <>
- Subject: SAML1.1 response signature validation fails but assertion signature validation passes
- Date: Thu, 13 Nov 2008 15:37:32 -0800
I am migrating to OpenSAML2 but using SAML1.1. My older code that validates
response and assertion signatures works fine. After migration to OpenSAML2,
the response signature validation fails with the following messages:
Verification failed for URI "#iZyjE4YiG5rffHh4sAPOA2_esHbM"
Verification failed for URI "#iZyjE4YiG5rffHh4sAPOA2_esHbM"
Expected Digest: lsb/Kk63UWdraorfpgMGxu4yCak=
Expected Digest: lsb/Kk63UWdraorfpgMGxu4yCak=
Actual Digest: hHxv7IY9MpthqXE5gcWk9WrXaUA=
Actual Digest: hHxv7IY9MpthqXE5gcWk9WrXaUA=
But assertion signature validation passes. What could the reason be? I do not
believe that my response is getting modified after receipt.
My code snippet is as follows:
// Credential holding the IdP's public key; the validator checks signatures against it.
BasicCredential pubCredential = new BasicCredential();
pubCredential.setPublicKey(<PubkeySpecifiedHere>);
SignatureValidator signatureValidator = new SignatureValidator(pubCredential);
SAMLSignatureProfileValidator samlSignatureProfileValidator = new SAMLSignatureProfileValidator();

// Decode the inbound SAML 1.1 Response from the servlet request.
MessageContext messageContext = new BasicSAMLMessageContext();
messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
samlMessageDecoder.decode(messageContext);
Response samlResponse = (Response) messageContext.getInboundMessage();

// Response signature: a required signature that is absent is a hard failure, not a skip
// (the original "respSignReqd || responseSignature != null" test passed null to validate()).
Signature responseSignature = samlResponse.getSignature();
if (responseSignature == null) {
    if (respSignReqd) {
        throw new ValidationException("Response signature required but not present");
    }
} else {
    samlSignatureProfileValidator.validate(responseSignature); // enveloped, Reference URI = #ResponseID
    signatureValidator.validate(responseSignature);            // digest and signature value
}

// Assertion signature, same fail-closed rule.
List<Assertion> assertions = samlResponse.getAssertions();
if (assertions.isEmpty()) {
    throw new ValidationException("Response carries no Assertion");
}
Signature assertionSignature = assertions.get(0).getSignature();
if (assertionSignature == null) {
    if (assSignReqd) {
        throw new ValidationException("Assertion signature required but not present");
    }
} else {
    samlSignatureProfileValidator.validate(assertionSignature);
    signatureValidator.validate(assertionSignature);
}
My SAML response xml is as follows:
<samlp:Response Recipient="http://localhost:8080/login.jsp"
IssueInstant="2008-11-13T22:53:57.303Z" MinorVersion="1" MajorVersion="1"
ResponseID="iZyjE4YiG5rffHh4sAPOA2_esHbM"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#iZyjE4YiG5rffHh4sAPOA2_esHbM">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>lsb/Kk63UWdraorfpgMGxu4yCak=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>juRR8asYm5YZf5mo0ApkgrHu0J1MNkfMgR9whs7f9Q4dQ8fbYkoJeg==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"/>
</samlp:Status>
<saml:Assertion Issuer="http://www.sourceid.org/"
IssueInstant="2008-11-13T22:53:57.178Z"
AssertionID="imPBV6NetW941_bKKxcSqcSxuiiA" MinorVersion="1" MajorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotOnOrAfter="2008-11-13T22:58:57.178Z"
NotBefore="2008-11-13T22:48:57.178Z"/>
<saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2008-11-13T22:53:57.162Z">
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="ns" AttributeName="email">
<saml:AttributeValue>vpantvai</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#imPBV6NetW941_bKKxcSqcSxuiiA">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>zh8Myaf8isic3NmtyJirc+vMb6Y=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>hPPNiNhaV14esU+BXO03CqadWbcW9SlmWjy8xyc3unMREEPGoqtcTQ==</ds:SignatureValue>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
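The structural checks that the SAML signature profile validation step in the snippet above performs (one enveloped Reference whose URI targets the signed element's own SAML 1.1 ID attribute, ResponseID or AssertionID, with the enveloped-signature transform present), as an added Python example that is not OpenSAML's code and not from this thread. The function name `check_signature_profile`, the helper `_sig` and the sample documents are constructed here; the sample keeps the IDs, Reference URIs and digest values from the posted Response but carries no real signature value, so it exercises only the profile checks, not the digest or signature verification.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# SAML 1.1 has no xml:id; the Reference must target the signed element's own ID attribute.
ID_ATTRS = {"{urn:oasis:names:tc:SAML:1.0:protocol}Response": "ResponseID",
            "{urn:oasis:names:tc:SAML:1.0:assertion}Assertion": "AssertionID"}

def check_signature_profile(xml_text):
    # One result per ds:Signature: which element it envelopes and why it would be rejected.
    root = ET.fromstring(xml_text)
    parent_of = {c: p for p in root.iter() for c in p}
    results = []
    for sig in root.iter(DS + "Signature"):
        parent = parent_of.get(sig)
        id_attr = ID_ATTRS.get(parent.tag) if parent is not None else None
        expected_id = parent.get(id_attr) if id_attr else None
        refs = sig.findall(f"./{DS}SignedInfo/{DS}Reference")
        uri = refs[0].get("URI") if refs else None
        transforms = [t.get("Algorithm") for t in refs[0].iter(DS + "Transform")] if refs else []
        problems = []
        if len(refs) != 1:
            problems.append("expected exactly one ds:Reference")
        if expected_id is None:
            problems.append("signature is not enveloped in a SAML 1.1 Response or Assertion")
        elif uri != "#" + expected_id:
            problems.append(f"Reference URI {uri!r} does not match enclosing {id_attr}={expected_id!r}")
        if ENVELOPED not in transforms:
            problems.append("missing enveloped-signature transform")
        signed = parent.tag.rsplit("}", 1)[-1] if parent is not None else None
        results.append({"signed": signed, "uri": uri, "ok": not problems, "problems": problems})
    return results

def _sig(ref_id, digest):  # constructed ds:Signature skeleton using the post's transforms
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
            f'<ds:Reference URI="#{ref_id}"><ds:Transforms>'
            f'<ds:Transform Algorithm="{ENVELOPED}"/><ds:Transform Algorithm="{EXC_C14N}"/>'
            '</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
            f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>')

RESP_ID, ASSERT_ID = "iZyjE4YiG5rffHh4sAPOA2_esHbM", "imPBV6NetW941_bKKxcSqcSxuiiA"
# Constructed sample: the IDs, Reference URIs and digests from the post, other content trimmed.
SAMPLE = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="{RESP_ID}">'
          + _sig(RESP_ID, "lsb/Kk63UWdraorfpgMGxu4yCak=")
          + '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
          + f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="{ASSERT_ID}">'
          + _sig(ASSERT_ID, "zh8Myaf8isic3NmtyJirc+vMb6Y=")
          + '</saml:Assertion></samlp:Response>')
# Constructed negative case: the Response signature's Reference targets the Assertion's ID instead.
MISMATCHED = SAMPLE.replace(f'URI="#{RESP_ID}"', f'URI="#{ASSERT_ID}"', 1)
```

A profile failure is reported before any digest is computed, so a "Verification failed ... Expected/Actual Digest" message like the one in the post means these checks passed and the bytes being digested differ from what was signed.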