
mace-opensaml-users - SAML1.1 response signature validation fails but assertion signature validation passes

Subject: OpenSAML user discussion




  • From: "Pantvaidya, Vishwajit" <>
  • To: "''" <>
  • Subject: SAML1.1 response signature validation fails but assertion signature validation passes
  • Date: Thu, 13 Nov 2008 15:37:32 -0800
  • Accept-language: en-US

I am migrating to OpenSAML2 but using SAML1.1. My older code that validates the
response and assertion signatures works fine. After migration to OpenSAML2,
the response signature validation fails with the following messages:

Verification failed for URI "#iZyjE4YiG5rffHh4sAPOA2_esHbM"
Verification failed for URI "#iZyjE4YiG5rffHh4sAPOA2_esHbM"
Expected Digest: lsb/Kk63UWdraorfpgMGxu4yCak=
Expected Digest: lsb/Kk63UWdraorfpgMGxu4yCak=
Actual Digest: hHxv7IY9MpthqXE5gcWk9WrXaUA=
Actual Digest: hHxv7IY9MpthqXE5gcWk9WrXaUA=

But the assertion signature validation passes. What could the reason be? I do not
believe that my response is getting modified after receipt.

My code snippet is as follows:

import java.util.List;

import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

// Verification credential: only the IdP's public key is needed to check signatures.
BasicCredential pubCredential = new BasicCredential();
pubCredential.setPublicKey(<PubkeySpecifiedHere>);
SignatureValidator signatureValidator = new SignatureValidator(pubCredential);

// Decode the inbound SAML 1.1 message from the servlet request.
MessageContext messageContext = new BasicSAMLMessageContext();
messageContext.setInboundMessageTransport(new HttpServletRequestAdapter(request));
samlMessageDecoder.decode(messageContext);

Response samlResponse = (Response) messageContext.getInboundMessage();
Signature responseSignature = samlResponse.getSignature();
if (responseSignature == null) {
    // A required signature that is absent must be rejected, not passed to validate(null).
    if (respSignReqd) throw new ValidationException("Response signature required but absent");
} else {
    samlSignatureProfileValidator.validate(responseSignature); // enveloped, single Reference to the parent
    signatureValidator.validate(responseSignature);            // digest and SignatureValue against the key
}

List<Assertion> assertions = samlResponse.getAssertions();
if (assertions.isEmpty()) throw new ValidationException("Response carries no assertion");
Assertion assertion = assertions.get(0);
Signature assertionSignature = assertion.getSignature();
if (assertionSignature == null) {
    if (assSignReqd) throw new ValidationException("Assertion signature required but absent");
} else {
    samlSignatureProfileValidator.validate(assertionSignature);
    signatureValidator.validate(assertionSignature);
}

My SAML response xml is as follows:

<samlp:Response Recipient="http://localhost:8080/login.jsp"
IssueInstant="2008-11-13T22:53:57.303Z" MinorVersion="1" MajorVersion="1"
ResponseID="iZyjE4YiG5rffHh4sAPOA2_esHbM"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#iZyjE4YiG5rffHh4sAPOA2_esHbM">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>lsb/Kk63UWdraorfpgMGxu4yCak=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

<ds:SignatureValue>juRR8asYm5YZf5mo0ApkgrHu0J1MNkfMgR9whs7f9Q4dQ8fbYkoJeg==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"/>
</samlp:Status>
<saml:Assertion Issuer="http://www.sourceid.org/"
IssueInstant="2008-11-13T22:53:57.178Z"
AssertionID="imPBV6NetW941_bKKxcSqcSxuiiA" MinorVersion="1" MajorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotOnOrAfter="2008-11-13T22:58:57.178Z"
NotBefore="2008-11-13T22:48:57.178Z"/>
<saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2008-11-13T22:53:57.162Z">
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>

<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>

<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="ns" AttributeName="email">
<saml:AttributeValue>vpantvai</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#imPBV6NetW941_bKKxcSqcSxuiiA">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>zh8Myaf8isic3NmtyJirc+vMb6Y=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

<ds:SignatureValue>hPPNiNhaV14esU+BXO03CqadWbcW9SlmWjy8xyc3unMREEPGoqtcTQ==</ds:SignatureValue>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
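The "Expected Digest" / "Actual Digest" pair in the log is the Reference digest check: the verifier applies the Reference's transforms (enveloped-signature, then exclusive c14n) to the element that carries the referenced ID and hashes the result. When only the outer Response reference fails while the Assertion reference still verifies, the bytes that differ from what the IdP signed lie inside the Response but outside the Assertion: Response attributes, the Status element, whitespace between the Response's children, or the Signature element's own placement. The following stand-alone checker is an added example, not code from the original post or from OpenSAML. It recomputes both digests the way the log does, so the raw request body captured before decoding can be compared with the XML the application actually hands to the validator. It assumes `lxml` is installed; the sample Response, its IDs, hosts and subject are constructed to mirror the message above, and the SignatureValue is a dummy because only the Reference digests are checked (the key and SignatureValue are still verified by OpenSAML, not here).

```python
"""Recompute XMLDSig Reference digests over a SAML message (SAML 1.1 or 2.0 IDs)."""
import base64
import hashlib
from lxml import etree

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
INC_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# SHA-1 is accepted only because this legacy SAML 1.1 message uses it.
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
           "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}
# SAML 1.1 names its ID attributes ResponseID/AssertionID, SAML 2.0 uses ID;
# a verifier that only knows ID or xml:id cannot resolve "#..." in a 1.1 message.
ID_ATTRS = ("ID", "ResponseID", "AssertionID", "{http://www.w3.org/XML/1998/namespace}id")


def find_by_id(root, ident):
    for el in root.iter():                      # includes root itself
        if any(el.get(a) == ident for a in ID_ATTRS):
            return el
    raise LookupError("no element carries ID %r" % ident)


def detach_keeping_tail(el):
    """Enveloped-signature transform: drop el but keep the text node after it
    (lxml removes an element's tail together with the element)."""
    parent, prev = el.getparent(), el.getprevious()
    if el.tail:
        if prev is not None:
            prev.tail = (prev.tail or "") + el.tail
        else:
            parent.text = (parent.text or "") + el.tail
    parent.remove(el)


def reference_digest(xml_bytes, sig_index):
    """Recompute the digest of the Reference in the sig_index-th ds:Signature.
    Returns (URI, DigestValue carried in the message, recomputed DigestValue)."""
    root = etree.fromstring(xml_bytes)          # fresh parse: transforms mutate the tree
    sig = root.xpath("//ds:Signature", namespaces=NS)[sig_index]
    ref = sig.find("ds:SignedInfo/ds:Reference", namespaces=NS)
    uri = ref.get("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled: %r" % uri)
    expected = ref.findtext("ds:DigestValue", namespaces=NS).strip()
    hasher = DIGESTS[ref.find("ds:DigestMethod", namespaces=NS).get("Algorithm")]
    target = find_by_id(root, uri[1:])
    exclusive = False                           # XMLDSig default without a c14n transform
    for t in ref.findall("ds:Transforms/ds:Transform", namespaces=NS):
        alg = t.get("Algorithm")
        if alg == ENVELOPED:
            detach_keeping_tail(sig)            # only *this* signature; nested ones stay
        elif alg in (EXC_C14N, INC_C14N):
            exclusive = alg == EXC_C14N
        else:
            raise ValueError("unsupported transform %r" % alg)
    data = etree.tostring(target, method="c14n", exclusive=exclusive, with_comments=False)
    return uri, expected, base64.b64encode(hasher(data).digest()).decode("ascii")


def check_reference_digests(xml_bytes):
    """One (signed element, URI, digest-matches) triple per signature, in document order."""
    root = etree.fromstring(xml_bytes)
    out = []
    for i, sig in enumerate(root.xpath("//ds:Signature", namespaces=NS)):
        uri, expected, actual = reference_digest(xml_bytes, i)
        out.append((etree.QName(sig.getparent()).localname, uri, expected == actual))
    return out


def signature_xml(ident, digest):
    """Enveloped DSA-SHA1 signature skeleton like the one in the message; the
    SignatureValue is a dummy, only the Reference digest is checked here."""
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="%s"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>'
            '<ds:Reference URI="#%s"><ds:Transforms><ds:Transform Algorithm="%s"/>'
            '<ds:Transform Algorithm="%s"/></ds:Transforms>'
            '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
            '<ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>bm90LWNoZWNrZWQ=</ds:SignatureValue></ds:Signature>'
            % (DS, EXC_C14N, ident, ENVELOPED, EXC_C14N, digest))


def build_sample():
    """Constructed SAML 1.1 Response shaped like the one in the message (ids, hosts
    and subject are made up). Digests are filled inner-first, as an IdP signs."""
    def doc(resp_digest, assn_digest):
        return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
                'MajorVersion="1" MinorVersion="1" ResponseID="r-001" '
                'IssueInstant="2008-11-13T22:53:57Z" Recipient="https://sp.example.org/acs">\n  %s\n'
                '  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>\n'
                '  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
                'MajorVersion="1" MinorVersion="1" AssertionID="a-001" '
                'Issuer="https://idp.example.org" IssueInstant="2008-11-13T22:53:57Z">\n'
                '    <saml:AuthenticationStatement AuthenticationInstant="2008-11-13T22:53:57Z" '
                'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">\n'
                '      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>\n'
                '    </saml:AuthenticationStatement>\n    %s\n  </saml:Assertion>\n'
                '</samlp:Response>' % (signature_xml("r-001", resp_digest),
                                       signature_xml("a-001", assn_digest))).encode()
    _, _, assn = reference_digest(doc("x", "x"), 1)     # a signature's own DigestValue is
    _, _, resp = reference_digest(doc("x", assn), 0)    # removed before hashing, so "x" is fine
    return doc(resp, assn)


if __name__ == "__main__":
    signed = build_sample()
    print(check_reference_digests(signed))
    print(check_reference_digests(signed.replace(b"/acs", b"/other")))
```

Run it against the body read from the HttpServletRequest before the decoder touches it, then against the XML serialized from the decoded Response object; the first position where the Response digest stops matching is where the bytes were altered. Changing a Response attribute in the sample reproduces the symptom in the log exactly (Response reference fails, Assertion reference passes), while changing the NameIdentifier breaks both, because the outer signature also covers the Assertion and its signature. The checker is a diagnostic only: it does not verify the SignatureValue or the signing key, and it does not replace the profile validation that rejects a Reference pointing anywhere other than the signature's parent.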



Archive powered by MHonArc 2.6.16.