mace-opensaml-users - RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes

Subject: OpenSAML user discussion


RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes


  • From: "Pantvaidya, Vishwajit" <>
  • To: "" <>
  • Subject: RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
  • Date: Mon, 17 Nov 2008 16:05:49 -0800
  • Accept-language: en-US
  • Acceptlanguage: en-US

From: Brent Putman
[mailto:]
Sent: Monday, November 17, 2008 1:20 PM
I unfortunately didn't get your attachment - zip file attachments are
stripped by our email system due to security office policies. (don't even
ask....)

[Pantvaidya, Vishwajit] Trying with pasting the output inline here...

SAML Response from IdP log:

<Response Recipient="http://localhost:8080/login.jsp"
IssueInstant="2008-11-17T23:21:40.535Z" MinorVersion="1" MajorVersion="1"
ResponseID="ir0hM4rkvlPz461UB7mwyWApvjW8"
xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#ir0hM4rkvlPz461UB7mwyWApvjW8">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>nQ6ayPwGYXPuwCpgF7lUQOOuNqQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

<ds:SignatureValue>lcBNBwNbDumSAbhNdgADz62pu1ouiYzGAEqh/zHJZ+VaC/a6B4D6HA==</ds:SignatureValue>
</ds:Signature>
<Status>
<samlp:StatusCode Value="samlp:Success"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"/>
</Status>
<saml:Assertion Issuer="http://www.sourceid.org/"
IssueInstant="2008-11-17T23:21:39.801Z"
AssertionID="iHiR8GEoO4uPtv4xPQ1XbhD16fPY" MinorVersion="1" MajorVersion="1">
<saml:Conditions NotOnOrAfter="2008-11-17T23:26:39.801Z"
NotBefore="2008-11-17T23:16:39.801Z"/>
<saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2008-11-17T23:21:39.723Z">
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>

<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>

<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="ns" AttributeName="email">
<saml:AttributeValue>vpantvai</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#iHiR8GEoO4uPtv4xPQ1XbhD16fPY">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>gGKoDZteN0tzY5eN9XGnsUZT5sU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

<ds:SignatureValue>jxISd5qa7x58l4qlxylRLIj2cfxmpqgD+IkZ190ryAozL2opWgLbgw==</ds:SignatureValue>
</ds:Signature>
</saml:Assertion>
</Response>


Digester messages on my SP side:

[17 Nov 2008 15:21:44,848][none][VPANTVAIDYA-T61] DEBUG
[DigesterOutputStream] Pre-digested input:
[17 Nov 2008 15:21:44,848][none][VPANTVAIDYA-T61] DEBUG
[DigesterOutputStream] Pre-digested input:
[17 Nov 2008 15:21:44,848][none][VPANTVAIDYA-T61] DEBUG
[DigesterOutputStream] <samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2008-11-17T23:21:40.535Z" MajorVersion="1" MinorVersion="1"
Recipient="http://localhost:8080/login.jsp"
ResponseID="ir0hM4rkvlPz461UB7mwyWApvjW8"><samlp:Status><samlp:StatusCode
Value="samlp:Success"></samlp:StatusCode></samlp:Status><saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="iHiR8GEoO4uPtv4xPQ1XbhD16fPY"
IssueInstant="2008-11-17T23:21:39.801Z" Issuer="http://www.sourceid.org/"
MajorVersion="1" MinorVersion="1"><saml:Conditions
NotBefore="2008-11-17T23:16:39.801Z"
NotOnOrAfter="2008-11-17T23:26:39.801Z"></saml:Conditions><saml:AuthenticationStatement
AuthenticationInstant="2008-11-17T23:21:39.723Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier>vpantvai</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement><saml:Subject><saml:NameIdentifier>vpantvai</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute
AttributeName="email"
AttributeNamespace="ns"><saml:AttributeValue>vpantvai</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#iHiR8GEoO4uPtv4xPQ1XbhD16fPY">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>gGKoDZteN0tzY5eN9XGnsUZT5sU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jxISd5qa7x58l4qlxylRLIj2cfxmpqgD+IkZ190ryAozL2opWgLbgw==</ds:SignatureValue>
<ds:KeyInfo>
</ds:KeyInfo>
</ds:Signature></saml:Assertion></samlp:Response>
[17 Nov 2008 15:21:44,848][none][VPANTVAIDYA-T61] DEBUG
[DigesterOutputStream] <samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2008-11-17T23:21:40.535Z" MajorVersion="1" MinorVersion="1"
Recipient="http://localhost:8080/login.jsp"
ResponseID="ir0hM4rkvlPz461UB7mwyWApvjW8"><samlp:Status><samlp:StatusCode
Value="samlp:Success"></samlp:StatusCode></samlp:Status><saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="iHiR8GEoO4uPtv4xPQ1XbhD16fPY"
IssueInstant="2008-11-17T23:21:39.801Z" Issuer="http://www.sourceid.org/"
MajorVersion="1" MinorVersion="1"><saml:Conditions
NotBefore="2008-11-17T23:16:39.801Z"
NotOnOrAfter="2008-11-17T23:26:39.801Z"></saml:Conditions><saml:AuthenticationStatement
AuthenticationInstant="2008-11-17T23:21:39.723Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier>vpantvai</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement><saml:Subject><saml:NameIdentifier>vpantvai</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute
AttributeName="email"
AttributeNamespace="ns"><saml:AttributeValue>vpantvai</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#iHiR8GEoO4uPtv4xPQ1XbhD16fPY">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>gGKoDZteN0tzY5eN9XGnsUZT5sU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>jxISd5qa7x58l4qlxylRLIj2cfxmpqgD+IkZ190ryAozL2opWgLbgw==</ds:SignatureValue>
<ds:KeyInfo>
</ds:KeyInfo>
</ds:Signature></saml:Assertion></samlp:Response>
[17 Nov 2008 15:21:44,848][none][VPANTVAIDYA-T61] WARN [Reference]
Verification failed for URI "#ir0hM4rkvlPz461UB7mwyWApvjW8"
[17 Nov 2008 15:21:44,848] [http-8080-Processor4] WARN [Reference]
Verification failed for URI "#ir0hM4rkvlPz461UB7mwyWApvjW8"
[17 Nov 2008 15:21:44,848][none][VPANTVAIDYA-T61] WARN [Reference] Expected
Digest: nQ6ayPwGYXPuwCpgF7lUQOOuNqQ=
[17 Nov 2008 15:21:44,848] [http-8080-Processor4] WARN [Reference] Expected
Digest: nQ6ayPwGYXPuwCpgF7lUQOOuNqQ=
[17 Nov 2008 15:21:44,848][none][VPANTVAIDYA-T61] WARN [Reference] Actual
Digest: qFtu6GS721zaywX4+nJRk4076uE=
[17 Nov 2008 15:21:44,848] [http-8080-Processor4] WARN [Reference] Actual
Digest: qFtu6GS721zaywX4+nJRk4076uE=


