mace-opensaml-users - RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes


RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes


  • From: "Pantvaidya, Vishwajit" <>
  • To: "" <>, Scott Cantor <>
  • Subject: RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
  • Date: Tue, 18 Nov 2008 09:36:54 -0800

> > You can easily run a sample message through Oxygen as a test, it has a
> > signature validator in it. If that works, either your code is buggy or
> > the library is. If not, the sender is buggy.
> >
> > -- Scott
> >
> [Pantvaidya, Vishwajit] Oh didn't know that. Thanks Scott. I do have
> Oxygen 7.2. Will try with that.


[Pantvaidya, Vishwajit] Using OxygenXML, signature verification of the
following response failed.
Then I tried to verify the assertion signature using Oxygen, since that part
worked for me in the OpenSAML Java code. So I removed the outer response and
SAML status elements, leaving just the assertion. I did not change any
content within the assertion element, so this should not invalidate the
original signature, right? But even the assertion signature verification
failed with OxygenXML. So is the OxygenXML SAML response verification failure
meaningful?
The SAML response I used is posted herewith:

<samlp:Response Recipient="http://localhost:8080/login.jsp"
IssueInstant="2008-11-18T02:29:12.902Z" MinorVersion="1" MajorVersion="1"
ResponseID="i64IVQAZ_9d64cPxlBEzUmVB1RjY"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#i64IVQAZ_9d64cPxlBEzUmVB1RjY">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>1vJr3pzWDhOWTYwD5IdYRMO/plc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

<ds:SignatureValue>i1VT1cfl4fGR2NklyXDt1QwLeTWBDH+I56EtjZWbhd2dV9hm/CcQ/Q==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"/>
</samlp:Status>
<saml:Assertion Issuer="http://www.sourceid.org/"
IssueInstant="2008-11-18T02:29:12.027Z"
AssertionID="iqwAzv1BIZjNOuesAXjCy_2a7uwQ" MinorVersion="1" MajorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotOnOrAfter="2008-11-18T02:34:12.027Z"
NotBefore="2008-11-18T02:24:12.027Z"/>
<saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2008-11-18T02:29:11.949Z">
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>

<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier>vpantvai</saml:NameIdentifier>
<saml:SubjectConfirmation>

<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="ns" AttributeName="email">
<saml:AttributeValue>vpantvai</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#iqwAzv1BIZjNOuesAXjCy_2a7uwQ">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<ds:DigestValue>JncIj42M6KDjVtQc6s/9DPKBYJ8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

<ds:SignatureValue>PTdKkEBcidR5KzgrYVrSJsTSfvkLsCd6Zp/SnggSrLOMwD0gJdUzQQ==</ds:SignatureValue>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
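The question in the message above is whether cutting the assertion out of the response changes what the assertion signature covers. The example below is added here and is not code from the thread, from OpenSAML or from Oxygen: it runs the reference processing the posted <ds:Reference> declares, removing the assertion's own ds:Signature (the enveloped-signature transform), canonicalizing the remaining subtree, and hashing the bytes with SHA-1 into the base64 form a ds:DigestValue holds. It uses a constructed sample modelled on the posted response, with placeholder DigestValue and SignatureValue, and all function names are its own. One assumption to keep in mind: Python's standard-library canonicalizer implements C14N 2.0, not the exclusive C14N 1.0 transform the message uses, so the digests it prints are illustrative and are not meant to be compared with the posted DigestValue; the rule that matters for the extraction question does carry over, namely that a namespace declaration is emitted only on the element that visibly uses it.

```python
# Added example, not code from the thread, OpenSAML or Oxygen: the reference
# processing the posted <ds:Reference> declares (enveloped-signature, then
# canonicalization) followed by the SHA-1 named in <ds:DigestMethod>.  The stdlib
# canonicalizer is C14N 2.0, not exclusive C14N 1.0, so digests are illustrative.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION_TAG = f"{{{SAML1}}}Assertion"
SIGNATURE_TAG = f"{{{DS}}}Signature"

# Keep the document's prefixes when a subtree is re-serialized: canonical output
# contains prefix names, so ElementTree's generated ns0/ns1 would alter the digest.
for _prefix, _uri in (("saml", SAML1), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample modelled on the posted response; DigestValue and
# SignatureValue are placeholders, not real signature output.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="_r1" MajorVersion="1" MinorVersion="1" IssueInstant="2008-11-18T02:29:12.902Z" Recipient="http://localhost:8080/login.jsp">
<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1" MajorVersion="1" MinorVersion="1" Issuer="http://www.sourceid.org/" IssueInstant="2008-11-18T02:29:12.027Z">
<saml:Conditions NotBefore="2008-11-18T02:24:12.027Z" NotOnOrAfter="2008-11-18T02:34:12.027Z"/>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2008-11-18T02:29:11.949Z">
<saml:Subject><saml:NameIdentifier>vpantvai</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#_a1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
"""

def extract_assertion_text(doc_text: str) -> str:
    """Cut the saml:Assertion out byte-for-byte, as the poster did by hand."""
    start = doc_text.index("<saml:Assertion")
    end = doc_text.index("</saml:Assertion>") + len("</saml:Assertion>")
    return doc_text[start:end]

def enveloped_signature_transform(element: ET.Element) -> None:
    """Drop the element's own ds:Signature child.  ElementTree stores the text after
    </ds:Signature> as that child's .tail; XPath keeps that text node, so move it."""
    children = list(element)
    for index, child in enumerate(children):
        if child.tag != SIGNATURE_TAG:
            continue
        tail = child.tail or ""
        if index == 0:
            element.text = (element.text or "") + tail
        else:
            children[index - 1].tail = (children[index - 1].tail or "") + tail
        element.remove(child)
        return
    raise ValueError("assertion carries no enveloped ds:Signature")

def canonical_assertion(doc_text: str) -> bytes:
    """Find the Assertion (top level or inside a Response), apply the
    enveloped-signature transform and canonicalize only that subtree."""
    root = ET.fromstring(doc_text)
    assertion = root if root.tag == ASSERTION_TAG else root.find(f".//{ASSERTION_TAG}")
    if assertion is None:
        raise ValueError("no saml:Assertion in document")
    enveloped_signature_transform(assertion)
    assertion.tail = None  # text after </saml:Assertion> belongs to the parent
    subtree = ET.tostring(assertion, encoding="unicode")
    # Namespace declarations are emitted only where visibly used, as in exc-c14n:
    # the enclosing Response's xmlns:samlp never reaches the canonical bytes.
    return ET.canonicalize(subtree, strip_text=False).encode("utf-8")

def assertion_digest_value(doc_text: str) -> str:
    """Base64 SHA-1 over the canonical assertion, the form ds:DigestValue holds."""
    digest = hashlib.sha1(canonical_assertion(doc_text)).digest()
    return base64.b64encode(digest).decode("ascii")

def whitespace_only_edit(xml_text: str) -> str:
    """Strip whitespace between tags: same markup, different text nodes."""
    return re.sub(r">\s+<", "><", xml_text)

if __name__ == "__main__":
    alone = extract_assertion_text(SAMPLE_RESPONSE)
    for label, doc in (("in Response", SAMPLE_RESPONSE), ("cut out", alone),
                       ("whitespace edit", whitespace_only_edit(alone))):
        print(f"{label:16}", assertion_digest_value(doc))
```

Run as a script it prints three digests. The assertion digested inside the Response and the same bytes digested as a standalone document agree, because with exclusive canonicalization the enclosing Response contributes nothing to the assertion's canonical form (under inclusive C14N the in-scope xmlns:samlp would be emitted on the Assertion, and the cut-out copy would digest differently). A whitespace-only reflow of the same markup does not agree, since canonicalization preserves text nodes; mail clients rewrap long lines, so an assertion pasted out of a message rarely digests back to its original value. The dependency also runs one way only: the Response signature's reference covers the whole Response, including the assertion and its signature, so the outer signature depends on the inner one but not the reverse. Two further things a verifier trips over in the posted response: neither ds:Signature carries a ds:KeyInfo, so the signer's public key has to come from metadata or configuration, and the algorithms are dsa-sha1 and sha1, which a current XML Signature stack may reject unless explicitly allowed.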


