
mace-opensaml-users - RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes

  • From: "Pantvaidya, Vishwajit" <>
  • To: Scott Cantor <>, "" <>
  • Subject: RE: [OpenSAML] RE: SAML1.1 response signature validation fails but assertion signature validation passes
  • Date: Tue, 18 Nov 2008 10:56:18 -0800
  • Accept-language: en-US

> -----Original Message-----
> From: Scott Cantor
> [mailto:]
>
> > [Pantvaidya, Vishwajit] Using OxygenXML, signature verification of the
> > following response failed.
> > Then I tried to verify the assertion signature using Oxygen - since that
> > part worked for me in the opensaml java code. So I removed the outer
> > response and saml status elements, leaving just the assertion. I did not
> > change any content within the assertion element - so this should not
> > invalidate the original signature right? But even the assertion signature
> > verification failed with OxygenXML. So is the OxygenXML saml response
> > verification failure meaningful?
>
> It means you changed the XML.
>
> > The saml response I used is posted herewith:
>
> That's pretty printed. There's no way that will work. You understand that a
> single additional or missing whitespace character will break the signature,
> right?
>
> -- Scott
>
[Pantvaidya, Vishwajit] Yes, I understand - but for some reason I kept on
believing that only whitespace changes inside XML element data bytes would
matter. But I guess the whole assertion XML is data which is signed. So even
non-data whitespace such as "<saml:Subject> <saml:NameIdentifier>" will
matter. Also, CR/LFs added by editors would also figure as changes. I will
have another go at this Oxygen verification.

In parallel, I have also installed and built a local Shibboleth IdP. I am
skipping the Apache web server installation and using Tomcat's default HTTP
server as this is only for testing and my SP and IdP will be on the same machine.

The Shibboleth IdP install doc mentions an SSL cert requirement. For the above
reasons, I don't care about SSL now - do I still need the SSL cert?


- Vish.
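The whitespace point raised in the exchange above, shown as an added example (not code from this thread, from OpenSAML or from Shibboleth): digests over the canonical form of a constructed SAML 1.1-style assertion before and after an editor pretty-prints it. It assumes Python 3.8+, whose xml.etree canonicalize() implements C14N 2.0 rather than the Exclusive C14N 1.0 used by SAML signatures; both preserve whitespace-only text nodes between elements, which is exactly what the example isolates.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed SAML 1.1-style assertion, compact as an IdP would emit it.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
COMPACT = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_example" '
    'IssueInstant="2008-11-18T18:56:18Z" Issuer="https://idp.example.org">'
    "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>vish"
    "</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
    "</saml:Assertion>"
)

# The same assertion after pretty-printing: only indentation and line breaks
# between elements were added; no element, attribute or text value changed.
PRETTY = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_example"\n'
    '    IssueInstant="2008-11-18T18:56:18Z" Issuer="https://idp.example.org">\n'
    "  <saml:AuthenticationStatement>\n"
    "    <saml:Subject>\n"
    "      <saml:NameIdentifier>vish</saml:NameIdentifier>\n"
    "    </saml:Subject>\n"
    "  </saml:AuthenticationStatement>\n"
    "</saml:Assertion>"
)

# Attribute order and quote style differ from COMPACT, but canonicalization
# normalizes both, so nothing the signature covers has changed.
REORDERED = (
    f"<saml:Assertion Issuer='https://idp.example.org' "
    f"IssueInstant='2008-11-18T18:56:18Z' AssertionID='_example' xmlns:saml='{SAML_NS}'>"
    "<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>vish"
    "</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>"
    "</saml:Assertion>"
)


def canonical(xml_text: str, strip_text: bool = False) -> str:
    """Canonical form (C14N 2.0 via the stdlib). strip_text=True discards
    whitespace-only text nodes; XML Signature does NOT do that, it is used
    here only to prove that inter-element whitespace is the sole difference."""
    return ET.canonicalize(xml_text, strip_text=strip_text)


def digest(xml_text: str, strip_text: bool = False) -> str:
    """Hash over the canonical bytes, the input to a ds:DigestValue
    (algorithm choice is irrelevant to the point; SHA-256 used here)."""
    return hashlib.sha256(canonical(xml_text, strip_text).encode("utf-8")).hexdigest()


def same_digest(a: str, b: str, strip_text: bool = False) -> bool:
    return digest(a, strip_text) == digest(b, strip_text)


if __name__ == "__main__":
    print("compact vs reordered attributes :", same_digest(COMPACT, REORDERED))
    print("compact vs pretty-printed       :", same_digest(COMPACT, PRETTY))
    print("same, ignoring whitespace nodes :", same_digest(COMPACT, PRETTY, True))
```

The middle line is the failure seen in the thread: the whitespace an editor inserts between elements is signed content, while the whitespace inside a start tag and the order or quoting of attributes are not.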
