OpenSAML user discussion

["Pantvaidya, Vishwajit" <>]

> -----Original Message-----
> From: Scott Cantor 
> [mailto:]
>
> > [Pantvaidya, Vishwajit] Using OxygenXML, signature verification of the
> > following response failed.
> > Then I tried to verify the assertion signature using Oxygen - since that
> > part worked for me in the opensaml java code. So I removed the outer
> > response and saml status elements, leaving just the assertion. I did not
> > change any content within the assertion element - so this should not
> > invalidate the original signature right? But even the assertion
> signature
> > verification failed with OxygenXML. So is the OxygenXML saml response
> > verification failure meaningful?
>
> It means you changed the XML.
>
> > The saml response I used is posted herewith:
>
> That's pretty printed. There's no way that will work. You understand that
> a
> single additional or missing whitespace character will break the
> signature,
> right?
>
> -- Scott
>
[Pantvaidya, Vishwajit] Yes, I understand - but for some reason I kept on 
believing that only whitespace changes inside xml element data bytes would 
matter. But I guess the whole assertion xml is data which is signed. So even 
non data whitespace such as "<saml:Subject> <saml:NameIdentifier>" will 
matter. Also, CR/LF's added by editors would also figure as changes. I will 
have another go at this Oxygen verification.

Parallely, I have also installed and build a local Shibboleth IdP. I am 
skipping the Apache web server installation and using Tomcat's default http 
server as this is only for testing and my Sp and IdP will be on same machine.

The Shibboleth IdP install doc mentions an SSL cert requirement. For above 
reasons, I don't care about ssl now - do I still need the ssl cert?


- Vish.