mace-opensaml-users list archive (OpenSAML user discussion)

Re: [OpenSAML] error validating signature on SAML2 EncryptedAssertions decrypted with OpenSAML


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] error validating signature on SAML2 EncryptedAssertions decrypted with OpenSAML
  • Date: Wed, 19 Nov 2008 19:57:52 -0500



Scott Cantor wrote:
>> Some cases however require the decrypted Element to exist as part of a
>> Document's tree, e.g. ID resolution.  So the Decrypter has an option to do
>> that.  It's turned off by default, b/c it's expensive relatively speaking
>> and most cases probably don't require.  But signature verification on the
>> decrypted Assertion would.
>
> Why is it expensive? I thought Java had adoptNode implemented.

Yes, it does have adoptNode and that's what we use.  We also have to create a new Document and root the tree in it.  It may not be expensive in nominal terms (not sure, I don't have metrics), but my sense has always been that some of that is expensive.  But it's certainly more expensive in relative terms than doing, well, nothing, which is what you want in many cases.


But like I said in the other message, we could do something vis-a-vis the common SAML case of decrypting signed Assertions.  I think I'd probably lean towards overloaded methods in the SAML Decrypter that take an additional boolean.
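
A worked example of the option discussed in this message, added here as an illustration; it is not code from the list message or from the OpenSAML project. It assumes the OpenSAML 2.x API of the period: the `setRootInNewDocument(boolean)` setter on the SAML 2 `Decrypter`, `SAMLSignatureProfileValidator` and `SignatureValidator`. It also assumes the caller supplies the `EncryptedAssertion`, the SP's decryption credential and the IdP's signing credential, and that the assertion uses an inline `EncryptedKey` for key transport; those are assumptions, not facts stated on the page. The overloaded methods proposed in the last paragraph are a proposal only, so the example uses the existing setter.

```java
// Added example, not from the list message or from OpenSAML itself.
// Assumed: OpenSAML 2.x class names, the setRootInNewDocument option on the
// Decrypter, and an inline <xenc:EncryptedKey> key-transport layout.
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class DecryptAndVerify {

    // decryptionCredential: the SP key pair the EncryptedKey was wrapped for.
    // idpSigningCredential: the IdP signing key taken from trusted metadata.
    public static Assertion decryptAndVerify(EncryptedAssertion encryptedAssertion,
                                             Credential decryptionCredential,
                                             Credential idpSigningCredential)
            throws DecryptionException, ValidationException {

        // No direct data-decryption key (null); the session key is recovered from
        // the inline EncryptedKey using our own credential as the KEK.
        Decrypter decrypter = new Decrypter(
                null,
                new StaticKeyInfoCredentialResolver(decryptionCredential),
                new InlineEncryptedKeyResolver());

        // The point of the thread: by default the decrypted Element is left
        // detached from any Document tree. The ds:Reference URI="#<AssertionID>"
        // inside the Assertion's signature is resolved by walking a Document, so
        // verifying the signature on a detached Element cannot find the signed
        // node. Have the Decrypter adopt the decrypted Element into a fresh
        // Document instead (off by default because of the extra cost).
        decrypter.setRootInNewDocument(true);

        Assertion assertion = decrypter.decrypt(encryptedAssertion);

        Signature signature = assertion.getSignature();
        if (signature == null) {
            throw new ValidationException("decrypted Assertion is not signed");
        }

        // Check the SAML signature profile first (enveloped signature, a single
        // Reference pointing at the Assertion's own ID) before doing any
        // cryptography; this rejects references to other parts of the message.
        new SAMLSignatureProfileValidator().validate(signature);

        // Verify against the IdP's known signing key, never against whatever
        // KeyInfo the message itself carries.
        new SignatureValidator(idpSigningCredential).validate(signature);

        return assertion;
    }
}
```

Leaving `setRootInNewDocument` at its default and then calling `SignatureValidator` on the decrypted Assertion is the failure mode the original poster hit: the signature object is present, but the reference to the Assertion's ID cannot be resolved because the Element is not in a Document tree.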
