OpenSAML user discussion

["Scott Cantor" <>]

Craig Setera wrote on 2009-06-15:
> I've managed to generate a SAML assertion using essentially the same code
> that our partner is using, written directly to the file system (Base64
> encoded).  This assertion fails to validate in OpenSAML (1.1 still) in the
> same way (failed digest).  Is there anything that I can/should look at
that
> might help me see the problem.

Yes, I'd run it through Oxygen directly and see what it's xmlsec verifier
says. The other thing you could try is running it through the samlsign test
program that's part of the 2.x C++ library. If you have a Red Hat machine
handy, you can install that in a couple of minutes.

If it works in something else, then you have a good idea that the problem is
with your code. If not, it's the signing half.

> With this generation in place, I can now access pre and post signed
> assertion XML and the same on the OpenSAML side.

What matters is not post-signing, but post-c14n for digest input. I believe
xmlsec will log that if you ask it to. But you need the digest input on the
signer's end to compare to anything on your side.

-- Scott