
mace-opensaml-users - Re: [OpenSAML] SAML signature validation

Subject: OpenSAML user discussion


Re: [OpenSAML] SAML signature validation


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] SAML signature validation
  • Date: Mon, 23 Nov 2009 16:32:30 -0500



murali mca wrote:

>
> 09-Oct-2009 19:53:11 org.apache.xml.security.signature.Reference verify
> WARNING: Verification failed for URI "#123"
> org.opensaml.xml.validation.ValidationException: Signature did not
> validate against the credential's key
>
>
>

> I am sure I am using correct key for validation.
>


Well, if you're really, really sure you are using the right validation
key, then...



> I have no clue about this error, can someone help me?
>

The most likely possibility is that the signature really is invalid,
due to the signed document being modified sometime after it was signed.
Any change to the document, even whitespace addition (e.g. pretty print
formatting, etc.) will render the signature invalid. This could be
happening on either the signer's end or the verifier's end. If you're
doing both, you should check both sides.

It's also possible there could be a bug or incompatibility somewhere
(esp. if different libraries are being used for the signing
and verification), but you should rule out the invalid signature
possibility first. If you're using OpenSAML for both the signing and
validation, and with the same version of Java, then this is almost
certainly not the case.




> Enabled the "debug" level in logg4j.properties file, but could not see the
> debug statements of the SAML API classes in the output. Any idea how
> can I see the debug messages?
>


OpenSAML doesn't use log4j, at least natively. It uses a logging facade
called slf4j. See here for further info.

https://spaces.internet2.edu/display/OpenSAML/OSTwoUsrManJavaBB

You must have installed and bound some logging framework to slf4j,
otherwise I believe you'd be getting runtime errors. Whatever logging
implementation you bind to slf4j, that's what you should configure.







