
mace-opensaml-users - Re: [OpenSAML] Cannot validate signature

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Cannot validate signature
  • Date: Tue, 09 Feb 2010 20:50:15 -0500



On 2/9/2010 7:49 PM, Guzman Llambias wrote:
> I'm trying to create a signed saml assertion but when I send it to another
> application, an error occurs saying it cannot validate the signature. So,
> maybe I'm missing or have something wrong in my code.
>


Your code looks fine to me as far as the signing goes. If the recipient
says that validation fails, then most likely the signed structure is
getting corrupted sometime after you sign it and before it is validated,
for example in how you are serializing it and sending it, or how the
recipient is deserializing and processing it. So check that first.
Another possibility of course is that there is a bug, esp. on the
validation side.


>
>
>
> System.out.println("Signed AMUserAssertion (SAML 1):\n");
> System.out.println(XMLHelper.prettyPrintXML(element));
>


One common source of validation failures is reformatting (e.g. pretty
printing) of the message after it is signed and before validation. If
the code above is just for your logging/diagnostic purposes, and what
you are actually sending is just the plain serialized Assertion, then
that's fine. If you are capturing that System.out output and
sending/validating that somehow, or if you are otherwise pretty-print
formatting the message you actually send, that's definitely a problem.
Same on the recipient side, if they reformat as a part of deserialization.

--Brent
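
The effect described in the reply above, as an added example that is not part of the original thread or of OpenSAML: canonicalization absorbs attribute order and quoting, but keeps the whitespace text nodes that pretty printing inserts, so the digest covered by the signature stops matching. It assumes Python's standard-library C14N 2.0 and a bare SHA-256 digest as a stand-in for the canonicalize-then-digest step of XML Signature, and the assertion is a constructed sample.

```python
import hashlib
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed sample assertion (not the poster's); no whitespace between elements.
AS_SIGNED = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_a1" Issuer="idp.example.org">'
    '<saml:AuthenticationStatement>'
    '<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion>'
)

# Same infoset, different serialization: attribute order and quote style changed.
REORDERED = AS_SIGNED.replace(
    'AssertionID="_a1" Issuer="idp.example.org"',
    "Issuer='idp.example.org' AssertionID='_a1'",
)


def reference_digest(xml_text):
    """Digest of the canonical form, standing in for a Reference's DigestValue."""
    canonical = ET.canonicalize(xml_text)  # whitespace text nodes are kept
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pretty_print(xml_text):
    """Reindent the document, as a logging or debugging helper would."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")


def digest_matches(received, digest_at_signing):
    """True if the received document still canonicalizes to the signed bytes."""
    return reference_digest(received) == digest_at_signing


if __name__ == "__main__":
    signed = reference_digest(AS_SIGNED)
    for label, doc in [("as sent", AS_SIGNED), ("attributes reordered", REORDERED),
                       ("pretty-printed", pretty_print(AS_SIGNED))]:
        print(f"{label:22} digest matches: {digest_matches(doc, signed)}")
```

Running the same comparison on the bytes captured at the sender and at the recipient shows which hop reformatted the message.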




