mace-opensaml-users - Re: [OpenSAML] Cannot validate signature

Subject: OpenSAML user discussion


Re: [OpenSAML] Cannot validate signature


  • From: Guzman Llambias <>
  • To:
  • Subject: Re: [OpenSAML] Cannot validate signature
  • Date: Fri, 12 Feb 2010 15:09:55 -0200 (UYST)

Thanks for the answer, Brent! Unfortunately, it wasn't caused by the pretty
printing...

Something I found strange is that when I serialize it to a file, the SAML
looks like this. Is this OK? Shouldn't it be in one line?

Thanks again!
Guzman

<?xml version="1.0" encoding="UTF-8"?><saml1:Assertion
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_6a44ae30d9a7ea65cc313ec28d70a7f4"
IssueInstant="2010-02-12T17:08:12.328Z" Issuer="Agesic" MajorVersion="1"
MinorVersion="0"><saml1:Conditions NotBefore="2010-02-12T17:08:12.203Z"
NotOnOrAfter="2010-02-12T19:08:12.203Z"/><saml1:AuthenticationStatement
AuthenticationInstant="2010-02-12T17:08:12.140Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Doctor</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Doctor</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
AttributeName="User" AttributeNamespace="urn:nac"><saml1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Juan</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_6a44ae30d9a7ea65cc313ec28d70a7f4">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml1 xs
xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>4Jz3RwGDb3agfz9JjIxFg81UrWM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
vT328LzyyHOj6w6vm5Ul6joTPcOrhGlElFP1h5wOVW/a1ZnR/nJMj2F9HG/PubFFc+ILEQEV2ICn
r3uSv7IYvSQ/k9E3FUQ3Jp8bmEjnkgUicyajTQI6pF4qCEqGEz9FlsubxSHz3z+f5TQFQRHF6iql
MgLrLXKwnVHNMqvrSw4=
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEZjCCA06gAwIBAgIKc6CfxQAAAAAABzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpIR1Rp...=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml1:Assertion>


----- Original message -----
From: "Brent Putman"
<>
To:

Sent: Tuesday, 9 February 2010 23:50:15 GMT -03:00 Montevideo
Subject: Re: [OpenSAML] Cannot validate signature



On 2/9/2010 7:49 PM, Guzman Llambias wrote:
> I'm trying to create a signed saml assertion but when I send it to another
> application, an error occurs saying it cannot validate the signature. So,
> maybe I'm missing or have something wrong in my code.
>


Your code looks fine to me as far as the signing goes. If the recipient
says that validation fails, then most likely the signed structure is
getting corrupted sometime after you sign it and before it is validated,
for example in how you are serializing it and sending it, or how the
recipient is deserializing and processing it. So check that first.
Another possibility of course is that there is a bug, esp. on the
validation side.


>
>
>
> System.out.println("Signed AMUserAssertion (SAML
> 1):\n");
> System.out.println(XMLHelper.prettyPrintXML(element));
>


One common source of validation failures is reformatting (e.g. pretty
printing) of the message after it is signed and before validation. If
the code above is just for your logging/diagnostic purposes, and what
you are actually sending is just the plain serialized Assertion, then
that's fine. If you are capturing that System.out output and
sending/validating that somehow, or if you are otherwise pretty-print
formatting the message you actually send, that's definitely a problem.
Same on the recipient side, if they reformat as a part of deserialization.

--Brent
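The following is an added example, not code from this thread or from OpenSAML, of the failure mode Brent describes. It models the `<ds:Reference>` step of an enveloped XML Signature: the signed element is canonicalised with the `ds:Signature` subtree dropped (what the enveloped-signature transform does), then hashed; the resulting digest is what `<ds:DigestValue>` carries, so any change to the canonical bytes between signing and validation makes validation fail. Assumptions: Python's standard-library C14N 2.0 writer (`xml.etree.ElementTree.canonicalize`) stands in for the exclusive C14N 1.0 used in the thread; the sample assertion is constructed in the shape of the one Guzman posted, with placeholder digest and signature values. It shows three outcomes: an untouched assertion keeps its digest, a pretty-printed copy (as `XMLHelper.prettyPrintXML` output would be) does not, and a copy that was parsed and re-serialised through a DOM that renames namespace prefixes does not either. Because the `ds:Signature` subtree is excluded from the reference digest, the newlines inside the signature in Guzman's serialisation do not enter that digest at all.

```python
"""Why reformatting a signed SAML assertion breaks its signature.

Added example (not OpenSAML code). Python's stdlib C14N 2.0 writer is
used as a stand-in for exclusive C14N 1.0; the ds:Signature subtree is
excluded from the reference digest as the enveloped-signature transform
requires.
"""
import base64
import hashlib
from xml.dom import minidom
from xml.etree import ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample in the shape of the assertion posted in the thread.
# DigestValue/SignatureValue are placeholders: only the reference digest
# over the assertion is computed below, never the RSA signature itself.
SIGNED_ASSERTION = (
    '<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' AssertionID="_example" IssueInstant="2010-02-12T17:08:12.328Z"'
    ' Issuer="Agesic" MajorVersion="1" MinorVersion="0">'
    '<saml1:Conditions NotBefore="2010-02-12T17:08:12.203Z"'
    ' NotOnOrAfter="2010-02-12T19:08:12.203Z"/>'
    '<saml1:AttributeStatement>'
    '<saml1:Subject><saml1:NameIdentifier'
    ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'Doctor</saml1:NameIdentifier></saml1:Subject>'
    '<saml1:Attribute AttributeName="User" AttributeNamespace="urn:nac">'
    '<saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:type="xs:string">Juan</saml1:AttributeValue>'
    '</saml1:Attribute></saml1:AttributeStatement>'
    # Newlines inside ds:Signature, as in the posted serialisation.
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    '<ds:SignedInfo>\n'
    '<ds:Reference URI="#_example">'
    '<ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>\n'
    '</ds:SignedInfo>\n'
    '<ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>\n'
    '</ds:Signature></saml1:Assertion>'
)


def reference_digest(xml_text: str) -> str:
    """Base64 SHA-1 over the canonical form of the assertion with the
    enveloped ds:Signature removed, i.e. what <ds:DigestValue> covers."""
    canonical = ET.canonicalize(
        xml_text,
        strip_text=False,  # whitespace text nodes are part of what is signed
        exclude_tags=[f"{{{DSIG_NS}}}Signature"],  # enveloped-signature transform
    )
    digest = hashlib.sha1(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def pretty_print(xml_text: str) -> str:
    """What a pretty-printing logger or transport step does: inserts
    indentation text nodes between elements."""
    return minidom.parseString(xml_text).toprettyxml(indent="  ")


def reserialize_with_new_prefixes(xml_text: str) -> str:
    """A recipient-side 'parse, then serialise again' step through a DOM
    that does not preserve namespace prefixes (ElementTree renames saml1
    to ns0 and hoists declarations to the root). Canonical XML keeps the
    prefixes, so the canonical bytes change."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def validation_outcome(sent: str, received: str) -> bool:
    """True iff the digest computed at signing time still matches on
    receipt; False is the 'cannot validate signature' case."""
    return reference_digest(sent) == reference_digest(received)


if __name__ == "__main__":
    original = SIGNED_ASSERTION
    print("untouched      :", validation_outcome(original, original))
    print("pretty-printed :", validation_outcome(original, pretty_print(original)))
    print("re-serialised  :", validation_outcome(original, reserialize_with_new_prefixes(original)))
```

The third case is the one to check on the recipient side when pretty-printing has been ruled out: a DOM round-trip that rewrites prefixes changes the canonical form even though the document is semantically identical. It is also why the `InclusiveNamespaces PrefixList="ds saml1 xs xsi"` appears in the posted signature: `xs:string` is a prefix reference inside an attribute value that exclusive C14N would otherwise not see, so the signer pins those declarations into the canonical form.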




