mace-opensaml-users - Re: [OpenSAML] Cannot validate signature
Subject: OpenSAML user discussion
List archive
- From: Guzman Llambias <>
- To:
- Subject: Re: [OpenSAML] Cannot validate signature
- Date: Fri, 12 Feb 2010 15:09:55 -0200 (UYST)
Thanks for the answer, Brent! Unfortunately, It wasn't cause of the pretty
printing...
Something I found strange is that when I serialize it to a file, the saml is
like this one. Is this ok? Shouldn't be in one line?
Thanks again!
Guzman
<?xml version="1.0" encoding="UTF-8"?><saml1:Assertion
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_6a44ae30d9a7ea65cc313ec28d70a7f4"
IssueInstant="2010-02-12T17:08:12.328Z" Issuer="Agesic" MajorVersion="1"
MinorVersion="0"><saml1:Conditions NotBefore="2010-02-12T17:08:12.203Z"
NotOnOrAfter="2010-02-12T19:08:12.203Z"/><saml1:AuthenticationStatement
AuthenticationInstant="2010-02-12T17:08:12.140Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Doctor</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Doctor</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute
AttributeName="User" AttributeNamespace="urn:nac"><saml1:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">Juan</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_6a44ae30d9a7ea65cc313ec28d70a7f4">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml1 xs
xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>4Jz3RwGDb3agfz9JjIxFg81UrWM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
vT328LzyyHOj6w6vm5Ul6joTPcOrhGlElFP1h5wOVW/a1ZnR/nJMj2F9HG/PubFFc+ILEQEV2ICn
r3uSv7IYvSQ/k9E3FUQ3Jp8bmEjnkgUicyajTQI6pF4qCEqGEz9FlsubxSHz3z+f5TQFQRHF6iql
MgLrLXKwnVHNMqvrSw4=
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEZjCCA06gAwIBAgIKc6CfxQAAAAAABzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpIR1Rp
dm9saUNBMB4XDTEwMDIwNDE1NTg1OVoXDTExMDIwNDE2MDg1OVowgZUxCzAJBgNVBAYTAlVZMRMw
EQYDVQQIEwpNb250ZXZpZGVvMRMwEQYDVQQHEwpNb250ZXZpZGVvMQ8wDQYDVQQKEwZBR0VTSUMx
EzARBgNVBAsTCk1vbnRldmlkZW8xFDASBgNVBAMMC3Rlc3RfYWdlc2ljMSAwHgYJKoZIhvcNAQkB
FhFzb3BvcnRlQGhnLmNvbS51eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzUmqsDlV9IVA
rwLP5UspvgghMfa26ToSPPBW1t/Ms5bDHuz2JddxlhxxtyA7UmS+EV1XnzOe08YPMaaDafnUZxgw
CAVihBKNtvR/hbTkXmnJBYe+QE457v2bi30qfPca85LvPn28+BUV8M/gPbogJWuENgLwuv06lHTK
EsTSXo8CAwEAAaOCAbkwggG1MA4GA1UdDwEB/wQEAwIE8DBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqG
SIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYE
FJRkGtelQtewyzB9tLsXUHRx936tMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFHe9
TCSHdS1t+qekHJJe/3Sanug6MGsGA1UdHwRkMGIwYKBeoFyGK2h0dHA6Ly9oZ3Rpdm9saWNhL0Nl
cnRFbnJvbGwvSEdUaXZvbGlDQS5jcmyGLWZpbGU6Ly9cXGhndGl2b2xpY2FcQ2VydEVucm9sbFxI
R1Rpdm9saUNBLmNybDCBmgYIKwYBBQUHAQEEgY0wgYowQgYIKwYBBQUHMAKGNmh0dHA6Ly9oZ3Rp
dm9saWNhL0NlcnRFbnJvbGwvaGd0aXZvbGljYV9IR1Rpdm9saUNBLmNydDBEBggrBgEFBQcwAoY4
ZmlsZTovL1xcaGd0aXZvbGljYVxDZXJ0RW5yb2xsXGhndGl2b2xpY2FfSEdUaXZvbGlDQS5jcnQw
DQYJKoZIhvcNAQEFBQADggEBAIoWS9snbE5tRdGAeJSow9eVAQjCTeiTRVMvxnBDyG065rzQ6qp3
XdZ7dsvoXNWcXmyUnY0WYUAs0g8H78Fd1KlHnxnxoIMeg+7VqAFRbsaZ80qV/LJ5HLHYy5iS1c9d
ieYRazMVkw5GzhQ5jsORYspevsp2l82/XqRE1eu+hUdQsErm1ZbX6+L2Wp55KGV6PM+TGu4hhDwE
B8UZZvHHfrWD8AKURv2BRihE1YjX2CAfAWFL2XWjWt7ofoe72Gip0BuDbsPvQDgUxiFOWL8/oAPs
4dm9CucJ2JgYoLCEdVZ3sywgu1JwlnCpJU2BDENocYSV6X30Xnc8yNY9Tev8oF4=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml1:Assertion>
----- Mensaje original -----
De: "Brent Putman"
<>
Para:
Enviados: Martes, 9 de Febrero 2010 23:50:15 GMT -03:00 Montevideo
Asunto: Re: [OpenSAML] Cannot validate signature
On 2/9/2010 7:49 PM, Guzman Llambias wrote:
> I'm trying to create a signed saml assertion but when I send it to another
> application, an error occurs saying it cannot validate the signature. So,
> maybe I'm missing or have something wrong in my code. 0
>
Your code looks fine to me as far as the signing goes. If the recipient
says that validation fails, then most likely the signed structure is
getting corrupted sometime after you sign it and before it is validated,
for example in how you are serializing it and sending it, or how the
recipient is deserializing and processing it. So check that first.
Another possibility of course is that there is a bug, esp. on the
validation side.
>
>
>
> System.out.println("Signed AMUserAssertion (SAML
> 1):\n");
> System.out.println(XMLHelper.prettyPrintXML(element));
>
One common source of validation failures is reformatting (e.g. pretty
printing) of the message after it is signed and before validation. If
the code above is just for your logging/diagnostic purposes, and what
you are actually sending is just the plain serialized Assertion, then
that's fine. If you are capturing that System.out output and
sending/validating that somehow, or if you are otherwise pretty-print
formatting the message you actual send, that's definitely a problem.
Same on the recipient side, if they reformat as a part of deserialization.
--Brent
- Re: [OpenSAML] Cannot validate signature, Guzman Llambias, 02/12/2010
- RE: [OpenSAML] Cannot validate signature, Scott Cantor, 02/12/2010
- <Possible follow-up(s)>
- Re: [OpenSAML] Cannot validate signature, Guzman Llambias, 02/12/2010
- RE: [OpenSAML] Cannot validate signature, Scott Cantor, 02/12/2010
- Re: [OpenSAML] Cannot validate signature, Guzman Llambias, 02/12/2010
- RE: [OpenSAML] Cannot validate signature, Scott Cantor, 02/12/2010
- Remove <?xml version="1.0" encoding="UTF-8"?>, Guzman Llambias, 02/24/2010
- Re: [OpenSAML] Remove <?xml version="1.0" encoding="UTF-8"?>, Chad La Joie, 02/24/2010
- Remove <?xml version="1.0" encoding="UTF-8"?>, Guzman Llambias, 02/24/2010
- RE: [OpenSAML] Cannot validate signature, Scott Cantor, 02/12/2010
- Re: [OpenSAML] Cannot validate signature, Guzman Llambias, 02/12/2010
- RE: [OpenSAML] Cannot validate signature, Scott Cantor, 02/12/2010
Archive powered by MHonArc 2.6.16.