mace-opensaml-users - [OpenSAML] How to create a Signed SAML response with default namespace on the root element of each subtree to eliminate the namespace prefix.

Subject: OpenSAML user discussion

  • From: Sunil Parolia <>
  • To: "" <>
  • Subject: [OpenSAML] How to create a Signed SAML response with default namespace on the root element of each subtree to eliminate the namespace prefix.
  • Date: Sun, 27 Jun 2010 02:07:28 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

Hi,
 
I want to create a signed SAML response (the whole SAML response signed) with a default namespace on the root element of each subtree, so I can use that default namespace on those elements to eliminate the namespace prefix. We are using OpenSAML 2.2.3 for creating the response and signing.
 
As the relying party is using a .NET client to verify the response, it's always failing. After lots of googling we found that there is a known issue with the 1.1 .NET framework (http://support.microsoft.com/kb/888999) where it is not able to successfully verify the signature.
 
The sample response it is able to verify is:
 
<?xml version="1.0" encoding="utf-8"?>
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="x" IssueInstant="x" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>xx</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>cxx</SignatureValue>
  </Signature>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="x" IssueInstant="x" Version="2.0">
    <Issuer>fasdfsdfads</Issuer>
    <!-- other elements -->
  </Assertion>
</Response>
 
But it is not able to verify this:
 
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="xx" ID="_xx" <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#_d00b4cd15053788ba153e1cf2ef72f7e" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">x</ds:SignatureValue>
</ds:Signature>
 
Any help is highly appreciated. I'm unable to find out the reason for the failure.
 
Thanks,
Sunil P
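The two responses above differ in more than prefixes, and when a verifier rejects one signature profile and accepts another, the first thing to compare is the SignedInfo: canonicalization algorithm, Reference URI, the transform chain and how namespaces are declared. The stdlib script below is an added example (not code from the post or from OpenSAML) that extracts exactly those properties from both forms so the differences can be read off instead of guessed. The two inputs are constructed from the samples in the post: the accepted form keeps only a minimal Status, and the rejected form is given a placeholder ID and a closing `</samlp:Response>` tag (the post's copy is truncated) so it parses.

```python
"""Compare the XML-DSig profile of two SAML responses using only the standard library."""
import xml.dom.minidom as minidom

DSIG = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Constructed sample: the form the .NET verifier accepted (default namespaces, URI="").
ACCEPTED = """<?xml version="1.0" encoding="utf-8"?>
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="x" IssueInstant="x" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>xx</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>cxx</SignatureValue>
  </Signature>
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>
</Response>"""

# Constructed sample modelled on the rejected form: prefixed elements, xmlns:ds re-declared
# on every element, exclusive C14N with a PrefixList, Reference by #ID. The ID value is a
# placeholder and the closing Response tag was added so the document is well-formed.
REJECTED = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_placeholder">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#_placeholder" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">x</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">x</ds:SignatureValue>
</ds:Signature>
</samlp:Response>"""


def _first(node, ns, local):
    """Return the first descendant element with the given namespace/local name, or None."""
    found = node.getElementsByTagNameNS(ns, local)
    return found[0] if found else None


def signature_profile(xml_text):
    """Summarise the properties of the ds:Signature that drive verifier behaviour."""
    doc = minidom.parseString(xml_text.encode("utf-8"))
    sig = _first(doc, DSIG, "Signature")
    ref = _first(sig, DSIG, "Reference")
    inclusive = _first(ref, EXC_C14N, "InclusiveNamespaces")
    # Every descendant of ds:Signature that re-declares xmlns:ds is redundant: the prefix
    # is already in scope from the Signature element itself.
    redundant = sum(
        1 for el in sig.getElementsByTagNameNS("*", "*") if el.hasAttribute("xmlns:ds")
    )
    return {
        "prefix": sig.prefix or "",  # "" means the dsig namespace is the default namespace
        "c14n": _first(sig, DSIG, "CanonicalizationMethod").getAttribute("Algorithm"),
        "reference_uri": ref.getAttribute("URI"),  # "" = whole document, "#id" = by ID
        "transforms": [t.getAttribute("Algorithm") for t in ref.getElementsByTagNameNS(DSIG, "Transform")],
        "prefix_list": inclusive.getAttribute("PrefixList").split() if inclusive else [],
        "redundant_ns_decls": redundant,
    }


def profile_differences(a_xml, b_xml):
    """Return {property: (value_in_a, value_in_b)} for every property that differs."""
    a, b = signature_profile(a_xml), signature_profile(b_xml)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for key, (accepted, rejected) in profile_differences(ACCEPTED, REJECTED).items():
        print(f"{key}: accepted={accepted!r} rejected={rejected!r}")
```

Run as a script it prints one line per differing property. The point for a practitioner is that the rejected response is not merely "the same signature with prefixes": it also switches the reference from the whole document (`URI=""`) to an ID reference, adds an exclusive-C14N transform with an `InclusiveNamespaces` PrefixList, and re-declares `xmlns:ds` on ten descendant elements. Each of those is an independent interop variable, so when reproducing a verifier failure change one at a time and re-test rather than only stripping prefixes.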
 