
mace-opensaml-users - RE: [OpenSAML] Signature validation


RE: [OpenSAML] Signature validation


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [OpenSAML] Signature validation
  • Date: Tue, 17 Aug 2010 10:15:59 -0400
  • Organization: The Ohio State University

> I've got a SAML response which has a signed Assertion in it, and the
> corresponding SAML2 metadata containing the X509 certificate for the public
> key.

You can use a TrustEngine for that, either directly or via the
SecurityPolicy code in OpenSAML. See the XMLSignature policy rule for an
example of that.

> I've written code that attempts to verify the signature in the Assertion
> with the public key taken from the metadata, here's a snippet:

Looks ok to me.

> As far as I know, the public key from the metadata and the signature are
> correct and correspond to each other, but they are generated by a 3rd party
> product, so I can't be absolutely sure.
>
> Any idea how to go about debugging this?

https://spaces.internet2.edu/display/SHIB2/Troubleshooting+Signatures

The unreleased version of xml-security (trunk) contains a feature to do
logging of digest and SignedInfo octets during signing or verification via
an environment variable.

If your message contains a KeyInfo itself, my suggestion, given that your
code looks ok, is to cut the metadata out of it for the moment, and try
resolving the KeyInfo of the Signature into a credential and try that. If
that fails, it's probably a problem in the XML.

-- Scott
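The debugging split Scott describes above (verify with the metadata key; if that fails, resolve the Signature's own KeyInfo into a credential and retry, so that a key mismatch can be told apart from broken XML), written out as an added example against the OpenSAML 2.x Java API. This is not code from the thread or from the OpenSAML project; the class name, the two file-path arguments, the helper methods `credentialFromCert` and `verifies`, and the choice to read the IdP certificate from a file rather than from a metadata provider are all assumptions made for the example.

```java
// Added example (not from the mailing-list thread or the OpenSAML project):
// localize why an OpenSAML 2.x (Java) SignatureValidator rejects a signed SAML 2 Assertion.
// Assumptions: OpenSAML 2.x Java API; class name, argument layout and helper names are hypothetical.
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilderFactory;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class AssertionSignatureDebug {

    public static void main(String[] args) throws Exception {
        String responsePath = args[0]; // file holding the samlp:Response (hypothetical input)
        String certPath = args[1];     // X.509 cert (PEM or DER) copied out of the IdP metadata

        DefaultBootstrap.bootstrap();

        // 1. Parse namespace-aware. A non-namespace-aware DOM breaks canonicalization,
        //    and then every signature fails regardless of which key is used.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(responsePath));
        Element root = doc.getDocumentElement();
        Response response = (Response) Configuration.getUnmarshallerFactory()
                .getUnmarshaller(root).unmarshall(root);
        Assertion assertion = response.getAssertions().get(0);
        Signature sig = assertion.getSignature();
        if (sig == null) {
            throw new IllegalStateException("Assertion is not signed");
        }

        // 2. SAML signature profile check: one enveloped Reference pointing at the
        //    Assertion's own ID. A failure here is an XML/profile problem, not a key problem.
        new SAMLSignatureProfileValidator().validate(sig);

        // 3. Verify with the key we actually trust: the certificate from metadata.
        Credential metadataCred = credentialFromCert(certPath);
        if (verifies(sig, metadataCred)) {
            System.out.println("OK: signature verifies with the metadata certificate");
            return;
        }

        // 4. Diagnostic only: resolve the Signature's own KeyInfo into a credential and retry.
        //    A real verifier must never trust this key; it is used here only to localize the fault.
        if (sig.getKeyInfo() == null) {
            System.out.println("FAIL with metadata key; the Signature carries no KeyInfo to compare against");
            return;
        }
        KeyInfoCredentialResolver kiResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        Credential inlineCred =
                kiResolver.resolveSingle(new CriteriaSet(new KeyInfoCriteria(sig.getKeyInfo())));
        if (inlineCred == null) {
            System.out.println("FAIL with metadata key; KeyInfo did not resolve to a usable credential");
        } else if (verifies(sig, inlineCred)) {
            System.out.println("FAIL with metadata key, OK with inline KeyInfo: "
                    + "the signer used a key other than the one published in metadata");
            if (inlineCred instanceof X509Credential) {
                X509Certificate inline = ((X509Credential) inlineCred).getEntityCertificate();
                System.out.println("  inline cert subject: " + inline.getSubjectX500Principal());
            }
        } else {
            System.out.println("FAIL with both keys: the signed XML itself is probably broken "
                    + "(whitespace, namespace or encoding changes after signing)");
        }
    }

    // Build an OpenSAML credential from a certificate file (PEM or DER both work with this factory).
    static Credential credentialFromCert(String path) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(path));
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(cert);
        cred.setPublicKey(cert.getPublicKey());
        return cred;
    }

    // SignatureValidator signals failure by throwing; wrap it so both attempts can be compared.
    static boolean verifies(Signature sig, Credential cred) {
        try {
            new SignatureValidator(cred).validate(sig);
            return true;
        } catch (ValidationException e) {
            System.out.println("  validation error: " + e.getMessage());
            return false;
        }
    }
}
```

Run it as `java AssertionSignatureDebug response.xml idp-signing.pem` (file names are placeholders). The "OK with inline KeyInfo" branch is the case the original poster worried about: a third-party product signing with a key that differs from the one in the metadata it publishes. The "FAIL with both keys" branch points at the document rather than the key; the usual culprits are a non-namespace-aware parse or any re-serialization of the Assertion between signing and verification. In production the step-3 credential should come from a TrustEngine fed by a metadata provider, as the reply recommends, rather than from a certificate file, and step 4 should not exist at all.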




