
mace-opensaml-users - RE: [OpenSAML] Signature validation

Subject: OpenSAML user discussion


RE: [OpenSAML] Signature validation


  • From: Chris Card <>
  • To: <>
  • Subject: RE: [OpenSAML] Signature validation
  • Date: Tue, 17 Aug 2010 14:36:20 +0000
  • Importance: Normal


>
> > I've got a SAML response which has a signed Assertion in it, and the
> > corresponding SAML2 metadata containing the X509 certificate for the
> > public key.
>
> You can use a TrustEngine for that, either directly or via the
> SecurityPolicy code in OpenSAML. See the XMLSignature policy rule for an
> example of that.
Thanks, I'll take a look.


> > Any idea how to go about debugging this?
>
> https://spaces.internet2.edu/display/SHIB2/Troubleshooting+Signatures
>
> The unreleased version of xml-security (trunk) contains a feature to do
> logging of digest and SignedInfo octets during signing or verification via
> an environment variable.
I did try building the currently released version of xml-security-c (1.0.0 I think), but it wouldn't compile for me on Fedora 13 64-bit.
Maybe the trunk is better.

>
> If your message contains a KeyInfo itself, my suggestion, given that your
> code looks ok, is to cut the metadata out of it for the moment, and try
> resolving the KeyInfo of the Signature into a credential and try that. If
> that fails, it's probably a problem in the XML.

I did look at getting the KeyInfo from the message (it is there in the XML), but I couldn't see how to do it. Signature::getKeyInfo() doesn't appear to be the right way to get the KeyInfo from the Signature according to the comments in the Signature.h header file. The only thing I could see was getXMLSignature() which looked too low-level.

Chris
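The two diagnostic ideas in the quoted advice (log the digest and SignedInfo octets so you can see which stage of verification breaks, and temporarily resolve the Signature's own KeyInfo instead of going through metadata) can be shown on a small model. The following is an added example, not code from this thread or from OpenSAML/xml-security-c: it uses only the Python standard library, with HMAC-SHA256 standing in for RSA, whitespace collapsing standing in for exclusive canonicalization, and a KeyInfo that carries only a KeyName. The names `KEYSTORE`, `METADATA`, `sign`, `resolve_credential`, `verify` and `demo` are all assumptions of this example. It separates the three ways a signature check can fail (unresolvable key, bad SignatureValue, bad Reference digest) and shows why a KeyInfo-only check is a debugging aid rather than a trust decision: a message signed with a key the verifier happens to hold but the issuer never published passes KeyInfo resolution and is only rejected by the metadata-backed trust engine.

```python
# Added example: stdlib-only model of staged XML-signature verification.
# HMAC stands in for RSA, whitespace collapsing for exclusive C14N, and
# KeyInfo carries a KeyName only. All keys and URLs below are constructed.
import hashlib
import hmac
import logging

log = logging.getLogger("sigdebug")

# Every key this verifier possesses (constructed). "other-party-key" is a key
# we hold for some other reason; the IdP never published it in its metadata.
KEYSTORE = {
    "idp-signing-2010": b"constructed-idp-signing-key",
    "other-party-key": b"constructed-other-party-key",
}

# Constructed SAML2 metadata view: issuer entityID -> key names it published.
# A real trust engine holds the X509 certificates from the metadata instead.
METADATA = {"https://idp.example.org/idp": {"idp-signing-2010"}}


def c14n(xml: str) -> bytes:
    """Stand-in for exclusive canonicalization: collapse whitespace runs."""
    return " ".join(xml.split()).encode()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(assertion: str, issuer: str, key_name: str, key: bytes) -> dict:
    """Reference digest over the assertion, SignatureValue over SignedInfo."""
    d = digest(c14n(assertion))
    signed_info = f"<SignedInfo><Reference><DigestValue>{d}</DigestValue></Reference></SignedInfo>"
    sig = hmac.new(key, c14n(signed_info), hashlib.sha256).hexdigest()
    # Same octets the xml-security logging feature would show at signing time.
    log.debug("sign: digest=%s signedinfo=%r", d, c14n(signed_info))
    return {"Issuer": issuer, "Assertion": assertion, "SignedInfo": signed_info,
            "SignatureValue": sig, "KeyInfo": {"KeyName": key_name}}


def resolve_credential(msg: dict, trusted_only: bool):
    """Turn KeyInfo into a key. With trusted_only, behave like a trust engine:
    only keys the Issuer published in metadata are acceptable."""
    name = msg["KeyInfo"]["KeyName"]
    key = KEYSTORE.get(name)
    if key is None:
        return None, "key"            # KeyInfo names nothing we can resolve
    if trusted_only and name not in METADATA.get(msg["Issuer"], set()):
        return None, "untrusted"      # resolvable, but not the issuer's key
    return key, None


def verify(msg: dict, trusted_only: bool = True) -> str:
    """Return 'ok' or the first failing stage: 'key', 'untrusted',
    'signature' (wrong key / altered SignedInfo) or 'digest' (altered or
    differently canonicalized content)."""
    key, err = resolve_credential(msg, trusted_only)
    if err:
        return err
    si = c14n(msg["SignedInfo"])
    expected = hmac.new(key, si, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["SignatureValue"]):
        return "signature"
    d = digest(c14n(msg["Assertion"]))
    # Compare these octets against the signer's log to localize a mismatch.
    log.debug("verify: digest=%s signedinfo=%r", d, si)
    if f"<DigestValue>{d}</DigestValue>" not in msg["SignedInfo"]:
        return "digest"
    return "ok"


def demo() -> dict:
    """Run the failure classes the thread discusses; returns stage per case."""
    issuer = "https://idp.example.org/idp"
    assertion = '<Assertion ID="_1">\n  <Subject>alice</Subject>\n</Assertion>'
    good = sign(assertion, issuer, "idp-signing-2010", KEYSTORE["idp-signing-2010"])
    tampered = dict(good, Assertion=good["Assertion"].replace("alice", "admin"))
    rogue = sign(assertion, issuer, "other-party-key", KEYSTORE["other-party-key"])
    wrong_key = dict(good, SignatureValue=hmac.new(
        b"constructed-wrong-key", c14n(good["SignedInfo"]), hashlib.sha256).hexdigest())
    return {
        "good": verify(good),
        "tampered": verify(tampered),
        "rogue_keyinfo_only": verify(rogue, trusted_only=False),
        "rogue_trust_engine": verify(rogue),
        "wrong_key": verify(wrong_key),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running it with DEBUG logging prints the digest and canonicalized SignedInfo at both signing and verification, which is the comparison the quoted xml-security trunk feature is for: if the two digests differ the content or canonicalization is the problem; if they match but the SignatureValue does not, the key is the problem. The `rogue_keyinfo_only` case passes while `rogue_trust_engine` returns `untrusted`, which is why resolving the message's own KeyInfo is only a temporary debugging step and the production check must go through the metadata-backed TrustEngine.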
