
mace-opensaml-users - Re: [OpenSAML] Reconstructing Signature Object during HTTP Redirect Binding

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Reconstructing Signature Object during HTTP Redirect Binding
  • Date: Tue, 07 Sep 2010 18:31:34 -0400



On 9/5/10 5:16 AM, rangeli nepal wrote:
> Good Morning Everybody,
>
> I have a system where I can receive AuthnRequest on Http Redirect
> Binding and use SAML2HTTPRedirectDeflateSignatureRule to validate the
> signature blob.


So you're talking about the simple raw/blob signature over the protocol
message here, right? Per that binding, the AuthnRequest can't have an
XML signature, so I'll assume that's what you are talking about.


>
> I was going through
>
> https://spaces.internet2.edu/display/OpenSAML/OSTwoUserManJavaDSIG
>
> Reading the last example I realize my approach might have one problem
> i.e. I am not validating the profile of the signature.


All of the examples there are for XML Signatures, for which SAML has a
profile. That's what the signature profile validator checks, to confirm
correctness and conformance, and also to prevent certain kinds of DoS
attacks against the recipient.

The simple raw/blob signature used in the HTTP-Redirect DEFLATE binding
doesn't have any such profile, so what you see on the wiki really isn't
relevant.


> However in order
> to validate the signature
> in the HTTP Redirect binding case I need authnRequest, signature and
> SigAlg.
>
> I am not sure how I can rebuild Signature Object from wire?


The simple blob signatures are not calculated using a Signature
XMLObject, that's only for XML signatures. You can't create a Signature
object from the HTTP-Redirect DEFLATE binding simple raw signature, nor
do you need to. It's not relevant.
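
The raw signature check described in this reply, as an added example that is not part of the original message and not OpenSAML code: it verifies the HTTP-Redirect DEFLATE simple signature with only JDK classes, over the still-encoded query string values in the order the binding signs them (SAMLRequest, optional RelayState, SigAlg). The class name, the `verify` helper, the throwaway key and the placeholder request value are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class RedirectSimpleSignatureDemo {
    // SigAlg URI -> JCA algorithm name; any other URI is rejected.
    static final Map<String, String> ALGS = Map.of(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA1withRSA",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "SHA256withRSA");
    // Hypothetical helper: checks the blob signature over the raw query string as received.
    static boolean verify(String rawQuery, PublicKey key) throws GeneralSecurityException {
        Map<String, String> raw = new HashMap<>();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            // A malformed or repeated parameter makes the signed content ambiguous: reject.
            if (eq < 1 || raw.put(pair.substring(0, eq), pair.substring(eq + 1)) != null) return false;
        }
        String sig = raw.get("Signature"), alg = raw.get("SigAlg"), msg = raw.get("SAMLRequest");
        if (sig == null || alg == null || msg == null) return false;
        String jca = ALGS.get(URLDecoder.decode(alg, StandardCharsets.UTF_8));
        if (jca == null) return false;
        // Signed octets: SAMLRequest, optional RelayState, SigAlg, in that order,
        // using the still-encoded values from the wire (never decode and re-encode them).
        StringBuilder signed = new StringBuilder("SAMLRequest=").append(msg);
        if (raw.containsKey("RelayState")) signed.append("&RelayState=").append(raw.get("RelayState"));
        signed.append("&SigAlg=").append(alg);
        Signature v = Signature.getInstance(jca);
        v.initVerify(key);
        v.update(signed.toString().getBytes(StandardCharsets.UTF_8));
        try {
            return v.verify(Base64.getDecoder().decode(URLDecoder.decode(sig, StandardCharsets.UTF_8)));
        } catch (IllegalArgumentException | SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway demo key
        String alg = URLEncoder.encode("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", StandardCharsets.UTF_8);
        // Constructed sample: a placeholder stands in for the deflated, base64, URL-encoded AuthnRequest.
        String signed = "SAMLRequest=PLACEHOLDER_ENCODED_REQUEST&RelayState=demo&SigAlg=" + alg;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(signed.getBytes(StandardCharsets.UTF_8));
        String sigParam = URLEncoder.encode(Base64.getEncoder().encodeToString(s.sign()), StandardCharsets.UTF_8);
        System.out.println(verify(signed + "&Signature=" + sigParam, kp.getPublic())); // untampered query
        System.out.println(verify(signed.replace("demo", "changed") + "&Signature=" + sigParam, kp.getPublic())); // RelayState altered after signing
    }
}
```

No Signature XMLObject appears anywhere: the only inputs are the query string and the sender's public key, which in a real deployment comes from trusted metadata for the issuer rather than from the request.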



