
mace-opensaml-users - [OpenSAML] Odd decryption/signature interaction

Subject: OpenSAML user discussion


[OpenSAML] Odd decryption/signature interaction


  • From: Nick Newman <>
  • To:
  • Subject: [OpenSAML] Odd decryption/signature interaction
  • Date: Tue, 28 Sep 2010 16:24:24 -0600
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=OgXV5FP+BqJV3UK61OJrbDs5b31Eb/yS1fVacCvtjsEjWU0c2EeNJZ8i4ZiB+tcHV3 RRY/M0U9L4bR0voPIpOZoGa2PUf5zxcpWA1w2x7XZUDh7os9jmJDEIWroFiYmwCapARX ea9mr8JZYQYlnMqD/duFtAa/ll5nbBwrJUUgg=

Hi,

I apologise in advance for yet another thread on this topic, but it
seems to be pretty confusing.

So, I have configured an SP to use OpenSAML to check SAML tickets
obtained from Shibboleth.

If I configure Shibboleth so that it doesn't encrypt the Assertion,
then I can validate the signature on the Assertion and the signature
on the Response. All is well.

If I configure Shibboleth to now encrypt the Assertion then I can
decrypt and then validate the signature on that Assertion, but then
the signature on the Response fails to validate.

That makes it look as if decrypting the Assertion has changed the
Response object. So to check this I checked the signature on the
Response both before and after decrypting the Assertion, and sure
enough the first one succeeded and the second failed.

So am I to understand from this that decrypting the Assertion does
something like replacing the EncryptedAssertion in the Response with
the "plain" Assertion?

Thanks,
Nick
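The ordering the post arrives at empirically (check the Response signature, then decrypt) is the safe one regardless of how the decrypter treats the Response DOM. The following is an added example written for this archive page, not code from the thread or from the OpenSAML project. It assumes the OpenSAML 2.x API (org.opensaml.saml2.encryption.Decrypter, SignatureValidator, SAMLSignatureProfileValidator), that the library has been bootstrapped and the Response already unmarshalled, that the IdP signing public key and the SP decryption private key are already loaded, and that the EncryptedKey is carried inline in the EncryptedData's KeyInfo. The call to setRootInNewDocument(true) asks the decrypter to place the decrypted Assertion in a fresh DOM document instead of splicing it into the Response's document; whether that is what breaks the Response signature in the poster's setup is exactly the open question, so the example does not rely on it and verifies the Response first either way.

```java
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/**
 * Verify-then-decrypt for a SAML 2.0 Response with OpenSAML 2.x.
 * Hypothetical helper (not part of OpenSAML): the Response signature is
 * checked while its DOM is still untouched, and only afterwards are the
 * EncryptedAssertion elements decrypted and individually verified.
 */
public class ResponseVerifier {

    private final Credential idpSigningCredential;
    private final Decrypter decrypter;

    /**
     * @param idpSigningKey   IdP public key (assumed to come from trusted metadata)
     * @param spDecryptionKey SP private key matching the SP encryption certificate
     */
    public ResponseVerifier(PublicKey idpSigningKey, PrivateKey spDecryptionKey) {
        BasicCredential signing = new BasicCredential();
        signing.setPublicKey(idpSigningKey);
        this.idpSigningCredential = signing;

        BasicCredential decryption = new BasicCredential();
        decryption.setPrivateKey(spDecryptionKey);

        // No resolver for a directly referenced data key (null); the SP private key
        // is the key-encryption key, and the EncryptedKey is expected inline.
        this.decrypter = new Decrypter(null,
                new StaticKeyInfoCredentialResolver(decryption),
                new InlineEncryptedKeyResolver());
        // Assumption: keep the decrypted Assertion out of the Response's DOM document.
        this.decrypter.setRootInNewDocument(true);
    }

    /** Profile check (no suspicious transforms, reference targets the parent) then the crypto check. */
    private void verifySignature(Signature sig, String what) throws ValidationException {
        if (sig == null) {
            throw new ValidationException(what + " is not signed");
        }
        new SAMLSignatureProfileValidator().validate(sig);
        new SignatureValidator(idpSigningCredential).validate(sig);
    }

    /**
     * Returns all assertions (plain and decrypted) once every signature has been verified.
     * The Response signature is verified BEFORE any decryption takes place.
     */
    public List<Assertion> verifyAndDecrypt(Response response)
            throws ValidationException, DecryptionException {
        // Step 1: Response envelope signature, on the DOM exactly as it was parsed.
        verifySignature(response.getSignature(), "Response");

        List<Assertion> verified = new ArrayList<Assertion>();

        // Step 2: assertions that were sent in the clear.
        for (Assertion a : response.getAssertions()) {
            verifySignature(a.getSignature(), "Assertion " + a.getID());
            verified.add(a);
        }

        // Step 3: decrypt, then verify each decrypted Assertion's own signature.
        for (EncryptedAssertion enc : response.getEncryptedAssertions()) {
            Assertion a = decrypter.decrypt(enc);
            verifySignature(a.getSignature(), "Assertion " + a.getID());
            verified.add(a);
        }
        return verified;
    }
}
```

Usage is a single call, `new ResponseVerifier(idpKey, spKey).verifyAndDecrypt(response)`, after the Response has been unmarshalled; any ValidationException means the message must be rejected before any attribute or NameID from it is used. Keeping the decrypted assertions in a separate list, rather than reaching back into the Response afterwards, also means nothing downstream depends on what the decrypter did to the Response object.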


