
mace-opensaml-users - RE: [OpenSAML] Signing Assertion within a Response (C++)

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [OpenSAML] Signing Assertion within a Response (C++)
  • Date: Wed, 6 Oct 2010 10:43:09 -0400
  • Organization: The Ohio State University

> The validation of the digest was failing because I wasn't explicitly setting
> the xsi namespace in AttributeValue elements - when validating the digest
> the library code *did* put the xsi namespace attribute in the AttributeValue
> elements and so ended up with different xml to hash.

The library can't add them on the parsing end, so they were added by
something else, maybe the marshaller. But that makes no sense, because the
marshalling happens before you sign. So something's wrong, possibly you're
serializing with code that's adding the declaration after the signing
process.

> Is there sample C++ code somewhere for creating AttributeValue elements?
> I've got something that's working now, but it seems messy to me:

Adding a namespace-qualified attribute to an extensible node should record
the fact that the namespace is needed, and the marshaller should pick it up,
but that may be a fix in the latest version, I'd have to look.

But you're using the wrong interface for setting xsi:type, that should be
set via setSchemaType or by specifying the type when you build the object.
That was originally coded to know about the namespace, and it knows the type
of the attribute is a QName and can track that namespace as well, I believe.

But in general I wouldn't set it. Sometimes you need xsi:type, but
AttributeValue is not one of those places. SAML requires type uniformity and
your attribute's name should indicate to any receiver what the type is
without having to specify it.

-- Scott




