
mace-opensaml-users - [OpenSAML] XML Signature verification issue

Subject: OpenSAML user discussion

  • From: Daniel Förberg
  • Subject: [OpenSAML] XML Signature verification issue
  • Date: Tue, 11 Jan 2011 11:04:33 +0100

Hello!

I am working as a consultant for a customer and using OpenSAML (XML Tooling, Open WS and more).
The requirement from the customer is to include 3 blocks of Assertions in a SOAP Header. This is implemented
as a restriction extension of the WSSE security, in order to define a custom Security Header called "Security
Header". Inside this Security Header the blocks are located. The first block is the authentication block, which is
a pure SAML2 Assertion.

The 2 other blocks have a surrounding root element, containing pure SAML2 Assertions.
One is for Authorization and the other for Auditing. These are connected to the root Assertion through the same
AssertionId. Each subblock contains completing SAML2 attributes. The reason to blockify the Assertions
is that the parties can use different solutions to manage Authentication and Authorization. For example,
Authentication by an external IDP, and attributes through an internal ADP or such.

Well, the signature generation and verification of the Assertions in isolation works perfectly fine.
When adding the 3 Assertions into a SOAP Header of a SOAP Envelope, without formatting
the content. The Assertions are extracted from the actual SOAP Message in an Interceptor
to front the Service Producer using CXF. When the verification is performed using a TrustEngine,
the error message is "Signature Hash does not match signed content". Any clue how
to verify the Signature correctly? I followed all the tips and instructions on the OpenSAML without any
result yet. Thanks in advance.

Regards,

Daniel
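
An XML Signature verifier canonicalizes the referenced content and hashes it, so any change to an assertion between signing and verification, such as whitespace introduced by re-serialization, produces a different digest. The sketch below is an added example (not part of the original post and not OpenSAML code) that compares such a digest before embedding and after extraction from a SOAP envelope. The sample assertion, the helper names, SHA-256 and Python's built-in C14N 2.0 canonicalizer are assumptions standing in for whatever the deployment actually uses.

```python
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample assertion (not taken from the post), serialized without
# whitespace between elements, as it would exist at signing time.
ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<saml:AttributeStatement><saml:Attribute Name="role">'
    '<saml:AttributeValue>auditor</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)

def c14n_digest(xml_text):
    """SHA-256 over the canonical form: a stand-in for the Reference digest."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def wrap_in_soap(assertion_xml):
    """Embed the serialized assertion in a SOAP header without altering it."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
            f'{assertion_xml}</soap:Header><soap:Body/></soap:Envelope>')

def extract_assertion(envelope_xml):
    """Pull the assertion back out of the envelope, as an interceptor would."""
    ET.register_namespace("saml", SAML_NS)  # keep the original prefix on output
    node = ET.fromstring(envelope_xml).find(f".//{{{SAML_NS}}}Assertion")
    node.tail = None  # text after the element is not part of the signed content
    return ET.tostring(node, encoding="unicode")

def reformat(assertion_xml):
    """Hypothetical pretty-printing step: adds line breaks between elements."""
    return assertion_xml.replace("><", ">\n<")

def compare():
    """Return (digest survives plain embedding, digest survives reformatting)."""
    signed = c14n_digest(ASSERTION)
    untouched = c14n_digest(extract_assertion(wrap_in_soap(ASSERTION)))
    changed = c14n_digest(extract_assertion(wrap_in_soap(reformat(ASSERTION))))
    return signed == untouched, signed == changed

if __name__ == "__main__":
    print(compare())
```

Running the same comparison on the real canonical bytes at signing time and inside the interceptor shows whether the content was altered in transit or during extraction.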


