
mace-opensaml-users - Re: [OpenSAML] XML Signature verification issue

Subject: OpenSAML user discussion


Re: [OpenSAML] XML Signature verification issue


Chronological Thread 
  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] XML Signature verification issue
  • Date: Wed, 12 Jan 2011 14:52:04 -0500



On 1/11/11 8:17 AM, Daniel Förberg wrote:
> Ok. Is the "pre-digest" value, the same as pre-digested input, which
> is the Assertion without signature?
> In this case when unmarshalling from SOAP Message the Assertion
> already contains the enveloped Signature.

No, not exactly. The pre-digest value being discussed is the value over
which the Signature's Reference's digest is calculated. This is
calculated basically as the result of resolving the Reference's URI and
then running the Reference's Transforms over it, which for SAML will
usually include a canonicalization transform (hopefully
self-explanatory) and the enveloped signature transform, which removes
the entire Signature element. The output of the Transforms chain is the
octet stream over which the Reference's digest value is calculated. Note
that this pre-digest value is NOT what you see at any point in the
serialized instance document(s). It's an internal detail of the XML
Signature process.

That pre-digest output will be (or should be) the same on both the
signing and validation sides. If it's not, that's when you see a
validation error. Apache xmlsec for Java has debug options for
obtaining the pre-digest value, both at signing and validation time. See
the article Chad referenced for turning this debug output on. You get
the 2 values from signing and from validation, and compare them. If one
side or the other in your flow isn't Apache xmlsec Java, then you need
to see if that software does have the capability to emit the pre-digest
value. If not, you might have to hack some debug code in. I believe
that the later versions of Apache xmlsec C++ do have that. Not sure about
other XML Signature libraries.

Hope that helps,
Brent
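As an added illustration of the Reference processing chain Brent describes (example code, not from the thread or from Apache xmlsec): a constructed SAML Assertion as the signer saw it, and the same Assertion as received with the enveloped Signature in place, reduce to identical pre-digest octets, while a copy altered in transit does not. It uses the Python standard library's C14N 2.0 canonicalizer as a stand-in for the Exclusive C14N 1.0 transform SAML normally uses, and all XML, IDs and values are constructed.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Enveloped-signature transform target, in Clark notation as ElementTree reports tags.
DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: the Assertion as the signer canonicalized it, before any Signature existed.
SIGNER_SIDE = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_abc123" Version="2.0">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:Conditions></saml:Conditions>'
    '</saml:Assertion>'
)

# Constructed: the same Assertion as unmarshalled from the SOAP message: attributes
# reordered, single quotes, a self-closed element and the enveloped Signature present.
RECEIVED = (
    f"<saml:Assertion Version='2.0' ID='_abc123' xmlns:saml='{SAML_NS}'>"
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:Reference URI=""></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:Conditions/>'
    '</saml:Assertion>'
)

# Constructed: the received Assertion with the subject changed in transit.
TAMPERED = RECEIVED.replace("alice", "mallory")


def pre_digest(xml_text: str) -> str:
    """Reference URI="" resolves to the whole document; the Transforms chain is the
    enveloped-signature transform (drop ds:Signature) followed by canonicalization.
    The returned string is the octet stream the Reference digest is computed over."""
    return ET.canonicalize(xml_text, exclude_tags={DS_SIGNATURE})


def digest_value(xml_text: str) -> str:
    """Base64 SHA-256 of the pre-digest octets, as it would appear in ds:DigestValue."""
    octets = pre_digest(xml_text).encode("utf-8")
    return base64.b64encode(hashlib.sha256(octets).digest()).decode("ascii")


if __name__ == "__main__":
    # Signer and validator agree; the tampered copy is what a digest mismatch looks like.
    for label, doc in (("signer", SIGNER_SIDE), ("received", RECEIVED), ("tampered", TAMPERED)):
        print(f"{label:9}: {digest_value(doc)}")
    print(pre_digest(RECEIVED))
```

Comparing the two pre-digest strings directly, rather than only the digests, is what shows which transform (a namespace declaration, whitespace, a dropped element) differs between the signing and validating sides.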





Archive powered by MHonArc 2.6.16.
