Shibboleth Developers

[Walter Hoehn <>]

This was an unfortunate oversight.  I'll be releasing an update soon  
(IdP 1.3c) that includes the latest opensaml build.

-Walter


On Sep 27, 2005, at 10:38 AM, Valery Tschopp wrote:

> Hi Scott,
>
> What is exactly the IdP 1.3b status regarding OpenSAML 1.1b library?
>
> We have X509 certificates in our SWITCHaai metadata, see:
> https://aai-rr.switch.ch/gen_metadata.php/metadata.switchaai.xml
>
> With the metadatatool included in IdP 1.3b tarball it is possible  
> to sign it, but the signed metadata become unusable (base64 block  
> are broken)
>
> Is it normal that opensaml 1.1b is not included in IdP 1.3b ?
>
> Best regards,
> Valery Tschopp - SWITCH
>
> Scott Cantor wrote:
>
> > Another overlooked consequence of switching to Xerces is that the  
> > Java
> > version still contains a bug that causes signing of base64 content  
> > to fail
> > unless a particular parser feature specific to Xerces is turned off.
> > The immediate consequence of this bug, aside from people using  
> > OpenSAML, is
> > that metadatatool can't verify signed metadata that contains  
> > certificates. A
> > later, less critical consequence would be the Java SP validating  
> > signed
> > responses if they included signed assertions, not something we  
> > need right
> > now.
> > To fix this, we have to release a patched opensaml-1.1.jar and  
> > replace the
> > version included with Shibboleth. I suspect we can get away with just
> > posting a new opensaml-1.1b package and documenting that you need  
> > to copy
> > that version into IDP_HOME/lib if you want metadatatool to work.
> > This feature appears to be off by default in Sun's version, which  
> > is why it
> > appeared to work before. Unfortunately, setting this Xerces  
> > feature causes a
> > spurious exception when using some other parser, but for now this  
> > is the
> > best I can think to do. A spurious warning is better than broken,  
> > and Shib
> > at this point requires Xerces anyway.
> > We can discuss on the call tomorrow.
> > -- Scott
>
> --
> Valery Tschopp                            Software Engineer
> SWITCH             The Swiss Education and Research Network
> NetServices AAI                Neumuehlequai 6, 8001 Zurich
> phone:+41 1 268 1544                
> email: