shibboleth-dev - Re: signed assertions
Subject: Shibboleth Developers
List archive
- From: Ian Young <>
- To:
- Subject: Re: signed assertions
- Date: Tue, 21 Feb 2006 18:23:42 +0000
Ian Young wrote:
> If you managed to get this to work, I guess it is likely to be finger
> trouble on my part somewhere. I will go back to square one and try
> again, very carefully.
So I did that, but the problem recurs.
I changed the IdP's metadata to include WantAssertionsSigned="true" for the SP. I changed the SP's metadata to duplicate the KeyDescriptor for the IdP from the SSO onto the AA.
Same behaviour: signon apparently successful, but no attributes passed to the application because the signature verification failed and the attribute assertion was therefore removed from the response.
I tried removing some of the attributes from the release policy at the IdP (these are both test entities, so lots of attributes are released by default). This didn't change the behaviour. The trace line with the soap message in it got shorter, but it still terminated just after the <ds:Signature> start tag, so I guess there is something going on there with a newline. I don't think it's the problem, as such, but it is stopping me seeing the whole message.
Again, looking at the messages it isn't clear to me that the KeyName on the AA is actually the issue; it is claiming to have failed to verify the signature against the (key associated with the) certificate in the signature itself. That suggests to me that the problem is some kind of mad XML library canonicalisation issue. It could be either at the IdP or the SP, though.
Scott Cantor wrote:
The trace line finishes with this:
</Attribute></AttributeStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
(no line break after ds:Signature in the original)
Each element of the signature includes a linefeed, it's just the way the
Java code creates the XML. My binary detection is probably tripping on it.
Sounds like it.
If you managed to get this to work, I guess it is likely to be finger trouble on my part somewhere. I will go back to square one and try again, very carefully.
If you like, you could try the wiki and feed it your signature directly.
I'll try that, thanks. Was it the wiki you tried the test with yourself?
If so, I guess if my attributes make it through then I need to look at the SP. If they don't, then the IdP is the place to look.
I could add the KeyDescriptor to something if you tell me which IdP to change.
It will be:
urn:mace:ac.uk:sdss.ac.uk:provider:identity:idp.iay.org.uk
That's only in SDSS, so I guess it can only reach the wiki. The SP I am testing is in SDSS and InQueue, so it would be possible to try the reverse combination if it seemed worthwhile at some point.
-- Ian
- signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- RE: signed assertions, Scott Cantor, 02/21/2006
- <Possible follow-up(s)>
- RE: signed assertions, Scott Cantor, 02/21/2006
- Re: signed assertions, Ian Young, 02/22/2006
Archive powered by MHonArc 2.6.16.