shibboleth-dev - Re: signed assertions

  • From: Ian Young <>
  • Subject: Re: signed assertions
  • Date: Tue, 21 Feb 2006 18:23:42 +0000

Ian Young wrote:

> If you managed to get this to work, I guess it is likely to be finger
> trouble on my part somewhere. I will go back to square one and try
> again, very carefully.

So I did that, but the problem recurs.

I changed the IdP's metadata to include WantAssertionsSigned="true" for the SP. I changed the SP's metadata to duplicate the KeyDescriptor for the IdP from the SSO onto the AA.

Same behaviour: signon apparently successful, but no attributes passed to the application because the signature verification failed and the attribute assertion was therefore removed from the response.

I tried removing some of the attributes from the release policy at the IdP (these are both test entities, so lots of attributes are released by default). This didn't change the behaviour. The trace line with the soap message in it got shorter, but it still terminated just after the <ds:Signature> start tag, so I guess there is something going on there with a newline. I don't think it's the problem, as such, but it is stopping me seeing the whole message.

Again, looking at the messages it isn't clear to me that the KeyName on the AA is actually the issue; it is claiming to have failed to verify the signature against the (key associated with the) certificate in the signature itself. That suggests to me that the problem is some kind of mad XML library canonicalisation issue. It could be either at the IdP or the SP, though.

Scott Cantor wrote:

>> The trace line finishes with this:
>>
>> </Attribute></AttributeStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>
>> (no line break after ds:Signature in the original)
>
> Each element of the signature includes a linefeed, it's just the way the
> Java code creates the XML. My binary detection is probably tripping on it.

Sounds like it.

>> If you managed to get this to work, I guess it is likely to be finger trouble on my part somewhere. I will go back to square one and try again, very carefully.

> If you like, you could try the wiki and feed it your signature directly.

I'll try that, thanks. Was it the wiki you tried the test with yourself?

If so, I guess if my attributes make it through then I need to look at the SP. If they don't, then the IdP is the place to look.

> I could add the KeyDescriptor to something if you tell me which IdP to change.

It will be:

urn:mace:ac.uk:sdss.ac.uk:provider:identity:idp.iay.org.uk

That's only in SDSS, so I guess it can only reach the wiki. The SP I am testing is in SDSS and InQueue, so it would be possible to try the reverse combination if it seemed worthwhile at some point.

-- Ian
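The two metadata changes described in the message above (WantAssertionsSigned="true" on the SP's role, and the IdP's signing KeyDescriptor duplicated from the SSO role onto the AA role), rendered as an added illustration in the SAML 2.0 metadata format that Shibboleth 1.3 consumes. This fragment is not from the original message or from the Shibboleth project; the entity IDs, key name and endpoint URLs are placeholders.

```xml
<!-- Added illustration, not from the original message. Entity IDs, the
     KeyName value and all endpoint URLs below are placeholders. -->
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

  <!-- The SP as seen by the IdP. WantAssertionsSigned="true" on the
       SPSSODescriptor asks the IdP to sign the assertions it issues
       to this SP. -->
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>

  <!-- The IdP as seen by the SP. The same signing KeyDescriptor is
       present on both the SSO role and the AA role, so a signature on
       an assertion returned by either role can be matched against
       metadata rather than only against the SSO role's key. -->
  <md:EntityDescriptor entityID="urn:example:idp">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:KeyName>idp.example.org</ds:KeyName>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.example.org/shibboleth-idp/SSO"/>
    </md:IDPSSODescriptor>

    <md:AttributeAuthorityDescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <!-- Duplicate of the SSO role's KeyDescriptor. -->
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:KeyName>idp.example.org</ds:KeyName>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AttributeService
          Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
          Location="https://idp.example.org/shibboleth-idp/AA"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
```

Note that the SP decides which KeyDescriptor to consult from the role that issued the message, so a key present only on the IDPSSODescriptor is not used when verifying a signature on an attribute query response from the AttributeAuthorityDescriptor; that is the reason for carrying the KeyDescriptor on both roles.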


