shibboleth-dev - RE: signed assertions

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: signed assertions
  • Date: Tue, 21 Feb 2006 17:47:15 -0500
  • Organization: The Ohio State University

> I read this to be saying that it managed to check the signature on the
> basis of the certs in the signature itself, but that it failed to find a
> KeyDescriptor that matched that in the metadata.

Correct.

> and come back to it: but at least we know what it looks like when the
> metadata is absent.

Yes, though I obviously knew what it meant. I got the same error initially
when I forgot IQ's metadata does not support this. We're just hoping to shut
it down before it matters.

> skipping AttributeValue without a single, non-empty text node

Hmm. Skipping the value in general shouldn't invalidate the signature, it
just means it's not *processing* the data.

> Sure enough, if I change my ARP to not include the new-style ePTI
> attribute, my IdP's signed attribute assertions are now validated by my
> SP. That attribute wasn't being released to your wiki, which explains
> why my IdP could talk to your SP and not mine.

But isn't there a plugin in your SP that's handling that attribute? It
shouldn't even be skipping it, frankly. Something's off.

Maybe it's an older config file? See if it has that OID in it.

> So, OpenSAML signature verification bug when attribute values have
> complex contents?

Possibly. I'm not sure what it's doing exactly yet. I'll need to see what
"ignore" really means here.

-- Scott
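An added illustration, not part of the original message and not OpenSAML or Shibboleth code, of the distinction Scott draws above: *skipping* an AttributeValue whose content is not a single, non-empty text node is an application-level processing decision and should not touch what the signature covers; the digest only changes if the consumer alters the parsed tree before canonicalizing and recomputing it. The AttributeStatement, entity URLs and identifier value are constructed sample data; the OIDs are the standard eduPerson ones for ePPN and ePTI. A SHA-256 over the stdlib C14N 2.0 output stands in for the DigestValue a verifier recomputes under whatever canonicalization the signature's Transforms actually name, so this is the shape of the check, not a drop-in verifier.

```python
"""Does skipping a complex-content AttributeValue change the signed content?

Constructed illustration (not OpenSAML/Shibboleth code). Two things a SAML
consumer does with a signed AttributeStatement are modelled:

 1. canonicalize the signed subtree and digest it (what signature
    verification actually checks), and
 2. walk AttributeValue elements and keep only those with a single,
    non-empty text node (the rule in the quoted "skipping AttributeValue"
    log line), ignoring the rest.

A read-only walk leaves the digest untouched. Only if step 2 mutates the
tree *before* step 1 runs does the recomputed digest, and with it the
signature, stop matching.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)  # keep the saml: prefix on re-serialization

EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
EPTI = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

# Constructed sample: one simple-content value and one complex-content value
# (a saml:NameID child, the "new-style" ePTI shape). URLs and the identifier
# string are made up for the example.
STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="{EPPN}">
    <saml:AttributeValue>user@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{EPTI}">
    <saml:AttributeValue>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                   NameQualifier="https://idp.example.org/idp"
                   SPNameQualifier="https://sp.example.org/shibboleth"
                   >opaque-persistent-identifier</saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def digest(elem: ET.Element) -> str:
    """SHA-256 over the canonical form of `elem` (stdlib C14N 2.0 stands in
    for the canonicalization named in a real ds:Reference)."""
    canon = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def simple_text_value(av: ET.Element):
    """Return the text if `av` holds exactly one non-empty text node and no
    child elements; otherwise None (the value is to be skipped)."""
    if len(av) == 0 and av.text and av.text.strip():
        return av.text.strip()
    return None


def process_attributes(stmt: ET.Element) -> dict:
    """Read-only walk: collect simple values, skip complex ones, never mutate."""
    out: dict = {}
    for attr in stmt.findall("saml:Attribute", NS):
        for av in attr.findall("saml:AttributeValue", NS):
            v = simple_text_value(av)
            if v is not None:
                out.setdefault(attr.get("Name"), []).append(v)
    return out


def process_attributes_destructively(stmt: ET.Element) -> dict:
    """Same walk, but removes skipped AttributeValue elements from the tree.
    Canonicalizing *after* this no longer reproduces what the IdP signed."""
    out: dict = {}
    for attr in stmt.findall("saml:Attribute", NS):
        for av in list(attr.findall("saml:AttributeValue", NS)):
            v = simple_text_value(av)
            if v is None:
                attr.remove(av)
            else:
                out.setdefault(attr.get("Name"), []).append(v)
    return out


def demo() -> dict:
    """Compare digests before/after a read-only skip and after a mutating skip."""
    signed = ET.fromstring(STATEMENT)
    d_signed = digest(signed)                 # what the signer covered
    attrs = process_attributes(signed)        # skips ePTI, leaves the tree alone
    d_after_skip = digest(signed)
    mutated = copy.deepcopy(signed)
    process_attributes_destructively(mutated)
    d_after_mutation = digest(mutated)
    return {
        "skip_preserves_digest": d_signed == d_after_skip,
        "mutation_breaks_digest": d_signed != d_after_mutation,
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for a failing verifier is to capture the exact bytes the signature is recomputed over and diff them against the serialized message as received; if "ignoring" a value has shown up as a missing node in that canonical form, the processing step has run ahead of verification, which is a different problem from a genuinely bad signature or missing metadata.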



