shibboleth-dev - RE: signed assertions

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Ian Young'" <>
  • Cc: <>
  • Subject: RE: signed assertions
  • Date: Tue, 21 Feb 2006 18:58:50 -0500

I have a theory about what might be breaking it, if I'm right it's a bug in
the IdP.

What I would do is try patching this class:

edu.internet2.middleware.shibboleth.aa.attrresolv.provider.SAML2PersistentID

If you go to line 252:

nameIDNode.setAttribute("xmlns", XML.SAML2ASSERT_NS);
nameIDNode.setAttribute(
"Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
nameIDNode.setAttribute("NameQualifier", responder);
nameIDNode.setAttribute("SPNameQualifier", requester);

You'll note these are not namespace-qualified. In the case of the final
three, I don't think it matters, although proper DOM practice says to use
setAttributeNS(NULL,"name","value");

But that first one could be breakage. It should be in the xmlns namespace,
not null. That could be causing the c14n engine to improperly sort it (in
fact it shows up *last* in your output, and I think xmlns attributes are
supposed to come *before* any others).

If I'm right, what's happening is that the Java code is signing it with the
xmlns attribute last, but the C++ c14n code reorders it to be first (since
it parses it as an xmlns declaration based on the name itself) and boom.

To fix, change the first line to:

nameIDNode.setAttributeNS(
org.opensaml.XML.XMLNS_NS,"xmlns", XML.SAML2ASSERT_NS);

Or something close.

If this fixes it, I win a big stuffed furry animal. And continue to wonder
exactly how my life ended up here, debugging XML signature solely through
visual exam.

-- Scott
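The following is an added illustration of the theory in the message above; it is not code from the message, from the Shibboleth IdP, or from OpenSAML. Python's xml.dom.minidom stands in for the Java DOM, the two namespace URIs are the standard ones behind XML.SAML2ASSERT_NS and org.opensaml.XML.XMLNS_NS, the entity IDs are constructed, and the attribute ordering is a simplified model of the Canonical XML 1.0 rule rather than a real c14n engine. It builds the NameID element both ways (setAttribute("xmlns", ...) as on line 252, and setAttributeNS with the xmlns namespace as proposed), shows where the "xmlns" attribute lands in canonical order, and then re-parses the signed bytes the way a verifier would to show whether the two sides agree.

```python
from xml.dom import XMLNS_NAMESPACE
from xml.dom.minidom import Document, parseString

# Standard namespace URIs behind the Java constants named in the message
# (XML.SAML2ASSERT_NS and org.opensaml.XML.XMLNS_NS respectively).
SAML2_ASSERT_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample entity IDs standing in for responder (IdP) and requester (SP).
RESPONDER = "https://idp.example.org/shibboleth"
REQUESTER = "https://sp.example.org/shibboleth"


def build_name_id(qualified_xmlns):
    """Build the <NameID> element the way the patched class does.

    qualified_xmlns=False mirrors the original line 252, setAttribute("xmlns", ...):
    the DOM stores "xmlns" as an ordinary attribute with a null namespace.
    qualified_xmlns=True mirrors the proposed fix, setAttributeNS(XMLNS_NS, "xmlns", ...).
    """
    doc = Document()
    name_id = doc.createElementNS(SAML2_ASSERT_NS, "NameID")
    if qualified_xmlns:
        name_id.setAttributeNS(XMLNS_NAMESPACE, "xmlns", SAML2_ASSERT_NS)
    else:
        name_id.setAttribute("xmlns", SAML2_ASSERT_NS)
    name_id.setAttribute("Format", PERSISTENT_FORMAT)
    name_id.setAttribute("NameQualifier", RESPONDER)
    name_id.setAttribute("SPNameQualifier", REQUESTER)
    return name_id


def attribute_namespace(element, name):
    """Namespace URI the DOM recorded for attribute `name` (None when unqualified)."""
    return element.getAttributeNode(name).namespaceURI


def c14n_attribute_order(element):
    """Attribute names in the order Canonical XML 1.0 would emit them.

    Simplified model of the spec's rule, not a full c14n engine: namespace
    declarations (attributes in the xmlns namespace) come first, the default
    declaration ahead of prefixed ones; ordinary attributes follow, sorted by
    namespace URI (no namespace sorts lowest) and then local name. An "xmlns"
    attribute stored with a null namespace is not recognised as a declaration,
    so it is sorted among the ordinary attributes, where uppercase-initial
    names such as "Format" precede it.
    """
    attrs = list(element.attributes.values())
    ns_decls = [a for a in attrs if a.namespaceURI == XMLNS_NAMESPACE]
    ordinary = [a for a in attrs if a.namespaceURI != XMLNS_NAMESPACE]
    ns_decls.sort(key=lambda a: "" if a.localName == "xmlns" else a.localName)
    ordinary.sort(key=lambda a: (a.namespaceURI or "", a.localName))
    return [a.name for a in ns_decls + ordinary]


def canonical_form(element):
    """Serialise the element (attributes only, no children) in c14n attribute order."""
    def esc(value):  # attribute-value escaping c14n requires for &, < and "
        return value.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
    parts = ['%s="%s"' % (n, esc(element.getAttribute(n)))
             for n in c14n_attribute_order(element)]
    tag = element.tagName
    return "<%s %s></%s>" % (tag, " ".join(parts), tag)


def reparsed_canonical_form(serialized):
    """What a verifier that re-parses the signed bytes (the C++ side) canonicalises.

    A namespace-aware parser classifies "xmlns" as a declaration from its name
    alone, so after re-parsing it always sits in the xmlns namespace and sorts first.
    """
    return canonical_form(parseString(serialized).documentElement)


def signature_would_verify(qualified_xmlns):
    """True when signer and verifier canonicalise the element to the same bytes."""
    signed = canonical_form(build_name_id(qualified_xmlns))
    return signed == reparsed_canonical_form(signed)


if __name__ == "__main__":
    for qualified in (False, True):
        print("setAttributeNS" if qualified else "setAttribute  ",
              c14n_attribute_order(build_name_id(qualified)),
              "verifies" if signature_would_verify(qualified) else "MISMATCH")
```

With the unqualified "xmlns" the signer's canonical order ends with the xmlns attribute, exactly as observed in the output discussed above, while the re-parsed copy puts it first, so the digests differ; with setAttributeNS both sides agree. The same check is worth keeping as a unit test on any code that builds signed XML through the DOM by hand, since a DOM-level mistake of this kind is invisible in the serialised document.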
