shibboleth-dev - RE: Shibboleth SP Beta Problem (or maybe IDP problem)
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: Shibboleth SP Beta Problem (or maybe IDP problem)
- Date: Fri, 21 Sep 2007 13:04:10 -0400
- Organization: The Ohio State University
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: public
> key did not validate signature: Caught an XMLSecurity exception
> verifying signature: Error allocating memory
Like I said on IM, that's just...weird. We tested on CentOS 5, it seemed to
be fine.
> 2) The Ping signature is signing the saml:Assertion (contained inside
> the samlp:Response). The Shibboleth signature is signing the
> samlp:Response (which contains a saml:Assertion).
The IdP is doing some simple stuff right now for testing purposes, I told
Chad we probably needed a few options for controlling it later, and the
default should be the assertion. Shouldn't matter here.
> 3) The Shibboleth signature includes a copy of the signing Certificate,
> the Ping response does not include a signing certificate.
Is that the default? I would think most products tend toward using PKI and
not forcing the SP to have the key, but just curious.
> Let me know what I can do to help figure this one out. Nothing about
> the SAML response from the Shib IDP looks incorrect, but I have only
> glanced at it.
I haven't had time to really look, but my quick suggestion is, send me the
raw response (the base64 is best) and I'll look at it. Also, you could try
using the samlsign tool I added to do some playing with the signature
directly. Bad news is I don't have it documented and the options are
complex.
Easiest I think would be to run it as
"cat response.xml | samlsign --cert cert.pem"
It should fail the same way, but maybe you could debug into it somehow?
Anyway, I'm eagerly awaiting any additional signs things aren't working for
people, this seems like it might be a library thing, not a Shib thing.
-- Scott
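
To compare two responses on the points raised in this thread (which element carries the signature, and whether the signing certificate is embedded), a structural check like the one below can help. It is an added example, not part of the original message or of the Shibboleth code; the sample XML is constructed, SAML 2.0 namespaces are assumed, and the script inspects structure only, it does not verify any signature.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ID_ATTRS = ("ID", "ResponseID", "AssertionID")  # SAML 2.0 and SAML 1.1 attribute names

def describe_signatures(xml_text):
    """Report each ds:Signature: its parent element, Reference URI, embedded cert."""
    found = []
    for parent in ET.fromstring(xml_text).iter():
        for sig in parent.findall(DS + "Signature"):
            ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
            uri = ref.get("URI") if ref is not None else None
            parent_id = next((parent.get(a) for a in ID_ATTRS if parent.get(a)), None)
            found.append({
                "signed_element": parent.tag.rsplit("}", 1)[-1],
                "reference_uri": uri,
                # The Reference should point at the ID of the element carrying the signature.
                "covers_parent": parent_id is not None and uri == "#" + parent_id,
                "embeds_certificate": sig.find(f".//{DS}X509Certificate") is not None,
            })
    return found

# Constructed, minimal samples (not schema-complete; PLACEHOLDER is not real key material).
def sample_signature(ref_id, with_cert):
    key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER"
                "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>") if with_cert else ""
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
            f'<ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
            f"<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>{key_info}</ds:Signature>")

ENVELOPE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1">{resp_sig}'
            '<saml:Assertion ID="a1">{assert_sig}</saml:Assertion></samlp:Response>')
# Signature on samlp:Response with the certificate included.
RESPONSE_SIGNED = ENVELOPE.format(resp_sig=sample_signature("r1", True), assert_sig="")
# Signature on saml:Assertion with no certificate included.
ASSERTION_SIGNED = ENVELOPE.format(resp_sig="", assert_sig=sample_signature("a1", False))

if __name__ == "__main__":
    for name, doc in (("response-signed", RESPONSE_SIGNED), ("assertion-signed", ASSERTION_SIGNED)):
        print(name, describe_signatures(doc))
```
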