shibboleth-dev - Re: Shibboleth SP Beta Problem (or maybe IDP problem)
- From: Brent Putman <>
- To:
- Subject: Re: Shibboleth SP Beta Problem (or maybe IDP problem)
- Date: Sat, 22 Sep 2007 14:59:11 -0400
Just to (hopefully) close this out: Scott determined that the SP was
failing to process the signature from the IdP because the IdP (via a
default in OpenSAML) was using SHA-256 as the hash algorithm for the
Signature/Reference/DigestMethod value. RHEL 4's version of OpenSSL
doesn't support SHA-256 hashes apparently, so it was barfing (with a not
very helpful error message courtesy of the Apache XML Security lib).
I have updated OpenSAML to (effectively) default to SHA-1 on signature
references, so the IdP should now be signing with SHA-1. That's the
lowest common denominator, and should be supported by everything.
Thanks Jeff for reporting. When you get a chance, could you please
confirm whether this resolves your issue? You'll need to run against an
IdP using the OpenSAML changes I just checked in. (I wasn't clear on
whether the IdP was yours or not...)
Thanks,
Brent
wrote:
> I am running under RHEL 4. I built the RPMs from the SRPMs.
>
> When a signed assertion from the Shib 2 IDP arrives, the SP fails to
> verify the signature (note this same SP is verifying the signature on
> assertions from my Ping IDP) and produces the following error trace:
>
> 2007-09-21 02:45:40 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]:
> validating signature profile
> 2007-09-21 02:45:40 DEBUG XMLTooling.KeyInfoResolver.Inline [2]:
> resolving ds:X509Certificate
> 2007-09-21 02:45:40 DEBUG XMLTooling.KeyInfoResolver.Inline [2]:
> resolved 1 certificate(s)
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]:
> attempting to validate signature with the peer's credentials
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: public
> key did not validate signature: Caught an XMLSecurity exception
> verifying signature: Error allocating memory
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: no
> peer credentials validated the signature
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: validating
> signature using certificate from within the signature
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: Caught an
> XMLSecurity exception verifying signature: Error allocating memory
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: failed to
> verify signature with embedded certificates
> 2007-09-21 02:45:40 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]:
> unable to verify message signature with supplied trust engine
>
> I did a cursory comparison between the Shib 2 SAML response and the Ping
> SAML response, and I noticed a couple differences:
>
> 1) Shibboleth response starts with <?xml version="1.0"
> encoding="UTF-8"?>, the Ping response starts immediately with
> <samlp:Response ...> which is the 2nd line of the Shibboleth response.
>
> 2) The Ping signature is signing the saml:Assertion (contained inside
> the samlp:Response). The Shibboleth signature is signing the
> samlp:Response (which contains a saml:Assertion).
>
> 3) The Shibboleth signature includes a copy of the signing Certificate,
> the Ping response does not include a signing certificate. (I did verify
> I didn't do anything too stupid, the signing certificate included by the
> Shib 2 IDP matches my metadata).
>
> Let me know what I can do to help figure this one out. Nothing about
> the SAML response from the Shib IDP looks incorrect, but I have only
> glanced at it.
>
> Thanks,
> Jeff
>
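The root cause Brent describes is an algorithm mismatch, not a key or trust problem: the IdP's Signature/Reference/DigestMethod named SHA-256 and the SP's OpenSSL build could not compute it, which surfaced as an unhelpful "Error allocating memory". The script below is an added example, not code from Shibboleth, OpenSAML or Ping. It parses a signed SAML 2.0 Response, reports which element each ds:Signature covers (Response vs. Assertion, Jeff's point 2) and which DigestMethod and SignatureMethod URIs it uses, and flags any URI a verifier with a given algorithm set cannot handle. The sample Response, the LEGACY_SUPPORTED set and all identifiers in it are constructed for this example; the set models an OpenSSL build without SHA-2, as described for RHEL 4.

```python
"""Diagnose XML Signature algorithm mismatches in a SAML 2.0 message.

Added example; not code from Shibboleth, OpenSAML or Ping. Given a signed
SAML Response it reports, for every ds:Signature, which element it covers
and which DigestMethod / SignatureMethod URIs it uses, then flags any
algorithm the verifying side's crypto library cannot handle. The sample
response and the LEGACY_SUPPORTED set are constructed for this example.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML Signature / XML Encryption algorithm identifiers.
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed: what a verifier whose OpenSSL lacks SHA-2 can process.
LEGACY_SUPPORTED = frozenset({SHA1, RSA_SHA1})

# Constructed sample mirroring the thread: the Response itself is signed,
# the SignatureMethod is rsa-sha1, but the Reference digest is SHA-256.
# Certificate, digest and signature values are placeholders.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2007-09-21T02:45:40Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-09-21T02:45:40Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  </saml:Assertion>
</samlp:Response>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def describe_signatures(xml_text):
    """Return one dict per ds:Signature: the local name of the element it is
    enclosed in (e.g. Response or Assertion) and the algorithm URIs used."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: p for p in root.iter() for child in p}
    out = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        digests = [d.get("Algorithm") for d in sig.iter(f"{{{DS}}}DigestMethod")]
        out.append({
            "signs": _local(parent[sig].tag) if sig in parent else _local(root.tag),
            "signature_method": method.get("Algorithm") if method is not None else None,
            "digest_methods": digests,
        })
    return out


def unsupported_algorithms(xml_text, supported=LEGACY_SUPPORTED):
    """Algorithm URIs the verifier cannot handle. A non-empty result means
    verification fails before any key or trust check is even reached."""
    bad = []
    for sig in describe_signatures(xml_text):
        for uri in [sig["signature_method"], *sig["digest_methods"]]:
            if uri is not None and uri not in supported:
                bad.append(uri)
    return bad


if __name__ == "__main__":
    for sig in describe_signatures(SAMPLE_RESPONSE):
        print(f"signature over {sig['signs']}: {sig['signature_method']}, "
              f"digests {sig['digest_methods']}")
    print("unsupported by legacy verifier:", unsupported_algorithms(SAMPLE_RESPONSE))
```

Running it against the constructed sample reports a signature over Response using rsa-sha1 with a sha256 digest, and flags the sha256 URI as unsupported by the legacy set. Checking the algorithm URIs this way is cheap and worth doing before chasing key or metadata mismatches, since, as the thread shows, a missing digest algorithm in the underlying crypto library can surface as an unrelated-looking error. Today the supported set would normally be the other way round, with SHA-1 the algorithm a verifier rejects.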
- Shibboleth SP Beta Problem (or maybe IDP problem), Jeff.Krug, 09/21/2007
- RE: Shibboleth SP Beta Problem (or maybe IDP problem), Scott Cantor, 09/21/2007
- Re: Shibboleth SP Beta Problem (or maybe IDP problem), Brent Putman, 09/22/2007
- RE: Shibboleth SP Beta Problem (or maybe IDP problem), Jeff.Krug, 09/23/2007