Shibboleth Developers

[<>]

I updated my Shibboleth IDP this afternoon, and the assertions are being 
verified by my SP now.  That was some amazing debugging by you guys.  After 
Scott and I stopped working on it on Friday, I was convinced it was going to 
be some really strange corrupted environment problem on my end, since it 
worked on every platform he tried it on Friday.  Great job, thanks!
 
Thanks,
Jeff
 

________________________________

From: Brent Putman 
[mailto:]
Sent: Sat 9/22/2007 2:59 PM
To: 

Subject: Re: Shibboleth SP Beta Problem (or maybe IDP problem)



Just to (hopefully) close this out:  Scott determined that the SP was
failing to process the signature from the IdP because the IdP (via a
default in OpenSAML) was using SHA-256 as the hash algorithm for the
Signature/Reference/DigestMethod value.  RHEL 4's version of OpenSSL
doesn't support SHA-256 hashes apparently, so it was barfing (with a not
very helpful error message courtesy of the Apache XML Security lib).

I have updated OpenSAML to (effectively) default to SHA-1 on signature
references, so the IdP should now be signing with SHA-1.  That's the
lowest common denominator, and should be supported by everything.

Thanks Jeff for reporting.  When you get a chance, could you please
confirm whether this resolves your issue?  You'll need to run against an
IdP using the OpenSAML changes I just checked in.  (I wasn't clear on
whether the IdP was yours or not...)

Thanks,
Brent



 wrote:
> I am running under RHEL 4.  I built the RPMs from the SRPMs. 
>
> When a signed assertion from the Shib 2 IDP arrives, the SP fails to
> verify the signature (note this same SP is verifying the signature on
> assertions from my Ping IDP) and produces the following error trace:
>
> 2007-09-21 02:45:40 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]:
> validating signature profile
> 2007-09-21 02:45:40 DEBUG XMLTooling.KeyInfoResolver.Inline [2]:
> resolving ds:X509Certificate
> 2007-09-21 02:45:40 DEBUG XMLTooling.KeyInfoResolver.Inline [2]:
> resolved 1 certificate(s)
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]:
> attempting to validate signature with the peer's credentials
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: public
> key did not validate signature: Caught an XMLSecurity exception
> verifying signature: Error allocating memory
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: no
> peer credentials validated the signature
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: validating
> signature using certificate from within the signature
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: Caught an
> XMLSecurity exception verifying signature: Error allocating memory
> 2007-09-21 02:45:40 DEBUG XMLTooling.TrustEngine.PKIX [2]: failed to
> verify signature with embedded certificates
> 2007-09-21 02:45:40 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]:
> unable to verify message signature with supplied trust engine
>
> I did a cursory comparison between the Shib 2 SAML response and the Ping
> SAML response, and I noticed a couple differences:
>
> 1) Shibboleth reponse starts with <?xml version="1.0"
> encoding="UTF-8"?>, the Ping response starts immediately with
> <samlp:Response ...>  which is the 2nd line of the Shibboleth response.
>
> 2) The Ping signature is signing the saml:Assertion (contained inside
> the samlp:Response). The Shibboleth signature is signing the
> samlp:Response (which contains a saml:Assertion).
>
> 3) The Shibboleth signature includes a copy of the signing Certificate,
> the Ping response does not include a signing certificate.  (I did verify
> I didn't do anything too stupid, the signing certificate included by the
> Shib 2 IDP matches my metadata).
>
> Let me know what I can do to help figure this one out.  Nothing about
> the SAML response from the Shib IDP looks incorrect, but I have only
> glanced at it. 
>
> Thanks,
> Jeff
>

<<winmail.dat>>