shibboleth-dev - Re: signed assertions again
Subject: Shibboleth Developers
List archive
- From: "Kristof Devos" <>
- To:
- Subject: Re: signed assertions again
- Date: Tue, 6 Nov 2007 16:34:07 +0100
thx for the reply
BUT
same certificate is used to sign the response and the assertion
seems an issue that no link can be made between <ds:Reference URI="#_aa74bc13d9a528eb65bfdb5165831391"> and AssertionID="_aa74bc13d9a528eb65bfdb5165831391", perhaps this is a namespace issue?? (see below for a snippet)
thx a lot
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_aa74bc13d9a528eb65bfdb5165831391" IssueInstant="2007-10-30T12:59:07.426Z" Issuer=" http://idp.smals-mvm.be/shibboleth" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2007-10-30T12:59:07.426Z" NotOnOrAfter="2007-10-30T13:04:07.426Z">
<AudienceRestrictionCondition><Audience>https://staging.postbox.be/</Audience>
<Audience>urn:behealth:shibboleth:elea13</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement AuthenticationInstant="2007-10-30T12:59:07.426Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified ">
<Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.smals-mvm.be/shibboleth">_06a17c212b38f53c19ad46a78f9e7f06</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML: 1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="10.60.200.65"></SubjectLocality></AuthenticationStatement><ds:Signature xmlns:ds=" http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# "></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_aa74bc13d9a528eb65bfdb5165831391">
On 06/11/2007, Scott Cantor <> wrote:
> I know there has already been a post on signed assertion but previous post
> had to do with some attributes sent in SAML ticket. I nevertheless have
> the same issue with signed assertions but I do not pass any attribute at
> all.
That's irrelevant.
> The message signature is validated perfectly but the assertion signature
> could not be validated
It's either signed with a different key that isn't being passed in the
message, or the code producing the signature is broken in some way.
-- Scott
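Added example, not part of the thread or of Shibboleth's code: a structural check in Python that the ds:Reference URI of an enveloped signature names the AssertionID of the enclosing assertion and that this ID value is unique in the document. It does not verify the signature itself; the sample response is constructed, modelled on the snippet in the message, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
ID_ATTRS = ("AssertionID", "ResponseID", "RequestID")  # xsd:ID attributes in SAML 1.1

# Constructed sample (digest and signature values left out on purpose:
# this checks how the reference binds, not the cryptography).
SAMPLE = (
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="_r1">'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' AssertionID="_aa74bc13d9a528eb65bfdb5165831391">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference URI="#_aa74bc13d9a528eb65bfdb5165831391"/>'
    '</ds:SignedInfo></ds:Signature></Assertion></Response>'
)

def check_reference_binding(xml_text):
    """Map each AssertionID to None (binding OK) or a description of the problem."""
    root = ET.fromstring(xml_text)
    # All ID-typed values in the document; a "#id" reference must match exactly one.
    ids = [e.get(a) for e in root.iter() for a in ID_ATTRS if e.get(a) is not None]
    report = {}
    for assertion in root.iter(SAML + "Assertion"):
        aid = assertion.get("AssertionID", "")
        sig = assertion.find(DS + "Signature")  # direct child only: enveloped signature
        refs = [] if sig is None else sig.findall(DS + "SignedInfo/" + DS + "Reference")
        if sig is None:
            report[aid] = "no enveloped ds:Signature"
        elif len(refs) != 1:
            report[aid] = "expected exactly one ds:Reference, found %d" % len(refs)
        elif refs[0].get("URI") != "#" + aid:
            report[aid] = "ds:Reference URI %r does not name this assertion" % refs[0].get("URI")
        elif ids.count(aid) != 1:
            report[aid] = "ID value is not unique in the document"
        else:
            report[aid] = None
    return report

if __name__ == "__main__":
    for aid, problem in check_reference_binding(SAMPLE).items():
        print(aid, "->", problem or "reference resolves to the enclosing assertion")
```

A clean result here only shows that the reference and the AssertionID line up; a validation failure can still come from the key or from the signing code, as the reply says.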