shibboleth-dev - Issue with attribute assertions

  • From: "Kristof Devos" <>
  • To:
  • Subject: Issue with attribute assertions
  • Date: Mon, 31 Mar 2008 17:00:24 +0200

Hi,

I have a basic Shibboleth setup, 1.3 still :-). My authentication SAML response works perfectly; however, the AA response, which is signed using the same certificate as the auth SAML response, is not working. I've put everything in debug and do not see anything special in the SAML response. The certificate is configured both for the auth and for the AA responses.

There is, however, a special line in the SAML response, but that's due to logging I think (2008-03-31 16:31:38 DEBUG SAML.libcurl [197] sessionGet:).

Anyone have an idea?

My SAML looks like:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="_5b4c03c54245722c8b9859e953f0b531" IssueInstant="2008-03-31T14:31:38.558Z" MajorVersion="1" MinorVersion="1" ResponseID="_7bca6a62110b50b879348b849a615320"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_7bca6a62110b50b879348b849a615320">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>KpmdlGTAqSmsIFQVyoIQDrtXP2Y=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
touOEGwV+vpLpwiPckFpJnyjxJ0RTc/OSyWBkcd/GH0EuCYOuoicovvOXqMRABRM9UFp2NZeFS8C
T3yC5IHbPpZ1OeIJkTtscwUeu6xnf4Yzyd+jaT7lRIt3PUCScBthccM77kSAgmStR/0cwRU29q9I
WSKwG6DP6yTA82Tchag=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_7d2751d9b1de607caa0a95a552beec34" IssueInstant="2008-03-31T14:31:38.558Z" Issuer="http://idp.test.be/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2008-03-31T14:31:38.557Z" NotOnOrAfter="2008-03-31T15:01:38.557Z"><AudienceRestrictionCondition><Audience>urn:test:shibboleth:elea13</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.test.be/shibboleth">_b83baf1fe6f754725b8a1eb7585ee903</NameIdentifier></Subject><Attribute AttributeName="urn:myattr:data" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
2008-03-31 16:31:38 DEBUG SAML.libcurl [197] sessionGet: ><AttributeValue>&lt;![CDATA[&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;&lt;authorisationResponse xmlns="http://www.test.be/webservices/"&gt;&lt;ticketnumber&gt;5L000004FDS6W&lt;/ticketnumber&gt;&lt;error&gt;NOT AUTHORIZED&lt;/error&gt;&lt;/authorisationResponse&gt;]]&gt;</AttributeValue></Attribute></AttributeStatement></Assertion></Response></soap:Body></soap:Envelope>


And the error is:

2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: validating signature with KeyDescriptors
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: KeyDescriptor resolved into a key, trying it...
2008-03-31 16:31:38 ERROR SAML.SAMLResponse [197] sessionGet: signature failed to verify, error messages follow:
Reference URI="#_7bca6a62110b50b879348b849a615320" failed to verify
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: verification with KeyDescriptor failed: failed to verify signature value: Reference URI="#_7bca6a62110b50b879348b849a615320" failed to verify
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: KeyDescriptor resolved into a key, trying it...
2008-03-31 16:31:38 ERROR SAML.SAMLResponse [197] sessionGet: signature failed to verify, error messages follow:
Reference URI="#_7bca6a62110b50b879348b849a615320" failed to verify
Validation of <SignedInfo> failed
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: verification with KeyDescriptor failed: failed to verify signature value: Reference URI="#_7bca6a62110b50b879348b849a615320" failed to verify
Validation of <SignedInfo> failed
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: KeyDescriptor resolved into a key, trying it...
2008-03-31 16:31:38 ERROR SAML.SAMLResponse [197] sessionGet: signature failed to verify, error messages follow:
Reference URI="#_7bca6a62110b50b879348b849a615320" failed to verify
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: verification with KeyDescriptor failed: failed to verify signature value: Reference URI="#_7bca6a62110b50b879348b849a615320" failed to verify
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Basic [197] sessionGet: failed to validate signature with KeyDescriptors
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Shibboleth [197] sessionGet: validating signature using certificate from within the signature
2008-03-31 16:31:38 ERROR SAML.SAMLResponse [197] sessionGet: signature failed to verify, error messages follow:
Reference URI="#_7bca6a62110b50b879348b849a615320" failed to verify
2008-03-31 16:31:38 DEBUG Shibboleth.Trust.Shibboleth [197] sessionGet: failed to verify signature with embedded certificates
2008-03-31 16:31:38 ERROR shibtarget.SessionCache [197] sessionGet: caught SAML exception during SAML attribute query: Unable to verify signed response message.
2008-03-31 16:31:38 ERROR shibtarget.SessionCache [197] sessionGet: no response obtained

thx a lot K
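In the log above the ds:Reference digest fails with every key tried, including the certificate embedded in the signature, while "Validation of <SignedInfo> failed" appears for only one of them; XML-DSig checks the Reference digest over the canonicalised Response before it checks the RSA SignatureValue, so the two steps are worth testing separately. The following is an added example, not from the original post or from Shibboleth: it recomputes the Reference digest with the same transform chain the posted SignedInfo declares (enveloped-signature, exclusive c14n with the listed PrefixList, then SHA-1), and shows that stray bytes inside the signed element, such as a log line written into the message, fail at exactly that step. It assumes lxml is installed; the cut-down Response, the signer stand-in and the injected log text are constructed.

```python
"""Recompute the ds:Reference digest of an enveloped XML-DSig over a SAML 1.1
Response separately from the SignatureValue check. Added example; needs lxml."""
import base64
import copy
import hashlib
from lxml import etree

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
# PrefixList from the ec:InclusiveNamespaces element in the posted response.
INCLUSIVE = ["code", "ds", "kind", "rw", "saml", "samlp", "typens",
             "#default", "xsd", "xsi"]

# Constructed, cut-down Response; the digest is filled in by fill_digest().
SAMPLE = b"""<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 ResponseID="_r1" MajorVersion="1" MinorVersion="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#_r1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue>
</ds:Reference></ds:SignedInfo></ds:Signature>
<saml:Assertion AssertionID="_a1"><saml:AttributeStatement/></saml:Assertion>
</Response>"""

def reference_digest(xml_bytes):
    """Transforms chain as in the post: enveloped-signature, exc-c14n, SHA-1."""
    work = copy.deepcopy(etree.fromstring(xml_bytes))
    for sig in work.findall(".//ds:Signature", NS):
        sig.getparent().remove(sig)  # enveloped-signature transform
    c14n = etree.tostring(work, method="c14n", exclusive=True,
                          with_comments=False, inclusive_ns_prefixes=INCLUSIVE)
    return base64.b64encode(hashlib.sha1(c14n).digest()).decode()

def fill_digest(xml_bytes):
    """Constructed stand-in for the signer: writes the correct DigestValue
    (a real IdP would then also sign SignedInfo with its RSA key)."""
    root = etree.fromstring(xml_bytes)
    root.find(".//ds:DigestValue", NS).text = reference_digest(xml_bytes)
    return etree.tostring(root)

def reference_ok(xml_bytes):
    """True when the stored DigestValue matches the recomputed one, i.e. the
    referenced content is byte-for-byte what the signer canonicalised."""
    stored = etree.fromstring(xml_bytes).find(".//ds:DigestValue", NS).text
    return stored.strip() == reference_digest(xml_bytes)

def inject_stray_text(xml_bytes):
    """Simulate stray bytes (a log line) landing inside the signed element."""
    marker = b"<saml:AttributeStatement/>"
    return xml_bytes.replace(
        marker, b"2008-03-31 16:31:38 DEBUG SAML.libcurl [197] sessionGet: " + marker)
```

If reference_ok passes on the bytes actually received by the SP but Shibboleth still reports the Reference failure, the difference lies in canonicalisation (for example the PrefixList) rather than in the content.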



Archive powered by MHonArc 2.6.16.