Shibboleth Developers

["Alistair Young" <>]

> older xmlsec library instead of 1.4
I used xmlsec-1.3.1 as it was listed in the source rpms for 1.3f. It's not
me that's seeing the problem though, it's live production 1.3f
installations in the uk federation. So I'm trying to replicate it locally,
to see if I can work out what's wrong.

> That sounds fairly definitive for your purposes
if only! The rest of the world is using 1.3f, unsupported or not.

> Still would be nice to know why it's not working though.
I'll let you know if I find out. I need to pursue this as the UK
Federation makes extensive use of 1.3f I believe. Presumably the I2 IdP
doesn't have the interop problem. Then again, it all seemed to happen
after I renewed the IdP's server cert, which the IdP also uses for signing
responses. Anyone fancy letting me have a SAML sample from their I2 IdP?

I'm hoping I can tweak our IdP to get round the 1.3f stuff, otherwise,
well, no-one is going to upgrade to 1.3.1 anytime soon.

Alistair


-- 
mov eax,1
mov ebx,0
int 80h

>> I eventually built 1.3f from source on OS X. While I'm rummaging, does
>> anyone have any pointers that could help me along? Our IdP worked ok
>> with SP 1.2.1, and it works ok with 1.3.1 and 2.0.0 but it seems to
>> not work with 1.3f. The SP always reports the error "unable to verify
>> signed profile response".
>
> The xml security code is most likely the same unless you built 1.3f with
> the
> older xmlsec library instead of 1.4. If that's the case, then I suppose
> that's the most likely culprit.
>
>> I've sampled the signed SAML coming from the
>> IdP and run it through a verifier here and it's fine. 1.3.1 and 2.0.0
>> verify the signature fine too. I think it's just 1.3f that won't
>> verify it.
>
> That sounds fairly definitive for your purposes. But if it were a bug on
> this end, it's not getting fixed. 1.3.1 is the only supported version on
> that branch. That's probably the fix.
>
> Still would be nice to know why it's not working though.
>
> -- Scott
>
>
>