

Shibboleth 2.0 IdP xml digital signature


  • From: "Adam Lantos" <>
  • To:
  • Subject: Shibboleth 2.0 IdP xml digital signature
  • Date: Wed, 29 Oct 2008 14:23:08 +0100

Hello,

I am facing a problem with our Shib2.0 IdP using the HTTP-POST profile
and xml signatures.

When the IdP issues the AuthnResponse, it signs the response using
the credentials set in the relying party configuration file.
Shibboleth SPs are accepting this digital signature, but the Sun
JSR-105 implementation in JavaSE6 and the old proprietary Sun xml dsig
implementation both reject the XML signature as 'invalid'. I have
tried to use Sun's OpenSSO as SP with Shib2 IdP, but this signature
error stopped me.

I found an online xmldsig verifier
(http://www.aleksey.com/xmlsec/xmldsig-verifier.html), but it also
could not validate my response.

I also tried with a different IdP deployment, but it still gives me
wrong signatures. Do you have any clue what went wrong? I have
attached the response from the idp protocol_message log.


Shibboleth IdP 2.0, Sun's Java 1.5.0_16, Tomcat5.5. IdP is running
fine apart from this issue.


Thanks,
Adam
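<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 2.0 Response issued by a Shibboleth IdP 2.0, as captured in the idp
  protocol_message log and pasted into the mailing-list message above.

  Archive artifact removed: the list archive appended a stray ";" after every
  URL-valued attribute (xmlns:ds="...#";), which made this copy non-well-formed.
  Apart from removing those and adding the comments in this file, the markup is
  reproduced unchanged.

  Review notes on the signature (see the ds:Signature element):
  - ds:Reference URI="#_afee317801d213d8827b41ba20316620" matches the ID of this
    Response, so the enveloped signature covers the whole Response, Assertion
    included. A verifier should confirm the referenced ID resolves to the
    document element it expects before trusting the Assertion inside it.
  - CanonicalizationMethod and the second Transform are exclusive C14N without
    "#WithComments", so XML comments such as this one are not part of the
    digested bytes.
  - The InclusiveNamespaces PrefixList names "xs", which is declared only on the
    saml:AttributeValue elements further down and not at the Response element
    being signed. NOTE(review): implementations are known to differ on how a
    listed prefix that is not in scope is handled; this is a plausible source of
    the "invalid" result from other verifiers, but it is not confirmed here.
  - A verifier can only be expected to succeed on the exact bytes that were
    transmitted. If the protocol_message log re-serializes the DOM (the
    repeated xmlns:ds declarations suggest a serializer rather than the signed
    octets), whitespace and namespace-declaration placement may differ from
    what was signed; confirm by verifying the base64-decoded SAMLResponse form
    field taken from the POST to the SP.
-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.sch.bme.hu:443/opensso/Consumer/metaAlias/sp" ID="_afee317801d213d8827b41ba20316620" InResponseTo="s2bf3d52dd0a69d5b395a301f3cd2b1e642a5acce7" IssueInstant="2008-10-24T13:27:23.282Z" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://papigw.aai.niif.hu/idp/shibboleth</saml:Issuer>
   <!-- Enveloped signature over the Response (Reference URI = Response ID); RSA-SHA1 over SHA-1 digest, exclusive C14N. -->
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#_afee317801d213d8827b41ba20316620" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <!-- NOTE(review): "xs" is listed here but is only declared on the AttributeValue elements below, not at the Response. -->
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs"/>
               </ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">xrBgdPsZ0X4ubQZ47mVuXikvEOU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
ercV0smA0AFxwplNBpI4ZItMESkVRH9OefTo+ox2AHMnwnvuAJbFaOBILAabqvv4jDTfSX8TKxIs
re+1NPY4ZO8dn4ureThb2gmLfKNSItXy5jIfyrhCvktQzB5vEbQYR7jxoR4fiscZilsrnsrX9ZG/
IzvoNVMt9OrQS3p1eQU=
</ds:SignatureValue>
<!-- The embedded certificate is informational only; a relying party should match the signing key against the IdP's metadata, not trust KeyInfo as presented. The certificate body is elided in this copy. -->
<ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIIDczCCAlugAwIBAgIBDzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJIVTENMAsGA1UEChME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</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <!-- The Assertion is unsigned on its own; it is protected only by the enveloping Response signature above. Bearer confirmation: a relying party checks InResponseTo, Recipient, the NotOnOrAfter window (5 minutes here) and the Audience below in addition to the signature. -->
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ca7a9f5d71963a105491043cd9aa346d" IssueInstant="2008-10-24T13:27:23.282Z" Version="2.0">
      <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://papigw.aai.niif.hu/idp/shibboleth</saml:Issuer>
      <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1d9ef818175c340f1693cd4681115b81</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Address="152.66.211.112" InResponseTo="s2bf3d52dd0a69d5b395a301f3cd2b1e642a5acce7" NotOnOrAfter="2008-10-24T13:32:23.282Z" Recipient="https://idp.sch.bme.hu:443/opensso/Consumer/metaAlias/sp"/>
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2008-10-24T13:27:23.282Z" NotOnOrAfter="2008-10-24T13:32:23.282Z">
         <saml:AudienceRestriction>
            <saml:Audience>https://idp.sch.bme.hu:443/opensso/sp/test</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2008-10-24T13:27:18.186Z" SessionIndex="1ef24712e9074307e9a93bd00ed904c97d8269888191af354cc601b32c148bd6" SessionNotOnOrAfter="2008-10-24T17:27:18.186Z">
         <saml:SubjectLocality Address="152.66.211.112"/>
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <!-- NOTE(review): the non-ASCII characters in the cn and givenName values appear as "?" in the archive copy (mis-encoded); the original values are not recoverable from this page. -->
         <saml:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lantos ?d?m</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">employee</saml:AttributeValue>
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">staff</saml:AttributeValue>
         </saml:Attribute>
         <!-- The mail attribute is released with an empty value. -->
         <saml:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"></saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lantos</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">?d?m</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:mace:rediris.es:entitlement:wiki:jra5</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>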


