shibboleth-dev - Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature


  • From: Chad La Joie
  • Subject: Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
  • Date: Wed, 29 Oct 2008 14:32:07 +0100
  • Openpgp: id=146B2514
  • Organization: SWITCH

The vast majority of the time (in fact, every time that I can remember)
that this has been a problem it has been because something on the
receiving side was doing something to screw up the XML before signature
validation occurred. That an online verifier can't verify the signature
is not surprising: what you included as an attachment is NOT what the
IdP sends to the SP (the IdP doesn't pretty print things in order to
send them to the SP).

So, we're not trying to pass the buck when we say this, but if someone
else's DSIG implementation is not able to validate the signature you
need to take it up with them. With all the work Scott has done ensuring
that both the C++ and Java signature support is sound, we feel pretty
confident now saying that if there is a problem, it is in the other people's code.

Adam Lantos wrote:
> Hello,
>
> I am facing a problem with our Shib2.0 IdP using the HTTP-POST profile
> and xml signatures.
>
> When the IdP issues the AuthnResponse, it signs the response using
> the credentials set in the relying party configuration file.
> Shibboleth SPs are accepting this digital signature, but the Sun
> JSR-105 implementation in JavaSE6 and the old proprietary Sun xml dsig
> implementation both reject the XML signature as 'invalid'. I have
> tried to use Sun's OpenSSO as SP with Shib2 IdP, but this signature
> error stopped me.
>
> I found an online xmldsig verifier
> (http://www.aleksey.com/xmlsec/xmldsig-verifier.html), but it also
> could not validate my response.
>
> I also tried with a different IdP deployment, but it still gives me
> wrong signatures. Do you have any clue what went wrong? I have
> attached the response from the IdP protocol_message log.
>
>
> Shibboleth IdP 2.0, Sun's Java 1.5.0_16, Tomcat5.5. IdP is running
> fine apart from this issue.
>
>
> Thanks,
> Adam

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
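The failure mode Chad describes (the receiver re-serializing or pretty-printing the XML before verification) can be reproduced without any SAML stack. The following is an added example, not code from the thread or from Shibboleth; the Assertion, the example.org issuer and the subject are constructed, and it models only the ds:Reference digest step of XML DSig, using the standard library's C14N 2.0 implementation (Python 3.8+).

```python
"""Why re-serializing XML before signature validation breaks an XML DSig.

XML DSig hashes each referenced element *after* canonicalization (C14N), not
its raw bytes, so attribute order and quote style do not matter. Whitespace
text nodes do survive C14N, so indentation inserted by a pretty-printer (or a
log formatter, proxy or debugging tool) changes the digest and the Reference
check fails even though the signature itself was never tampered with.
"""
import base64
import hashlib
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed stand-in for the compact, unformatted Assertion an IdP emits on the wire.
ISSUED = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ex1">'
          '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
          '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
          '</saml:Assertion>')
# Same infoset, different serialization: swapped attribute order and single quotes.
REORDERED = ISSUED.replace(
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ex1">',
    "<saml:Assertion ID='_ex1' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>")

def digest_value(xml_text: str) -> str:
    """Canonicalize (C14N 2.0, stdlib) and return base64(SHA-256), as ds:DigestValue holds."""
    canonical = ET.canonicalize(xml_text, strip_text=False)
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")

def pretty_print(xml_text: str) -> str:
    """Re-serialize with indentation, which inserts whitespace text nodes between elements."""
    return xml.dom.minidom.parseString(xml_text).documentElement.toprettyxml(indent="  ")

def reference_valid(received_xml: str, signed_digest: str) -> bool:
    """The verifier's Reference check: recompute the digest over what was received."""
    return digest_value(received_xml) == signed_digest

def demo() -> dict:
    signed = digest_value(ISSUED)  # the value the signer recorded in ds:DigestValue
    return {
        "as_sent": reference_valid(ISSUED, signed),                       # True
        "reordered_attrs": reference_valid(REORDERED, signed),            # True: C14N absorbs it
        "pretty_printed": reference_valid(pretty_print(ISSUED), signed),  # False
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} -> {'digest matches' if ok else 'DIGEST MISMATCH'}")
```

The third case is exactly the situation in the thread: the pretty-printed copy in the protocol_message log (or anything a verifier receives after reformatting) is not the bytes that were canonicalized and hashed when the IdP signed.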