shibboleth-dev - Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature

Subject: Shibboleth Developers


Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature


  • From: "Adam Lantos" <>
  • To:
  • Subject: Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
  • Date: Wed, 29 Oct 2008 15:23:50 +0100

Hello Chad,


Thanks for the answer. Good point with the pretty-print... Now I got
the base64-encoded SAML response, decoded it and tried the validation
with java digsig api.

http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/
http://java.sun.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html#wp511427

Here is the JSR-105 API sample test I tried (it needs java se 6):
https://papigw.aai.niif.hu/saml2interop/Validate.java

And here is the decoded response
https://papigw.aai.niif.hu/saml2interop/samlresp.xml

$ java Validate samlresp.xml
Signature failed core validation
signature validation status: true
ref[0] validity status: false

(Unfortunately OpenSSO does not use JSR-105, it uses the old Sun
proprietary digsig API which I cannot test now, I just assume that Sun
is compatible with itself.)



thanks,
Adam




On Wed, Oct 29, 2008 at 2:32 PM, Chad La Joie
<>
wrote:
> The vast majority of the time (in fact, every time that I can remember)
> that this has been a problem it has been because something on the
> receiving side was doing something to screw up the XML before signature
> validation occurred. That an online verifier can't verify the signature
> is not surprising, what you included as an attachment is NOT what the
> IdP sends to the SP (the IdP doesn't pretty print things in order to
> send them to the SP).
>
> So, we're not trying to pass the buck when we say this, but if someone
> else's DSIG implementation is not able to validate the signature you
> need to take it up with them. With all the work Scott has done ensuring
> that both the C++ and Java signature support is sound we feel pretty
> confident now saying that if there is a problem, it is in the other people's code.
>
> Adam Lantos wrote:
>> Hello,
>>
>> I am facing a problem with our Shib2.0 IdP using the HTTP-POST profile
>> and xml signatures.
>>
>> When the IdP issues the AuthnResponse, it signs the response using
>> the credentials set in the relying party configuration file.
>> Shibboleth SPs are accepting this digital signature, but the Sun
>> JSR-105 implementation in JavaSE6 and the old proprietary Sun xml dsig
>> implementation both reject the XML signature as 'invalid'. I have
>> tried to use Sun's OpenSSO as SP with Shib2 IdP, but this signature
>> error stopped me.
>>
>> I found an online xmldsig verifier
>> (http://www.aleksey.com/xmlsec/xmldsig-verifier.html), but it also
>> could not validate my response.
>>
>> I also tried with a different IdP deployment, but it still gives me
>> wrong signatures. Do you have any clue what went wrong? I have
>> attached the response from the idp protocol_message log.
>>
>>
>> Shibboleth IdP 2.0, Sun's Java 1.5.0_16, Tomcat5.5. IdP is running
>> fine apart from this issue.
>>
>>
>> Thanks,
>> Adam
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> http://www.switch.ch
>
>
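The output Adam reports ("signature validation status: true", "ref[0] validity status: false") is the signature of content modified after signing. The following JSR-105 diagnostic is an added example, not Adam's Validate.java and not Shibboleth or OpenSSO code; it separates the cryptographic check over SignedInfo from the per-Reference digest check so that the two failure modes are told apart. It assumes Java 8 or later (for java.util.Base64), takes hypothetical file names (the decoded response and the IdP's signing certificate), and trusts the configured IdP certificate rather than the KeyInfo carried in the message.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Usage: java DiagnoseSignature samlresp.xml idp-signing.crt   (both file names are hypothetical)
public class DiagnoseSignature {
    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // ds:Signature is located by namespace, not by prefix
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));
        // Verify against the IdP key we configured, never against whatever KeyInfo the message carries.
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[1]));
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalStateException("expected exactly one ds:Signature");
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(cert.getPublicKey()), sigs.item(0));
        // SAML references the signed element as "#<ID>"; register the ID attribute so the URI resolves.
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttribute("ID")) ctx.setIdAttributeNS(e, null, "ID");
        }
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        boolean core = sig.validate(ctx);                            // SignatureValue AND every Reference
        boolean sigValueOk = sig.getSignatureValue().validate(ctx);  // only the RSA/DSA check over SignedInfo
        System.out.println("core validation: " + core + ", SignatureValue valid: " + sigValueOk);
        for (Object o : sig.getSignedInfo().getReferences()) {       // raw List on Java 6/7, typed on 9+
            Reference ref = (Reference) o;
            boolean refOk = ref.validate(ctx);
            System.out.println("Reference " + ref.getURI() + " valid: " + refOk);
            if (!refOk) {  // digest stored at signing time vs digest of the content as we now have it
                System.out.println("  expected: " + Base64.getEncoder().encodeToString(ref.getDigestValue()));
                System.out.println("  actual:   " + Base64.getEncoder().encodeToString(ref.getCalculatedDigestValue()));
            }
        }
        // Valid SignatureValue plus an invalid Reference means the key and algorithm are right but the
        // referenced content changed after signing (pretty-printing, re-serialisation, namespace rewriting).
        if (sigValueOk && !core) System.out.println("verdict: content altered after signing, not a key problem");
    }
}
```

Run it on the message exactly as received from the IdP (base64-decoded, never reformatted); if the digests then match but they did not on the pretty-printed copy, the whitespace change was the whole problem.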


