shibboleth-dev - Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature

  • From: Chad La Joie <>
  • To:
  • Subject: Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
  • Date: Wed, 29 Oct 2008 16:04:34 +0100
  • Openpgp: id=146B2514
  • Organization: SWITCH

As I said, you'll need to take it up with the Sun guys. Ask them how to
debug signature validation with their APIs.

Also I wouldn't bet that Sun's OpenSSO code is compatible with any other
Sun code.

Adam Lantos wrote:
> Hello Chad,
>
>
> Thanks for the answer. Good point with the pretty-print... Now I got
> the base64-encoded SAML response, decoded it and tried the validation
> with java digsig api.
>
> http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/
> http://java.sun.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html#wp511427
>
> Here is the JSR-105 API sample test I tried (it needs java se 6):
> https://papigw.aai.niif.hu/saml2interop/Validate.java
>
> And here is the decoded response
> https://papigw.aai.niif.hu/saml2interop/samlresp.xml
>
> $ java Validate samlresp.xml
> Signature failed core validation
> signature validation status: true
> ref[0] validity status: false
>
> (Unfortunately OpenSSO does not use JSR-105, it uses the old Sun
> proprietary digsig API which I cannot test now, I just assume that Sun
> is compatible with itself.)
>
>
>
> thanks,
> Adam
>
>
>
>
> On Wed, Oct 29, 2008 at 2:32 PM, Chad La Joie
> <>
> wrote:
>> The vast majority of the time (in fact, every time that I can remember)
>> that this has been a problem it has been because something on the
>> receiving side was doing something to screw up the XML before signature
>> validation occurred. That an online verifier can't verify the signature
>> is not surprising, what you included as an attachment is NOT what the
>> IdP sends to the SP (the IdP doesn't pretty print things in order to
>> send them to the SP).
>>
>> So, we're not trying to pass the buck when we say this, but if someone
>> else's DSIG implementation is not able to validate the signature you
>> need to take it up with them. With all the work Scott has done ensuring
>> that both the C++ and Java signature support is sound we feel pretty
>> confident now saying that if there is a problem it is in the other people's code.
>>
>> Adam Lantos wrote:
>>> Hello,
>>>
>>> I am facing a problem with our Shib2.0 IdP using the HTTP-POST profile
>>> and xml signatures.
>>>
>>> When the IdP issues the AuthnResponse, it signs the response using
>>> the credentials set in the relying party configuration file.
>>> Shibboleth SPs are accepting this digital signature, but the Sun
>>> JSR-105 implementation in JavaSE6 and the old proprietary Sun xml dsig
>>> implementation both reject the XML signature as 'invalid'. I have
>>> tried to use Sun's OpenSSO as SP with Shib2 IdP, but this signature
>>> error stopped me.
>>>
>>> I found an online xmldsig verifier
>>> (http://www.aleksey.com/xmlsec/xmldsig-verifier.html), but it also
>>> could not validate my response.
>>>
>>> I also tried with a different IdP deployment, but it still gives me
>>> wrong signatures. Do you have any clue what went wrong? I have
>>> attached the response from the IdP protocol_message log.
>>>
>>>
>>> Shibboleth IdP 2.0, Sun's Java 1.5.0_16, Tomcat5.5. IdP is running
>>> fine apart from this issue.
>>>
>>>
>>> Thanks,
>>> Adam
>> --
>> SWITCH
>> Serving Swiss Universities
>> --------------------------
>> Chad La Joie, Software Engineer, Net Services
>> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
>> phone +41 44 268 15 75, fax +41 44 268 15 68
>> ,
>> http://www.switch.ch
>>
>>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
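The failure pattern discussed in this thread (SignedInfo signature valid, reference digest invalid once the XML has been pretty-printed) can be reproduced without any SAML stack. The following Python is an added example, not code from the thread, from Shibboleth or from OpenSSO; the Assertion fragment and its ID are constructed, and Python's ElementTree canonicalizer (C14N 2.0) stands in for whatever reference transform the IdP actually configures.

```python
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Keep the "saml" prefix on re-serialisation so the only change is whitespace.
ET.register_namespace("saml", SAML_NS)

# Constructed sample: a minimal Assertion as an IdP would send it on the wire,
# with no whitespace between elements. Not a real Shibboleth message.
ORIGINAL = (
    '<saml:Assertion xmlns:saml="' + SAML_NS + '" ID="_abc123">'
    '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
    '<saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)


def c14n_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form, the way a <ds:Reference> DigestValue is computed.
    Inter-element whitespace is significant in every C14N variant, so it is hashed too."""
    canonical = ET.canonicalize(xml_data=xml_text, with_comments=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pretty_print(xml_text: str) -> str:
    """Re-serialise with indentation, as a protocol_message log or a pasted attachment would."""
    root = ET.fromstring(xml_text)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def reference_still_valid(signed_text: str, received_text: str) -> bool:
    """True iff the received document still hashes to the digest recorded at signing time.
    A False here is the JSR-105 'ref[0] validity status: false' seen in the thread."""
    return c14n_digest(signed_text) == c14n_digest(received_text)


def whitespace_only_difference(a: str, b: str) -> bool:
    """Diagnostic: do both documents agree once whitespace-only text nodes are stripped?
    If so, the reference failure is a reformatting artefact, not a modified message."""
    strip = lambda t: ET.canonicalize(xml_data=t, with_comments=False, strip_text=True)
    return strip(a) == strip(b)


if __name__ == "__main__":
    reformatted = pretty_print(ORIGINAL)
    print("reference valid after pretty-print:", reference_still_valid(ORIGINAL, reformatted))
    print("difference is whitespace only:", whitespace_only_difference(ORIGINAL, reformatted))
```

The first check fails and the second passes for the pretty-printed copy, which is the signature of "something reformatted the XML before validation" rather than a broken signer.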
