shibboleth-dev - Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature

Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature


  • From: "Adam Lantos" <>
  • To:
  • Subject: Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
  • Date: Wed, 29 Oct 2008 16:17:31 +0100

Okay, I found the problem. Tomcat ran with a POSIX locale. Now with a
UTF-8 locale it gives good results :)

And yes, Shib2 and OpenSSO _ARE_ compatible with SAML2 both ways...


thanks for your help,
Adam



On Wed, Oct 29, 2008 at 4:07 PM, Chad La Joie
<>
wrote:
> Well, something isn't reading the XML as UTF-8 encoded then. You'll
> need to refer to the docs for the APIs you're using in order to properly
> parse the XML.
>
> Adam Lantos wrote:
>> Chad,
>>
>> I also noticed that question marks are inserted into the
>> AttributeStatement, here:
>>
>> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="xs:string">Lantos ?d?m</saml:AttributeValue>
>>
>> These characters should be 'Ádám'... Maybe there are some character
>> encoding issues here :s
>>
>> Now when I set includeAttributeStatement="false" - voilà! The XML
>> passes signature validation.
>>
>> https://papigw.aai.niif.hu/saml2interop/samlresp-without-attributes.xml
>>
>>
>> thanks,
>> Adam
>>
>>
>>
>> On Wed, Oct 29, 2008 at 2:32 PM, Chad La Joie
>> <>
>> wrote:
>>> The vast majority of the time (in fact, every time that I can remember)
>>> that this has been a problem it has been because something on the
>>> receiving side was doing something to screw up the XML before signature
>>> validation occurred. That an online verifier can't verify the signature
>>> is not surprising, what you included as an attachment is NOT what the
>>> IdP sends to the SP (the IdP doesn't pretty print things in order to
>>> send them to the SP).
>>>
>>> So, we're not trying to pass the buck when we say this, but if someone
>>> else's DSIG implementation is not able to validate the signature you
>>> need to take it up with them. With all the work Scott has done ensuring
>>> that both the C++ and Java signature support is sound we feel pretty
>>> confident now saying that if there is a problem it is in the other people's
>>> code.
>>>
>>> Adam Lantos wrote:
>>>> Hello,
>>>>
>>>> I am facing a problem with our Shib2.0 IdP using the HTTP-POST profile
>>>> and xml signatures.
>>>>
>>>> When the IdP issues the AuthnResponse, it signs the response using
>>>> the credentials set in the relying party configuration file.
>>>> Shibboleth SPs are accepting this digital signature, but the Sun
>>>> JSR-105 implementation in JavaSE6 and the old proprietary Sun xml dsig
>>>> implementation both reject the XML signature as 'invalid'. I have
>>>> tried to use Sun's OpenSSO as SP with Shib2 IdP, but this signature
>>>> error stopped me.
>>>>
>>>> I found an online xmldsig verifier
>>>> (http://www.aleksey.com/xmlsec/xmldsig-verifier.html), but it also
>>>> could not validate my response.
>>>>
>>>> I also tried with a different IdP deployment, but it still gives me
>>>> wrong signatures. Do you have any clue what went wrong? I have
>>>> attached the response from the IdP protocol_message log.
>>>>
>>>>
>>>> Shibboleth IdP 2.0, Sun's Java 1.5.0_16, Tomcat5.5. IdP is running
>>>> fine apart from this issue.
>>>>
>>>>
>>>> Thanks,
>>>> Adam
>>> --
>>> SWITCH
>>> Serving Swiss Universities
>>> --------------------------
>>> Chad La Joie, Software Engineer, Net Services
>>> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
>>> phone +41 44 268 15 75, fax +41 44 268 15 68
>>> ,
>>> http://www.switch.ch
>>>
>>>
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> ,
> http://www.switch.ch
>
>
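The root cause Adam reports (a JVM under the POSIX locale turning "Ádám" into "?d?m" before the receiver canonicalizes and digests the assertion) is easy to reproduce without any SAML stack. The following Python is an added illustration, not code from the thread, from Shibboleth or from OpenSSO. It builds a constructed AttributeValue element, models the receiver's charset round trip, and shows that the reference digest survives a UTF-8 locale but not an ASCII one. It uses the standard library's `xml.etree.ElementTree.canonicalize` (C14N 2.0) and SHA-256 as stand-ins for the Exclusive C14N 1.0 and digest algorithm a real ds:Reference would name; the property demonstrated, that any change to the text content changes the digest, is the same.

```python
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample, not the response from the thread: one AttributeValue
# carrying a non-ASCII Hungarian name, as the IdP would emit it in UTF-8.
ATTRIBUTE_VALUE_XML = (
    '<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:type="xs:string">Lantos Ádám</saml:AttributeValue>'
)


def c14n_digest(xml_text: str) -> str:
    """Canonicalize the element and hash the canonical UTF-8 bytes.

    This is what a ds:Reference's DigestValue protects.  The stdlib
    implements C14N 2.0 rather than the Exclusive C14N 1.0 that SAML uses,
    and SHA-256 stands in for whatever digest algorithm the signature names;
    the property shown here does not depend on either choice.
    """
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reencode_via_default_charset(xml_text: str, charset: str) -> str:
    """Model a receiver converting the text through its platform charset.

    A JVM started under the POSIX/C locale defaults to an ASCII-family
    charset; characters it cannot map are replaced by '?', which is the
    symptom reported in the thread.  Under a UTF-8 locale the round trip
    is lossless.
    """
    return xml_text.encode(charset, errors="replace").decode(charset)


def verify_digest(xml_text: str, expected_digest: str) -> bool:
    """Recompute the digest over the XML as the receiver now holds it."""
    return c14n_digest(xml_text) == expected_digest


def demonstrate() -> dict:
    """Sign-time digest versus what two differently configured receivers see."""
    signed_digest = c14n_digest(ATTRIBUTE_VALUE_XML)
    utf8_view = reencode_via_default_charset(ATTRIBUTE_VALUE_XML, "utf-8")
    posix_view = reencode_via_default_charset(ATTRIBUTE_VALUE_XML, "ascii")
    return {
        "utf8_locale_ok": verify_digest(utf8_view, signed_digest),
        "posix_locale_ok": verify_digest(posix_view, signed_digest),
        "posix_locale_text": ET.fromstring(posix_view).text,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The practical check this suggests for a deployment: when a signature fails only on messages that carry non-ASCII attribute values (and passes with `includeAttributeStatement="false"`), compare the bytes the receiver actually parsed against the wire bytes before blaming the signer; a charset or locale mismatch on the receiving side produces exactly this pattern.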


