shibboleth-dev - Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature

  • From: Chad La Joie <>
  • Subject: Re: [Shib-Dev] Shibboleth 2.0 IdP xml digital signature
  • Date: Fri, 31 Oct 2008 10:32:55 +0100
  • Openpgp: id=146B2514
  • Organization: SWITCH

This was indeed unintended behavior. As various responses to this
thread indicated, there was an unwanted connection between the operating
system default character set and what was being used to encode the
messages to be Base64 encoded. The code is now explicitly using UTF-8.
We'll investigate further if, and how, to make this configurable.

Adam Lantos wrote:
> Chad,
>
> I also noticed that question marks are inserted into the
> AttributeStatement, here:
>
> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">Lantos ?d?m</saml:AttributeValue>
>
> These characters should be 'Ádám'... Maybe there are some character
> encoding issues here :s
>
> Now when I set includeAttributeStatement="false" - voilà! The xml
> passes signature validation.
>
> https://papigw.aai.niif.hu/saml2interop/samlresp-without-attributes.xml
>
>
> thanks,
> Adam
>
>
>
> On Wed, Oct 29, 2008 at 2:32 PM, Chad La Joie
> <>
> wrote:
>> The vast majority of the time (in fact, every time that I can remember)
>> that this has been a problem it has been because something on the
>> receiving side was doing something to screw up the XML before signature
>> validation occurred. That an online verifier can't verify the signature
>> is not surprising, what you included as an attachment is NOT what the
>> IdP sends to the SP (the IdP doesn't pretty print things in order to
>> send them to the SP).
>>
>> So, we're not trying to pass the buck when we say this, but if someone
>> else's DSIG implementation is not able to validate the signature you
>> need to take it up with them. With all the work Scott has done ensuring
>> that both the C++ and Java signature support is sound we feel pretty
>> confident now saying that if there is a problem it is in the other people's code.
>>
>> Adam Lantos wrote:
>>> Hello,
>>>
>>> I am facing a problem with our Shib2.0 IdP using the HTTP-POST profile
>>> and xml signatures.
>>>
>>> When the IdP issues the AuthnResponse, it signs the response using
>>> the credentials set in the relying party configuration file.
>>> Shibboleth SPs are accepting this digital signature, but the Sun
>>> JSR-105 implementation in JavaSE6 and the old proprietary Sun xml dsig
>>> implementation both reject the XML signature as 'invalid'. I have
>>> tried to use Sun's OpenSSO as SP with Shib2 IdP, but this signature
>>> error stopped me.
>>>
>>> I found an online xmldsig verifier
>>> (http://www.aleksey.com/xmlsec/xmldsig-verifier.html), but it also
>>> could not validate my response.
>>>
>>> I also tried with a different IdP deployment, but it still gives me
>>> wrong signatures. Do you have any clue what went wrong? I have
>>> attached the response from the idp protocol_message log.
>>>
>>>
>>> Shibboleth IdP 2.0, Sun's Java 1.5.0_16, Tomcat5.5. IdP is running
>>> fine apart from this issue.
>>>
>>>
>>> Thanks,
>>> Adam
>> --
>> SWITCH
>> Serving Swiss Universities
>> --------------------------
>> Chad La Joie, Software Engineer, Net Services
>> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
>> phone +41 44 268 15 75, fax +41 44 268 15 68
>> http://www.switch.ch
>>
>>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
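An added illustration of the charset mismatch Chad describes above (example code, not from the thread or from the Shibboleth code base): the signer hashes the UTF-8 form of the element, but the HTTP-POST form field is built from bytes produced by the platform default charset, so the bytes the SP decodes no longer match the digest. The SHA-1 digest is a simplified stand-in for the XMLDSig Reference digest, and the SAML fragment is a constructed sample built around the attribute value from Adam's mail.

```python
import base64
import hashlib

# Constructed sample fragment with the attribute value from the thread; the real
# message is a full signed saml:Response, but the mismatch mechanism is the same.
SAML_FRAGMENT = (
    '<saml:AttributeValue xsi:type="xs:string">Lantos Ádám</saml:AttributeValue>'
)

def digest(data: bytes) -> str:
    """Simplified stand-in for an XMLDSig Reference digest: SHA-1 over the bytes."""
    return hashlib.sha1(data).hexdigest()

def idp_sign(xml: str) -> str:
    """The signer hashes the canonical (UTF-8) form of the element it signs."""
    return digest(xml.encode("utf-8"))

def idp_encode_for_post(xml: str, platform_charset: str) -> str:
    """Serialise the message into the Base64 HTTP-POST form field.
    Before the fix the bytes came from the JVM default charset; Java's
    String.getBytes() substitutes '?' for characters that charset cannot
    represent, which errors='replace' reproduces here."""
    raw = xml.encode(platform_charset, errors="replace")
    return base64.b64encode(raw).decode("ascii")

def sp_verify(b64: str, expected_digest: str):
    """The SP decodes the form field, treats it as UTF-8 XML and recomputes
    the digest. Returns (digest_matches, attribute text as the SP sees it)."""
    raw = base64.b64decode(b64)
    seen = raw.decode("utf-8", errors="replace")
    return digest(raw) == expected_digest, seen

def simulate(platform_charset: str):
    """Run one IdP -> SP exchange with the given JVM default charset."""
    expected = idp_sign(SAML_FRAGMENT)
    return sp_verify(idp_encode_for_post(SAML_FRAGMENT, platform_charset), expected)

if __name__ == "__main__":
    for charset in ("US-ASCII", "ISO-8859-1", "UTF-8"):
        ok, seen = simulate(charset)
        print(f"{charset:11} digest ok={ok!s:5} SP sees: {seen}")
```

With an ASCII default the SP sees exactly the "Lantos ?d?m" from the thread; a Latin-1 default produces no question marks yet still breaks the digest, which is why the fix pins the encoding to UTF-8 rather than relying on the locale.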