Geek Answers Handbook

Signature Verification Problems Using OpenSAML and OpenSSO

We use OpenSAML on the site of the service provider to provide single sign-on for our customers. Our client (ID provider) has been using OpenSSO from their end. The answer of SAML, which is published by OpenSSO, is slightly different when it comes to the signature element, as it is not defined by the namespace. This is not like OpenSAML, and it returns zero from samlResponse.getSignature(), because of which I cannot verify the signature.

SamlReponse signature snippet causing the problem

<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#s2d10cccbd58d1f78c2c76c74c82a236548c929ffd">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>j+KBoDOtEcyCquPTxRCXoBulStQ=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>Dv+owuZfGFymGGrw2gHA3/7GVC6mXt8JMW+tOvmtnjTRJZaDE+Nb2NCngio1Tnqu4LWnvVrry4Wk... 6QcIJi/kGc4YFMSQj/Q=</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>MIIEhDCCA+2gAwIBAgIQXxhipi2wpPxWi7MTVfFVHDANBgkqhkiG9w0BAQUFADCBujEfMB0GA1UE... 78Q/lRQuBhHMy02lKctnwjBeEYA=</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>

Signature snippet from another SAML response that works

<dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <dsig:Reference URI="#id-TtLltjcBSOAJ6OipumUEj8o0Qag-">
            <dsig:Transforms>
                <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>5c95zhA139qzMvZA2A445F3LWaU=</dsig:DigestValue>
        </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>JsmRFJn1CjClHs4rf0hrwKzOq6ZtmnOEm/PNiaJvYurko/ZP+PApWhk55x0unIVwZ6XDv3k8Dj81WqUl07J0Dkvzp71bccIgiGTRzoNPT71nBAXxJmZiXz51JWctg13zjxP0oQMSpWytKCrFkCkJ0So3RQl3WixYV3miK0YjJnM=</dsig:SignatureValue>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:KeyInfo>
</dsig:Signature>

As you can see above, the signature fragment from the OpenSSO server does not contain a namespace qualifier, as specified in the SAML Bindings specification.

, SAMLResponse, , OpenSAML .

, OpenSAML, .

CJ

+5
2

, DOM XML. , , , SAML Response XML ( , Response, Assertion ).

Element assertionElem = assertion.getDOM();

if (!assertionElem.hasAttribute("xmlns:saml")) {
   assertionElem.setAttribute("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion");
}

if (!assertionElem.hasAttribute("xmlns:ds")) {
   assertionElem.setAttribute("xmlns:ds", "http://www.w3.org/2000/09/xmldsig#");
}

String assertionXml = Serializer.serializeXml(assertionElem, true, true);

, xmlns = "http://www.w3.org/2000/09/xmldsig#" , setDOM() . , samlResponse.getSignature().getDOM() XML, DOM Signature.

, , XML, , .

0

ComponentSpace SAML 2.0 library , ADFS . XML, ADFS, , , .

, XML, . ComponentSpace . , .

OpenSAML XML. .

0

More articles:


All Articles