OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [saml-dev] Signing Assertions

> Anyway, my question is what would happen if you passed the 
> above soap envelope to a signature validator? The outer 
> signature would pass (the one from the client) but surely the 
> signature that was originally associated with the assertion 
> (the one from the authority) would fail. This is because that 
> signature contains the following: <Reference URI="">, which 
> essentially states that the signature is associated with the 
> whole document.

You're correct. I'm adding signing support to my opensaml library right
now, and ran into that issue with a signed Response containing a signed

> I suppose the question is, when the authority signs an 
> assertion, should they put in a reference to the assertion 
> itself, or a transform such as XPath (using exc-C14n) which 
> identifies the assertion fragment as a seperate piece of XML 
> from the SOAP envelope or other context? If they use the 
> above format (the null URI), then you can never take an 
> assertion with a signature and put it into another document, 
> as it breaks the signature.

That's what I plan to do, barring any problems with the Apache
xml-security library that crop up. I think it's pretty much the only
option. I believe the spec language in SAML isn't a problem, as it
merely says you need to sign the "whole thing" in some sense, but I'll
check into it and make sure. Might be useful to specify it a bit more

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC