[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [saml-dev] Signing Assertions
> Anyway, my question is what would happen if you passed the
> above soap envelope to a signature validator? The outer
> signature would pass (the one from the client) but surely the
> signature that was originally associated with the assertion
> (the one from the authority) would fail. This is because that
> signature contains the following: <Reference URI="">, which
> essentially states that the signature is associated with the
> whole document.

You're correct. I'm adding signing support to my opensaml library right now, and ran into that issue with a signed Response containing a signed Assertion.

> I suppose the question is, when the authority signs an
> assertion, should they put in a reference to the assertion
> itself, or a transform such as XPath (using exc-C14n) which
> identifies the assertion fragment as a separate piece of XML
> from the SOAP envelope or other context? If they use the
> above format (the null URI), then you can never take an
> assertion with a signature and put it into another document,
> as it breaks the signature.

That's what I plan to do, barring any problems with the Apache xml-security library that crop up. I think it's pretty much the only option. I believe the spec language in SAML isn't a problem, as it merely says you need to sign the "whole thing" in some sense, but I'll check into it and make sure. Might be useful to specify it a bit more precisely.

-- Scott
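The failure the two of them describe, as an added example that is not part of the thread and not code from opensaml or Apache xml-security: an authority signs an assertion, a client wraps it in a SOAP envelope and signs the envelope, and a validator handed the envelope is asked to check both signatures. With `<Reference URI="">` the inner digest is recomputed over the whole envelope and fails; with a reference to the assertion's own ID it is recomputed over just that fragment and passes. Everything here is a constructed stand-in: HMAC-SHA256 replaces the RSA signature, the C14N 2.0 writer in Python 3.8+'s `xml.etree` replaces exclusive C14N, only the parts of `ds:Signature` needed to show the reference semantics are built, the `Id` attributes on the signatures and the placement of the client's signature in `soap:Header` are my simplifications, and the keys, IDs and assertion text are made up.

```python
"""Model of XML-DSig reference semantics: URI="" (whole document) versus URI="#id"
(one fragment).  Added example; stdlib only (Python 3.8+ for ET.canonicalize).
HMAC stands in for RSA, C14N 2.0 stands in for exc-C14N; all data is constructed."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("saml", SAML), ("soap", SOAP), ("ds", DS)):
    ET.register_namespace(prefix, uri)

# Constructed SAML 1.x assertion; issuer, ID and subject are made-up values.
ASSERTION_XML = f"""
<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="_9f1c2b5e" Issuer="https://idp.example.org"
    IssueInstant="2002-10-01T12:00:00Z">
  <saml:AuthenticationStatement AuthenticationInstant="2002-10-01T11:59:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier>alice@example.org</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""
AUTHORITY_KEY = b"constructed-authority-key"   # stands in for the authority's RSA key
CLIENT_KEY = b"constructed-client-key"         # stands in for the client's RSA key


def canonical(elem) -> bytes:
    """Canonical bytes of one element subtree, serialized on its own (exc-C14N stand-in)."""
    node = copy.deepcopy(elem)
    node.tail = None
    return ET.canonicalize(ET.tostring(node, encoding="unicode"), strip_text=True).encode()


def drop_signature(elem, sig_id):
    """Enveloped-signature transform: remove the ds:Signature carrying this Id."""
    doomed = [(parent, child) for parent in elem.iter() for child in parent
              if child.tag == f"{{{DS}}}Signature" and child.get("Id") == sig_id]
    for parent, child in doomed:
        parent.remove(child)
    return elem


def find_by_id(root, value):
    """Resolve a same-document reference against the ID-typed SAML/DSig attributes."""
    for elem in root.iter():
        if value in (elem.get("AssertionID"), elem.get("ID"), elem.get("Id")):
            return elem
    raise LookupError(f"no element with ID {value!r}")


def reference_digest(root, sig_id, uri) -> str:
    """Digest of what <ds:Reference URI=...> covers, computed against the document `root`."""
    if uri == "":
        target = root                        # the whole document the validator was handed
    elif uri.startswith("#"):
        target = find_by_id(root, uri[1:])   # only the identified fragment
    else:
        raise ValueError(f"unsupported reference URI {uri!r}")
    return hashlib.sha256(canonical(drop_signature(copy.deepcopy(target), sig_id))).hexdigest()


def add_signature(root, parent, key, sig_id, uri):
    """Attach a one-Reference ds:Signature to `parent`; the digest is taken over `root`."""
    sig = ET.SubElement(parent, f"{{{DS}}}Signature", {"Id": sig_id})
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", {"URI": uri})
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = reference_digest(root, sig_id, uri)
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).hexdigest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac
    return sig


def verify_signature(root, sig, key) -> bool:
    """Check `sig` the way a validator handed `root` would: reference digest, then the MAC."""
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    ref = signed_info.find(f"{{{DS}}}Reference")
    try:
        actual = reference_digest(root, sig.get("Id"), ref.get("URI"))
    except LookupError:
        return False
    if not hmac.compare_digest(actual, ref.findtext(f"{{{DS}}}DigestValue")):
        return False
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, sig.findtext(f"{{{DS}}}SignatureValue"))


def find_signature(root, sig_id):
    for elem in root.iter(f"{{{DS}}}Signature"):
        if elem.get("Id") == sig_id:
            return elem
    raise LookupError(sig_id)


def scenario(reference_by_id: bool):
    """Authority signs the assertion, client wraps it in SOAP and signs the envelope.
    Returns (assertion verifies on its own, envelope signature verifies,
             assertion signature still verifies when the validator is given the envelope)."""
    assertion = ET.fromstring(ASSERTION_XML)
    uri = "#" + assertion.get("AssertionID") if reference_by_id else ""
    auth_sig = add_signature(assertion, assertion, AUTHORITY_KEY, "authority-sig", uri)
    standalone_ok = verify_signature(assertion, auth_sig, AUTHORITY_KEY)

    envelope = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(envelope, f"{{{SOAP}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP}}}Body")
    body.append(copy.deepcopy(assertion))            # signed assertion moved into the message
    client_sig = add_signature(envelope, header, CLIENT_KEY, "client-sig", "")

    outer_ok = verify_signature(envelope, client_sig, CLIENT_KEY)
    inner_ok = verify_signature(envelope, find_signature(envelope, "authority-sig"), AUTHORITY_KEY)
    return standalone_ok, outer_ok, inner_ok


if __name__ == "__main__":
    print('URI=""   ->', scenario(reference_by_id=False))   # (True, True, False)
    print('URI="#id" ->', scenario(reference_by_id=True))   # (True, True, True)
```

The same digest-and-MAC code runs both times; only the `Reference` changes. With `URI=""` the enveloped transform yields "everything around me", so the assertion's digest is tied to whatever document it currently sits in, and the client's re-wrapping is indistinguishable from tampering. With `URI="#<AssertionID>"` the digest covers only the fragment serialized on its own, so it survives being copied into a Response or a SOAP body. The flip side a validator has to respect is that it must then act only on the element the reference actually resolved to, not on any `Assertion` it happens to find first in the document.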