List:       shibboleth-users
Subject:    Re: [Shib-Users] Problems validating artifactresolve signature
From:       Brent Putman <putmanb () georgetown ! edu>
Date:       2011-04-29 17:27:15
Message-ID: 4DBAF4F3.6070402 () georgetown ! edu



On 4/29/11 11:52 AM, eduelmoni@hotmail.com wrote:
>
> However the same request via HTTP-Artifact binding gives us a problem. The SP
> generates the artifact and returns it to the IDP. Our IdP generates the
> following ArtifactResolve:
>

You are delivering the ArtifactResolve to the SP with the SAML SOAP
binding, right?


> When the SP tries to verify the message signature we get the following error:
>
>

> The signature algorithm, certificate, and the key etc are the same in both
> cases (for the response and artifactResolve). 


Assuming they really are the same, then the XML signature must really
not be valid (barring a heretofore unknown bug in the SP).  Since you
are sending with the SOAP binding, the problem is almost certainly in
either how you are serializing and transmitting the message after you
sign it (corrupting the signature), or else there's a c14n issue with
the use of the SOAP binding.


> Can you help me identify the
> problem?
> How can we correctly authenticate the artifactResolve?
>

See this page for troubleshooting signature issues, in particular step 4:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManSigErrors


What library or codebase are you using for the XML Signature support on
your IdP?  If it's ultimately Apache Santuario (either Java or C++),
then the instructions there should be sufficient to get the data you
need to diagnose.  If it's something else, you'll need to inquire of the
people who support that library how to get the pre-digest value
mentioned there.

--Brent
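
An added illustration of the pre-digest comparison described above (example code, not from the thread, the wiki page or OpenSAML): it hashes the canonical octets of a constructed ArtifactResolve as signed, then as it might arrive after three kinds of re-serialization, to show which changes the signature tolerates and which break it. The helper names, the message and its identifiers are made up, and Python's stdlib canonicalizer implements C14N 2.0 rather than the Exclusive C14N 1.0 SAML signatures normally reference, so it only stands in for the signing library's own canonicalizer.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the ArtifactResolve as the IdP serialized and signed it.
# Identifiers, endpoint and artifact value are made up; the Signature element is
# omitted because only the octets covered by the Reference digest matter here.
AS_SIGNED = (
    '<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2011-04-29T15:52:00Z">'
    '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
    '<samlp:Artifact>AAQAAGNvbnN0cnVjdGVk</samlp:Artifact>'
    '</samlp:ArtifactResolve>'
)

# Same infoset, attributes reordered and start-tag whitespace changed: harmless.
REORDERED = AS_SIGNED.replace(
    'ID="_constructed1" Version="2.0" IssueInstant="2011-04-29T15:52:00Z"',
    'Version="2.0"   IssueInstant="2011-04-29T15:52:00Z"\n  ID="_constructed1"',
)

# Pretty-printed in transit: the inserted whitespace text nodes are signed content.
PRETTY = AS_SIGNED.replace("><", ">\n  <")


def canonical_digest(xml) -> str:
    """SHA-256 over the canonical form of the document (the 'pre-digest' octets).

    ET.canonicalize is C14N 2.0 (Python 3.8+); it stands in here for the
    Exclusive C14N 1.0 step an XML-DSig library would run before digesting."""
    if isinstance(xml, bytes):
        xml = xml.decode("utf-8")
    c14n = ET.canonicalize(xml_data=xml)
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def reserialize(xml: str) -> bytes:
    """Parse and re-emit the message, as a naive transport layer might after signing.
    ElementTree assigns its own ns0/ns1 prefixes, which changes the canonical form."""
    return ET.tostring(ET.fromstring(xml))


def pre_digest_matches(sent, received) -> bool:
    """True when sender and receiver would digest identical octets, i.e. the
    Reference digest (and hence the signature) can still verify."""
    return canonical_digest(sent) == canonical_digest(received)


if __name__ == "__main__":
    for label, received in [("reordered attributes", REORDERED),
                            ("pretty-printed", PRETTY),
                            ("re-serialized by another parser", reserialize(AS_SIGNED))]:
        print(f"{label:32} pre-digest match: {pre_digest_matches(AS_SIGNED, received)}")
```

Comparing these digests on both the IdP and the SP side is the cheap first check before suspecting the key or certificate.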
