Hi All, I am trying to send my federation server a SAML message that has a signed assertion in it that I have created using .NET 3.5. My federation server is written in Java and uses the latest version of Apache XML Security to process these messages' digital signatures. After an embarrassingly long time of sifting through code, blog posts, mailing lists, and the W3C's spec, I am stuck and would *greatly* appreciate some help.
When I use the federation server to create a SAML message and send it back to it for verification, it accepts the signature. In this use case, effectively, it's a signature produced by your toolkit being validated by it. I have made the assertion created by my .NET code very close to the one accepted by the federation server (differences described after the XML docs). However, the XML signature processor in the server still considers it invalid. I've added the public key in the SAML message to the cacerts file used by the JRE that my federation server runs in (in case that makes a diff).

Here are the documents that I'm working w/. The first is produced by the federation server and is signed w/ your toolkit which is being validated OK:

<samlp:Response IssueInstant="2010-08-20T20:03:19.135Z" ID="gzkD2IIbWdVCDYURBGADixzaWNB" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion Version="2.0" IssueInstant="2010-08-20T20:03:19.140Z" ID="i4JxuzpsMFt59B4m0THfGZFamo7" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>localhost:default:entityId</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#i4JxuzpsMFt59B4m0THfGZFamo7">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>6sws+aEYHaQnUtS41TlGkoLvPMc=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WMQW5cNDoxPbkM/YA+5KOLpHqrhY3M2ir9BtooTrmgAVzGR+0qDTNq1
0knR36mQmJMV0PKiLb8wL
/EOetUx8Y8SkruVb5qcv0J2rWkXJbo68uR/2ilB5BYnnNVxkV0OzzdEjnmPLFyTNoraOaZ4GR8Du
oGA+0cp43Q55tCaBLYS/qIxoiQrpw+XVHUy+Xh3BMwYj0CoaNCZmEE06iVWb0Fd7VY4j4VOcuRq3
ImQ27MOmUQvwk1lVH4y+OMiHt9SijCWP1Q2TzUGk5jvtlXc60sA56cD3uHb54tEAlmK3ciB7nkpZ
ZlCbPUipPICYrQkl94uHt0M224nMXfv8++aB0Q==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC/jCCAeagAwIBAgIQFbo2Qg0w955Dgf1MzdFm6zANBgkqhk
iG9w0BAQUFADARMQ8wDQYDVQQD
EwZUcmF2aXMwIBcNMTAwNTAxMDYxODQ3WhgPMjExMDA0MDcwNjE4NDdaMBExDzANBgNVBAMTBlRy
YXZpczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMYhy0zAuKLqF1Qnz89o+7DvfE8y
OTAspkNw7GInKnKl5SgJ0OGvpJehU4neEYiPjL7nfHGq4kGL+u/735gRBlMjQWsdCQAPZUR4OJbQ
zmcNGRIeZ5yUtduCjToI/ASXmUVHUK5sMwSvoSZoTMTsVrTe+oxtKIplq2WvdvrHVed0xIMGqk/u
fi82cNEebE61aXQczpICrgMavnaTgQ2xzM6hu2lxL9C0SdNE9QOqtW+JzHQRYy2mzGkxsByuZ/M9
8MVkKJSQt24sYy52WK7MvlNnY8PSuPvdl8E1OWPfmCJNdXcYLTVZu399BNZazrVDPzybUbnnwygE
g/hboHnGTNMCAwEAAaNQME4wFQYDVR0lBA4wDAYKKwYBBAGCNwoDBDAqBgNVHREEIzAhoB8GCisG
AQQBgjcUAgOgEQwPVHJhdmlzQGRvZ3dvb2QAMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEB
AJplSd5TXGT3jvX7aK3C+pohVRl/VfyigGFGU/AvX+oiqy+dCy4pw7Ee/luDkHCfReWG1aEIS3w7
cSf8fHKsS5e339V4HsMVY7YaFyyQV7xzEuCMnDIIClcexF6Bm4LZQXcvojrYdnt0gedrmXi450N+
YA5k/qGkMz4EFKv4rdxJxT2NVc6Lrv+ZfZJU0yHz74krbuG1I181+MtcKwfmKIzjU+HZ6PrwJktH
2XO6rEP/yDg6gKSokJyi7OLpbVoKVN1obYmeB0PbAQChvEhCDNrbDMOkEEnhYlta6sdMLvIqbfRF
vqjKGEqpMTEetijll70vEduJD9zsL6VRusIJ/pI=</ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>xiHLTMC4ouoXVCfPz2j7sO98TzI5MCymQ3DsYicqcqXlKAnQ4a+kl6FT
id4RiI+Mvud8cariQYv6
7/vfmBEGUyNBax0JAA9lRHg4ltDOZw0ZEh5nnJS124KNOgj8BJeZRUdQrmwzBK+hJmhMxOxWtN76
jG0oimWrZa92+sdV53TEgwaqT+5+LzZw0R5sTrVpdBzOkgKuAxq+dpOBDbHMzqG7aXEv0LRJ00T1
A6q1b4nMdBFjLabMaTGwHK5n8z3wxWQolJC3bixjLnZYrsy+U2djw9K4+92XwTU5Y9+YIk11dxgt
NVm7f30E1lrOtUM/PJtRuefDKASD+FugecZM0w==</ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2010-08-20T20:08:19.141Z" Recipient="https://localhost:9031/sp/ACS.saml2"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2010-08-20T20:08:19.141Z" NotBefore="2010-08-20T19:58:19.141Z">
      <saml:AudienceRestriction>
        <saml:Audience>localhost:default:entityId</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-08-20T20:03:19.140Z" SessionIndex="i4JxuzpsMFt59B4m0THfGZFamo7">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="FooUrl">
        <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://localhost/spsample/?foo=bar</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

The second is created w/ .NET and its signature is not considered valid:

<Response Destination="https://localhost:9031/sp/ACS.saml2" IssueInstant="2010-08-27T05:24:46" ID="Swr4yvoT7e5PF447k9PVPHdn2g3" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <Assertion ID="_e31ba86e-98b0-48bb-b5f4-deed6156240d" IssueInstant="2010-08-27T05:24:46.360Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>localhost:default:entityId</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_e31ba86e-98b0-48bb-b5f4-deed6156240d">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>8wP0L/LAQBlet3Qh/Ueww2dxZCA=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>NZVuOduItANH5THpx1GNxuwRqjd3BRT9fjD1u+i3iKtlH6DPSkox1N30/VFrj
LSTswwWGml/axS8kdkrcuzYPrfPk/p0ys8o54Q7Oz5AoBx9yzQl5OA8mL+mIjxwZVA8DhN5YpT+V
7mw5wnwuHuR/HCpA/q6iYr6TY6wLSsW9J6eP+6rdTi72egdPJebbMgAq55IEut0kPGC1SFYFWd/7
2PxrjnGKwAez/zeaJ5DNf/XsoyIOBGv2HDXQcKkJ3cDzV/qoCpDMNQAES0amt0kjH16uRz6Xe10E
JhZQJJocE2xw8ne8KXxEBE9fsIbc4zgOf1nUiTctpwprA6/D1XZzA==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIC/jCCAeagAwIBAgIQFbo2Qg0w955Dgf1MzdFm6zANBgkqhkiG9w0
BAQUFADARMQ8wDQYDVQQDEwZUcmF2aXMwIBcNMTAwNTAxMDYxODQ3WhgPMjExMDA0MDc
wNjE4NDdaMBExDzANBgNVBAMTBlRyYXZpczCCASIwDQYJKoZIhvcNAQEBBQADggEPADC
CAQoCggEBAMYhy0zAuKLqF1Qnz89o+7DvfE8yOTAspkNw7GInKnKl5SgJ0OGvpJehU4n
eEYiPjL7nfHGq4kGL+u/735gRBlMjQWsdCQAPZUR4OJbQzmcNGRIeZ5yUtduCjToI/AS
XmUVHUK5sMwSvoSZoTMTsVrTe+oxtKIplq2WvdvrHVed0xIMGqk/ufi82cNEebE61aXQ
czpICrgMavnaTgQ2xzM6hu2lxL9C0SdNE9QOqtW+JzHQRYy2mzGkxsByuZ/M98MVkKJS
Qt24sYy52WK7MvlNnY8PSuPvdl8E1OWPfmCJNdXcYLTVZu399BNZazrVDPzybUbnnwyg
Eg/hboHnGTNMCAwEAAaNQME4wFQYDVR0lBA4wDAYKKwYBBAGCNwoDBDAqBgNVHREEIzA
hoB8GCisGAQQBgjcUAgOgEQwPVHJhdmlzQGRvZ3dvb2QAMAkGA1UdEwQCMAAwDQYJKoZ
IhvcNAQEFBQADggEBAJplSd5TXGT3jvX7aK3C+pohVRl/VfyigGFGU/AvX+oiqy+dCy4
pw7Ee/luDkHCfReWG1aEIS3w7cSf8fHKsS5e339V4HsMVY7YaFyyQV7xzEuCMnDIIClc
exF6Bm4LZQXcvojrYdnt0gedrmXi450N+YA5k/qGkMz4EFKv4rdxJxT2NVc6Lrv+ZfZJ
U0yHz74krbuG1I181+MtcKwfmKIzjU+HZ6PrwJktH2XO6rEP/yDg6gKSokJyi7OLpbVo
KVN1obYmeB0PbAQChvEhCDNrbDMOkEEnhYlta6sdMLvIqbfRFvqjKGEqpMTEetijll70
vEduJD9zsL6VRusIJ/pI=</X509Certificate>
        </X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2010-08-27T05:25:46.360Z" Recipient="https://localhost:9031/sp/ACS.saml2"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2010-08-27T05:24:46.359Z" NotOnOrAfter="2010-08-27T05:25:46.359Z">
      <AudienceRestriction>
        <Audience>localhost:default:entityId</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2010-08-27T05:24:46.360Z" SessionIndex="_4da72941-e6da-4e59-af4f-2e0d3ea853a9">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
    <AttributeStatement>
      <Attribute Name="FooUrl" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue>https://localhost/SpSample/?foo=bar</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</Response>

The only differences I see between these docs are the following:

* Identifiers for the assertions, sessions, etc.
* Attribute order on a few elements
* Use of namespace prefixes through the doc that validates vs. the use of the default namespace on the one that doesn't
* Temporal data
* The URI attribute value of the ds:Reference element
* Missing type attribute on the AttributeValue element of the invalid document

While I understand that these differences would result in different signature values (which is fine), I don't understand why Apache XML Security considers the .NET-generated signature invalid. When I turn on debugging of XML signatures in the federation server, this is what I get in the log:

2010-08-26 22:25:04,292 tid:8ec06a77f WARN [org.apache.xml.security.signature.XMLSignature] Signature verification failed.
2010-08-26 22:25:04,303 tid:8ec06a77f WARN [org.apache.xml.security.signature.Reference] Verification failed for URI "#_e31ba86e-98b0-48bb-b5f4-deed6156240d"
2010-08-26 22:25:04,306 tid:8ec06a77f WARN [org.apache.xml.security.signature.Reference] Expected Digest: 8wP0L/LAQBlet3Qh/Ueww2dxZCA=
2010-08-26 22:25:04,309 tid:8ec06a77f WARN [org.apache.xml.security.signature.Reference] Actual Digest: WxH1MlSyFAlbRx0jlbuvwH27UrY=
2010-08-26 22:25:04,312 tid:8ec06a77f DEBUG [org.sourceid.common.dsig.XmlSignatureUtil] XmlObject.xmlText():
<Assertion ID="_e31ba86e-98b0-48bb-b5f4-deed6156240d" IssueInstant="2010-08-27T05:24:46.360Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>localhost:default:entityId</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_e31ba86e-98b0-48bb-b5f4-deed6156240d">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>8wP0L/LAQBlet3Qh/Ueww2dxZCA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>NZVuOduItANH5THpx1GNxuwRqjd3BRT9fjD1u+i3iKtlH6DPSkox1N30/VFrjLSTswwWGml/axS8kdkrcuzYPrfPk/p0ys8o54Q7Oz5AoBx9yzQl5OA8mL+mIjxwZVA8DhN5YpT+V7mw5wnwuHuR/HCpA/q6iYr6TY6wLSsW9J6eP+6rdTi72egdPJebbMgAq55IEut0kPGC1SFYFWd/72PxrjnGKwAez/zeaJ5DNf/XsoyIOBGv2HDXQcKkJ3cDzV/qoCpDMNQAES0amt0kjH16uRz6Xe10EJhZQJJocE2xw8ne8KXxEBE9fsIbc4zgOf1nUiTctpwprA6/D1XZzA==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>...</X509Certificate>
      </X509Data>
    </KeyInfo>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2010-08-27T05:25:46.360Z" Recipient="https://localhost:9031/sp/ACS.saml2"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2010-08-27T05:24:46.359Z" NotOnOrAfter="2010-08-27T05:25:46.359Z">
    <AudienceRestriction>
      <Audience>localhost:default:entityId</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2010-08-27T05:24:46.360Z" SessionIndex="_4da72941-e6da-4e59-af4f-2e0d3ea853a9">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="FooUrl" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <AttributeValue>https://localhost/SpSample/?foo=bar</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
2010-08-26 22:25:04,472 tid:8ec06a77f DEBUG [org.sourceid.common.dsig.XmlSignatureUtil] Transformed XML:
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e31ba86e-98b0-48bb-b5f4-deed6156240d" IssueInstant="2010-08-27T05:24:46.360Z" Version="2.0">
  <Issuer>localhost:default:entityId</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2010-08-27T05:25:46.360Z" Recipient="https://localhost:9031/sp/ACS.saml2"></SubjectConfirmationData>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2010-08-27T05:24:46.359Z" NotOnOrAfter="2010-08-27T05:25:46.359Z">
    <AudienceRestriction>
      <Audience>localhost:default:entityId</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2010-08-27T05:24:46.360Z" SessionIndex="_4da72941-e6da-4e59-af4f-2e0d3ea853a9">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="FooUrl" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <AttributeValue>https://localhost/SpSample/?foo=bar</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
2010-08-26 22:25:04,550 tid:8ec06a77f DEBUG [org.sourceid.common.dsig.XmlSignatureUtil] Digest [base64 encoded SHA-1]: WxH1MlSyFAlbRx0jlbuvwH27UrY=

Any help or tips would be *much* appreciated. TIA!

--
Regards,
Travis Spencer
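The log above reports only "Expected Digest" versus "Actual Digest" for the Reference, which tells you that the bytes the verifier hashed (after the enveloped-signature and exclusive-C14N transforms) differ from the bytes the .NET signer hashed, but not where. The following is an added example, not the poster's code and not part of the federation server or Apache XML Security: a stand-alone Java checker built on the JDK's javax.xml.crypto.dsig API that validates the enveloped signature on each saml:Assertion in a Response, reports the claimed and computed digest for every Reference, confirms the Reference really points at the assertion being checked, and dumps the exact octets that were digested so they can be diffed against the signer's pre-digest output. The verification key is taken from a local trust store rather than from the KeyInfo carried in the message, since an attacker can embed any certificate they hold the private key for. The command-line arguments (response file, JKS trust store path, certificate alias) are assumptions of this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example (not the poster's code, nor the federation server's): per-Reference
// digest diagnostics for the enveloped signature on each saml:Assertion in a Response.
public class AssertionSignatureCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <response.xml> <truststore.jks> <alias of the IdP certificate>
        String responseFile = args[0], trustStore = args[1], idpAlias = args[2];

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // dsig and SAML elements are namespace-qualified
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc;
        try (InputStream in = new FileInputStream(responseFile)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }

        // Verification key from our own trust store, never from the message's KeyInfo.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStore)) {
            ks.load(in, null);
        }
        X509Certificate idpCert = (X509Certificate) ks.getCertificate(idpAlias);
        if (idpCert == null) throw new IllegalStateException("no certificate under alias " + idpAlias);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            Element assertion = (Element) assertions.item(i);
            // Without a schema the parser does not know ID is an identifier; register it so
            // the Reference URI="#..." can be resolved.
            assertion.setIdAttribute("ID", true);
            String expectedUri = "#" + assertion.getAttribute("ID");

            NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
            if (sigs.getLength() == 0) { System.out.println(expectedUri + ": unsigned"); continue; }
            Element sigElem = (Element) sigs.item(0);

            DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(idpCert.getPublicKey()), sigElem);
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // reject risky transforms/keys
            ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep digested octets

            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            boolean coreValid = sig.validate(ctx);
            System.out.println(expectedUri + " core validity: " + coreValid);
            System.out.println("  SignatureValue over SignedInfo ok: " + sig.getSignatureValue().validate(ctx));

            Base64.Encoder b64 = Base64.getEncoder();
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) o;
                boolean refValid = ref.validate(ctx);
                System.out.println("  Reference " + ref.getURI() + " digest ok: " + refValid);
                // A valid signature over some *other* ID-bearing element proves nothing about
                // this assertion (signature wrapping), so insist the URI names this element.
                if (!expectedUri.equals(ref.getURI())) {
                    System.out.println("  WARNING: reference does not cover this assertion");
                }
                System.out.println("  expected digest: " + b64.encodeToString(ref.getDigestValue()));
                System.out.println("  actual digest:   " + b64.encodeToString(ref.getCalculatedDigestValue()));
                // Exactly what was hashed after enveloped-signature + exc-c14n. Diff this against
                // the signer's pre-digest output to find the differing byte (whitespace, namespace
                // declaration, attribute value), since C14N already sorts attributes for you.
                try (InputStream digested = ref.getDigestInputStream()) {
                    System.out.println("  digested octets:\n" + new String(readAll(digested), StandardCharsets.UTF_8));
                }
            }
        }
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        return out.toByteArray();
    }
}
```

Run it once against the Response the federation server produced and once against the .NET one; the "digested octets" dump for the failing one plays the same role as the "Transformed XML" line in the log above, and comparing it byte for byte with what the .NET side canonicalized before hashing is the quickest way to locate the mismatch. One caveat for anyone reproducing this today: on JDK 17 and later the default jdk.xml.dsig.secureValidationPolicy disallows the SHA-1 digest and rsa-sha1 signature algorithms used in these messages, so with secureValidation enabled the check fails on the algorithm before it ever reaches the digest comparison.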