Yes, we are using the Enveloped Signature Transform. The Signature is inside 
the saml2:Assertion element, which is nested inside of the saml2:Response 
element.

What we're beginning to wonder is if the signature is actually being ignored 
during the check. What is the best way to determine what is being checked and 
what is not?



On Apr 6, 2011, at 4:51 PM, Pellerin, Clement wrote:

> Is the Signature element within the scope of one of your references?
> For example, that happens when the Reference is the whole document.
> To make those signatures verifiable, you need the Enveloped Signature 
> Transform to ignore the Signature element when computing the digest.
> 
> -----Original Message-----
> From: Brandon Moser [mailto:[email protected]] 
> Sent: Wednesday, April 06, 2011 5:20 PM
> To: [email protected]
> Subject: Re: Issue in Verifying Signing
> 
> So, we decided to use a Transform that allows for whitespace changes, but we 
> are still receiving False when attempting to check the signature immediately 
> after signing. It appears in the log file that the Pre-Digest value before 
> signing doesn't contain the SignatureValue and DigestValue (expected), yet 
> after signing the checkSignatureValue contains both Signature & Digest 
> values, which I would believe causes the digest to be different. Is it 
> possible to check the signature value immediately after signing and get a 
> valid response of True?
> 
> I have tried to use the Online validator and oxygen's validator and both 
> return, "Signature Invalid".  We have included the public RSA key in the 
> output in an attempt to validate this output. Since we are in development, 
> the data is not valuable, so I have attached the XML output and the log.
> 
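
Added example, not part of the original thread and not the library's own code: one way to see what a signature actually covers is to list each ds:Reference, resolve its URI to the element it points at, and check whether the Signature sits inside that element without the Enveloped Signature Transform. The sample document is constructed, and resolving `#id` references through an unqualified `ID` attribute is an assumption that matches SAML 2.0.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
NS = {"ds": DS}

# Constructed sample; DigestValue and SignatureValue are placeholders.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="resp1">
  <saml2:Assertion ID="assert1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#assert1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml2:Subject/>
  </saml2:Assertion>
</saml2p:Response>"""

def audit_references(xml_text):
    """Report, per ds:Reference, which element is digested and how."""
    root = ET.fromstring(xml_text)  # parse only XML you trust with this parser
    ids = {e.get("ID"): e for e in root.iter() if e.get("ID")}
    report = []
    for sig in root.iter("{%s}Signature" % DS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            algs = [t.get("Algorithm")
                    for t in ref.findall("ds:Transforms/ds:Transform", NS)]
            # URI="" means the whole document; "#x" means the element with ID x.
            target = root if uri == "" else ids.get(uri[1:]) if uri.startswith("#") else None
            in_scope = target is not None and any(e is sig for e in target.iter())
            report.append({
                "uri": uri,
                "target": None if target is None else target.tag,
                "transforms": algs,
                "signature_in_scope": in_scope,      # Signature lies inside the digested element
                "needs_enveloped": in_scope and ENVELOPED not in algs,
                "covers_root": target is root,       # False: outer elements are unsigned
            })
    return report
```

A reference with `needs_enveloped` set digests its own Signature element and cannot verify; `covers_root` being false means content outside the referenced element, here the saml2:Response wrapper, is not protected by this signature.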
