On 4/6/11 5:19 PM, "Brandon Moser" <[email protected]> wrote:
>So, we decided to use a Transform that allows for whitespace changes,
>but we are still receiving False when attempting to check the signature
>immediately after signing.

As others said, there is no such transform, and SAML is totally explicit
about the allowable transforms. The advice from the other poster was
correct, you should be using Enveloped followed by Excl C14N, period.

> It appears in the log file that the Pre-Digest value before signing
>doesn't contain the SignatureValue and DigestValue (expected), yet after
>signing the checkSignatureValue contains both Signature & Digest values,
>which I would believe cause the digest to be different.

Enveloped signatures exclude the Signature element, that's how they work.

>I have tried to use the Online validator and oxygen's validator and both
>return, "Signature Invalid".

Then your XML is bad. There's virtually no question on it, you've simply
broken it during serialization. Rather than spend time trying to avoid
fixing that, just change how you're serializing and make sure you know
it's not adding any whitespace or breaking namespaces somehow.

Note that if you're taking a signed Assertion and adding that to a
Response, any number of bugs can break the result. Using off the shelf XML
processing is virtually guaranteed to break the signature, which is why
most SAML toolkits do their own XML processing.

-- Scott

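The points in the reply above (Enveloped followed by Exclusive C14N as the only transform sequence, the Signature element being excluded from what it signs, and serialization whitespace breaking an otherwise valid signature) can be reproduced end to end with the JDK's built-in javax.xml.crypto.dsig API. The following is an added, self-contained example written for this page, not code from the thread or from any SAML toolkit; the original poster's checkSignatureValue is Apache Santuario's API, whereas this uses the JDK API so that it runs with nothing but a Java 11+ JDK. The Assertion document, the key pair, and all class and method names (EnvelopedSamlSignatureDemo, sign, validate, serialize) are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class EnvelopedSamlSignatureDemo {

    // Constructed, minimal SAML-style Assertion used only as signing input (not from the thread).
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc123\" Version=\"2.0\">"
      + "<saml:Issuer>https://idp.example.org</saml:Issuer>"
      + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
      + "</saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this the ds: prefix is not a real namespace and C14N differs
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // SAML never needs a DTD
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Sign the root element in place: Enveloped transform followed by Exclusive C14N,
    // with the Reference pointing at the root's ID attribute.
    static void sign(Document doc, KeyPair kp) throws Exception {
        Element root = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        List<Transform> transforms = Arrays.asList(
            fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
            fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        Reference ref = fac.newReference("#" + root.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        // Place ds:Signature directly after saml:Issuer, where the SAML schema expects it.
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), root, root.getFirstChild().getNextSibling());
        ctx.setIdAttributeNS(root, null, "ID"); // tell the URI dereferencer which attribute is the ID
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    // Validate the enveloped signature. The Enveloped transform drops the ds:Signature subtree
    // before digesting, which is why the signature can live inside the element it covers.
    static boolean validate(Document doc, PublicKey pub) throws Exception {
        Element root = doc.getDocumentElement();
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false; // exactly one Signature, or refuse
        DOMValidateContext ctx = new DOMValidateContext(pub, nl.item(0));
        ctx.setIdAttributeNS(root, null, "ID");
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        Reference r = (Reference) sig.getSignedInfo().getReferences().get(0);
        if (!r.getURI().equals("#" + root.getAttribute("ID"))) return false; // must cover this root, not some other node
        return sig.validate(ctx);
    }

    // Serialize the DOM. indent=true is the "pretty print" mistake: it inserts whitespace text
    // nodes inside the signed subtree (and inside SignedInfo), changing the canonical form.
    static String serialize(Document doc, boolean indent) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.setOutputProperty(OutputKeys.INDENT, indent ? "yes" : "no");
        if (indent) t.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document doc = parse(ASSERTION);
        sign(doc, kp);
        System.out.println("in-memory check:           " + validate(doc, kp.getPublic()));
        System.out.println("faithful round trip:       " + validate(parse(serialize(doc, false)), kp.getPublic()));
        System.out.println("pretty-printed round trip: " + validate(parse(serialize(doc, true)), kp.getPublic()));
    }
}
```

Compile and run with `javac EnvelopedSamlSignatureDemo.java && java EnvelopedSamlSignatureDemo`. The first two checks exercise a correct pipeline (sign, verify in memory, serialize byte-for-byte, reparse, verify); the third differs only in the INDENT output property and is the reproduction of the original poster's symptom: the XML was altered during serialization, not by the transforms. The same round trip applies when a signed Assertion is copied into a Response with importNode: any step that reindents, rewrites namespace declarations, or drops the ID attribute registration will make validate return false.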