Thanks Cantor, I did check with checksig utility, see the details in
http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-2.html

It output "Signature verified OK!"

So, if Apache is right, then F5 is wrong. If F5 is right, then Apache is wrong.

Mike

-----Original Message-----
From: Cantor, Scott [mailto:canto...@osu.edu]
Sent: 06 June 2013 17:05
To: dev@santuario.apache.org
Subject: RE: XML canonicalization

> Do you admit Apache Santuario was wrong on XML canonicalization?

No, but that's strictly from a quick eyeballing.

The signature is missing a transform specifying the c14n process to follow during the reference step. That means the actual data to digest is handled with inclusive c14n 1.0, not by exclusive. They are, I think, confusing the explicit choice of Exclusive C14n in the SignedInfo portion, but that doesn't apply to the Reference step.

If I followed your email, you're saying the Santuario output of the Response is based on following Inclusive, and I believe that's correct. But I don't have time right now to dig in exhaustively.

You might try validating your example using the C++ version of Santuario via the checksig utility, or with OpenSAML's samlsign utility as a way to get more evidence that it's correct.

-- Scott
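The distinction Scott draws, that the CanonicalizationMethod on SignedInfo does not carry over to the Reference step, can be checked mechanically. The script below is an added example, not code from this thread or from the Santuario project; it parses a ds:SignedInfo with the Python standard library and reports which canonicalization each ds:Reference's digest input actually gets. The SAML-style signature snippet and its URI are constructed for the example.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Canonicalization algorithm URIs and what they mean when they appear in a transform chain
C14N_ALGS = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": "inclusive c14n 1.0",
    "http://www.w3.org/2001/10/xml-exc-c14n#": "exclusive c14n 1.0",
    "http://www.w3.org/2006/12/xml-c14n11": "inclusive c14n 1.1",
}
DEFAULT_REF_C14N = "inclusive c14n 1.0 (implicit default)"

def describe_c14n(signed_info_xml: str) -> dict:
    """Report the c14n used for SignedInfo and, separately, for each Reference's digest input."""
    si = ET.fromstring(signed_info_xml)
    cm = si.find(DS + "CanonicalizationMethod").get("Algorithm")
    report = {"SignedInfo": C14N_ALGS.get(cm, cm), "References": {}}
    for ref in si.findall(DS + "Reference"):
        algs = [t.get("Algorithm") for t in ref.findall(DS + "Transforms/" + DS + "Transform")]
        c14n_steps = [C14N_ALGS[a] for a in algs if a in C14N_ALGS]
        # XMLDSig 4.3.3.2: a node-set reaching the digest with no c14n transform in the
        # chain is serialized with Canonical XML 1.0 (inclusive); SignedInfo's choice of
        # exclusive c14n does not carry over to the Reference.
        report["References"][ref.get("URI", "")] = c14n_steps[-1] if c14n_steps else DEFAULT_REF_C14N
    return report

# Constructed sample shaped like the thread's case: exclusive c14n on SignedInfo,
# but the Reference lists only the enveloped-signature transform.
SAMPLE_IMPLICIT = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#resp-1">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>placeholder</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""

# Same signature with an explicit exclusive-c14n transform added to the Reference.
SAMPLE_EXPLICIT = SAMPLE_IMPLICIT.replace(
    "</ds:Transforms>",
    '  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n    </ds:Transforms>',
)

if __name__ == "__main__":
    for name, sample in (("implicit", SAMPLE_IMPLICIT), ("explicit", SAMPLE_EXPLICIT)):
        print(name, describe_c14n(sample))
```

When two implementations disagree on a digest, running this over the SignedInfo shows whether one of them is applying exclusive c14n to a Reference that never asked for it.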