I'm having *exactly* the same problem - did you get this solved in the end?
Sam

On Jan 30, 6:59 pm, David Cifuentes <[email protected]> wrote:
> Hello,
>
> I'd like to sign the XML of the SAML response with pure PHP 5 (no
> command line calls of xmlsec1). I've seen that the simplesamlphp
> project http://rnd.feide.no/simplesamlphp does exactly this with the
> xmlseclib.php library. I tried to port the XML signature part to my
> app but the signed response is not valid to Google. Here is what I
> did:
>
> public static function signResponse($responseXmlString, $pubKey, $privKey) {
>     $xml = new DOMDocument();
>     if (!$xml->loadXML($responseXmlString)) {
>         throw new Exception('Could not parse the response XML');
>     }
>     /* Load the private key (second argument: $privKey is a file path). */
>     $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
>     $objKey->loadKey($privKey, true);
>
>     /* Get the root node (samlp:Response) we should sign. */
>     $rootNode = $xml->firstChild;
>
>     /* Sign the response with our private key. */
>     $objXMLSecDSig = new XMLSecurityDSig();
>     $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
>
>     $objXMLSecDSig->addReferenceList(array($rootNode), XMLSecurityDSig::SHA1,
>         array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
>         array('id_name' => 'ID'));
>
>     $objXMLSecDSig->sign($objKey);
>
>     /* Add the certificate to the signature ($pubKey is the path of the certificate file). */
>     $publicCert = file_get_contents($pubKey);
>     $objXMLSecDSig->add509Cert($publicCert, false, false);
>
>     /* Add the signature to the response, as the first child of the root node. */
>     $objXMLSecDSig->insertSignature($rootNode, $rootNode->firstChild);
>
>     /* Return the DOM tree as a string. */
>     return $xml->saveXML();
> }
>
> The signed XML looks like:
>
> <samlp:Response xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     ID="pfx091359c1-a7ef-e501-0455-1323df8d6502"
>     IssueInstant="2009-01-30T17:34:01Z" Version="2.0"
>     Destination="https://www.google.com/a/unbosque.edu.co/acs"
>     InResponseTo="aalpmhflehehnnbngdfaddelckndjiihfflakfhc">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <ds:Reference URI="#pfx091359c1-a7ef-e501-0455-1323df8d6502">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <ds:DigestValue>VVXUdt2Ob/kFv4mupa07P/ViEU4=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>FBzpPMcX5yms0exp8e4uga7hrYOqr+UprkYhp0RbCePPWt/JUt2Nu5F5kkWK+Cj2QRsEUejsHO6s+zLMgb0MP7LrtJiEKRk59MY7xtQPrF1ieKEj7Zjvu2ap0juFLCkchJ9/xORUSsrEVTc6AhM2iZjr2YKqioY8fDhtXk7kQF0=</ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate></ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <Reference URI="">
>         <Transforms>
>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         </Transforms>
>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <DigestValue/>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue/>
>     <KeyInfo>
>       <KeyValue/>
>     </KeyInfo>
>   </Signature>
>   <samlp:Status>
>     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>   </samlp:Status>
>   <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>       ID="jlmaghekccjbghadceopcgoefkepgphaleaclemn"
>       IssueInstant="2009-01-30T17:34:01Z" Version="2.0">
>     <Issuer>unbosque.edu.co</Issuer>
>     <Subject>
>       <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
>         cifuentesandres
>       </NameID>
>       <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <SubjectConfirmationData Recipient="https://www.google.com/a/unbosque.edu.co/acs"
>             NotOnOrAfter="2009-01-30T17:44:01Z"
>             InResponseTo="aalpmhflehehnnbngdfaddelckndjiihfflakfhc"/>
>       </SubjectConfirmation>
>     </Subject>
>     <Conditions NotBefore="2009-01-30T17:29:01Z" NotOnOrAfter="2009-01-30T17:44:01Z">
>       <AudienceRestriction>
>         <Audience>https://www.google.com/a/unbosque.edu.co/acs</Audience>
>       </AudienceRestriction>
>     </Conditions>
>     <AuthnStatement AuthnInstant="2009-01-30T17:34:01Z">
>       <AuthnContext>
>         <AuthnContextClassRef>
>           urn:oasis:names:tc:SAML:2.0:ac:classes:Password
>         </AuthnContextClassRef>
>       </AuthnContext>
>     </AuthnStatement>
>   </Assertion>
> </samlp:Response>
>
> If anyone has used this library or can tell what's wrong I would
> appreciate it.
>
> Thanks,
>
> David Cifuentes
> Eforcers.com
> Bogotá, Colombia
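Two things are visible in the signed output quoted above, whether or not either is what Google objected to: the document carries a second, unfilled <Signature> template (empty DigestValue, SignatureValue and KeyValue) next to the one xmlseclibs produced, and the ds:X509Certificate element is empty. The following is an added example, not David's code and not part of the simplesamlphp project: it signs a samlp:Response with the maintained robrichards/xmlseclibs library (the descendant of the xmlseclib.php copy used in the post, installed with composer), removes any leftover template signature first, refuses to embed an empty certificate, and then verifies its own output the way a relying party would before anything is sent. It uses RSA-SHA256 rather than the RSA-SHA1 of the post; switch the two constants back only if the receiving party still demands SHA-1. The file names response.xml, idp-key.pem and idp-cert.pem are assumptions.

```php
<?php
// Added example (not code from the original post): sign a samlp:Response with
// robrichards/xmlseclibs ("composer require robrichards/xmlseclibs") and verify
// the result locally before handing it to the SP. All file paths are assumed.
require_once __DIR__ . '/vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

function signSamlResponse(string $responseXml, string $privKeyPath, string $certPath): string
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;   // set before loadXML so c14n sees no stray text nodes
    if (!$doc->loadXML($responseXml)) {
        throw new RuntimeException('Response is not well-formed XML');
    }
    $root = $doc->documentElement;      // samlp:Response, the element we sign
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS);

    // Drop any unfilled template ds:Signature under the root. The enveloped-signature
    // transform only excludes the Signature that carries the Reference; a leftover
    // placeholder stays inside the digested content and is a second, unverifiable
    // signature from the receiver's point of view.
    foreach (iterator_to_array($xp->query('/*/ds:Signature')) as $stale) {
        $stale->parentNode->removeChild($stale);
    }

    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($privKeyPath, true);  // true: the argument is a file path, not PEM text

    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    $dsig->addReference(
        $root,
        XMLSecurityDSig::SHA256,
        ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'ID', 'overwrite' => false]   // keep the Response's own ID attribute
    );
    $dsig->sign($key);

    // Embed the signing certificate, but only after checking that a PEM block was
    // actually read: the library happily emits an empty ds:X509Certificate otherwise.
    $pem = file_get_contents($certPath);
    if ($pem === false || strpos($pem, '-----BEGIN CERTIFICATE-----') === false) {
        throw new RuntimeException("No PEM certificate found at $certPath");
    }
    $dsig->add509Cert($pem, true);      // true: PEM format, headers are stripped for us

    // SAML 2.0 core places ds:Signature right after saml:Issuer when the Response has one.
    $issuer = $xp->query('/*/*[local-name()="Issuer"]')->item(0);
    $dsig->insertSignature($root, $issuer ? $issuer->nextSibling : $root->firstChild);

    return $doc->saveXML();
}

function verifySamlResponse(string $signedXml, string $trustedCertPath): bool
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;
    if (!$doc->loadXML($signedXml)) {
        return false;
    }
    $dsig = new XMLSecurityDSig();
    if ($dsig->locateSignature($doc) === null) {
        return false;                   // nothing to verify
    }
    try {
        $dsig->canonicalizeSignedInfo();
        $dsig->idKeys = ['ID'];         // resolve URI="#..." through the SAML ID attribute
        $dsig->validateReference();     // throws if a digest does not match
        $key = $dsig->locateKey();      // key object built from ds:SignatureMethod
        if ($key === null) {
            return false;
        }
        // Pin the verification key to a certificate we already trust rather than the
        // one carried in ds:KeyInfo; trusting KeyInfo lets a sender sign with any key.
        $key->loadKey($trustedCertPath, true, true);
        return $dsig->verify($key) === 1;
    } catch (Exception $e) {
        return false;
    }
}

// Usage (paths assumed): sign, then refuse to send anything that does not verify.
$signed = signSamlResponse(file_get_contents('response.xml'), 'idp-key.pem', 'idp-cert.pem');
if (!verifySamlResponse($signed, 'idp-cert.pem')) {
    throw new RuntimeException('Self-check failed; not sending an unverifiable Response');
}
echo $signed;
```

The self-check catches the two classes of problem the post's output shows before a remote party does: a reference or digest that no longer matches the serialized document, and a KeyInfo that does not carry a usable certificate. Pinning the verification key in verifySamlResponse is the same discipline a service provider should apply: the certificate embedded in KeyInfo is attacker-controlled input and must never be what decides whether a signature is trusted.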
