Phillip Duba wrote:

> Hopefully someone can point me in the right direction to solve this
> problem. I have a SAML 1.1 Assertion being verified, however, it fails
> verification as I receive a “Cannot resolve element with ID …” error.
> The issue, from what I can tell doing a Google search, is that
> the SAML Assertion 1.1 schema has the AssertionID of type ID but no ID
> attribute so the Reference lookup fails. Below is my logic for
> verification:

The library's IdResolver has to be able to work, i.e. resolve the References properly. It primarily uses Document#getElementById. And in order for that to work, usually the Attr nodes have to be marked as DOM ID attributes (at least Xerces works that way; maybe some parsers just do a brute force traversal). That happens if you do schema validation. So if you can validate, then that will solve it.

For non-validation use cases, the IdResolver also has some hardcoded support for certain attribute names in certain namespaces, and for quite a while (a year ago) has had support specifically for SAML 1.1 ID attributes (AssertionID, ResponseID, RequestID). Although there was a bug with the SAML 1.1 stuff and it was only fixed recently, in the latest release (1.4.1).

> The system configuration versioning is limited by an application
> server and is:
>
> JDK 1.4.11
> XML Apache Security Library 1.2.0 with xmlsec-1.2.96.jar

Pretty sure that version is too old to have the SAML 1.1 support described. If you can't upgrade to a newer library version, then I think your only options are:

1) validate the DOM against the SAML 1.1 schema before you attempt signature verification
2) manually preprocess the DOM and mark the ID attributes before you attempt signature verification.

> Most of the solutions I have found have focused on DOM3 capabilities
> which I do not have access to or using an IdResolver with which I have
> had no luck. Any help would be

If you don't have DOM 3, then solution 2 above won't work - AFAIK, you have to use one of the Element#setId* methods, and I believe those are all DOM 3. So you can try schema validation, or find some other way to get Document#getElementById to work correctly. You didn't mention what parser, version, etc. you are using, but I'd say that is going to be what you have to solve.

--Brent
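Solution 2 from Brent's reply (marking the SAML 1.1 ID attributes by hand so Document#getElementById can find them), written out as an added example that is not code from the original thread or from the xmlsec project. It assumes a DOM Level 3 parser (Element#setIdAttribute, i.e. Java 5 or later, so it does not help on the JDK 1.4 setup described), uses the SAML 1.0/1.1 namespace URIs as constants, and parses a constructed, unsigned sample assertion.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class Saml11IdMarker {
    // SAML 1.1 reuses the 1.0 namespace URIs for assertions and protocol messages.
    static final String SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SAML_PROTOCOL_NS  = "urn:oasis:names:tc:SAML:1.0:protocol";

    /** Marks AssertionID / ResponseID / RequestID as DOM ID attributes so that
     *  Document#getElementById, and therefore the IdResolver, can resolve a
     *  Reference URI of the form "#id". Requires DOM Level 3. Returns the count marked. */
    static int markSamlIds(Document doc) {
        int marked = 0;
        marked += markAll(doc, SAML_ASSERTION_NS, "Assertion", "AssertionID");
        marked += markAll(doc, SAML_PROTOCOL_NS, "Response", "ResponseID");
        marked += markAll(doc, SAML_PROTOCOL_NS, "Request", "RequestID");
        return marked;
    }

    // Only touches elements in the expected namespace; the attributes are unprefixed in the schema.
    private static int markAll(Document doc, String ns, String localName, String attr) {
        NodeList nodes = doc.getElementsByTagNameNS(ns, localName);
        int marked = 0;
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            if (e.hasAttribute(attr)) {
                e.setIdAttribute(attr, true);   // DOM 3: flag this Attr as an ID
                marked++;
            }
        }
        return marked;
    }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned sample assertion; the ID value is made up for the demo.
        String id = "_constructed-assertion-id-0001";
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML_ASSERTION_NS + "\""
            + " MajorVersion=\"1\" MinorVersion=\"1\" AssertionID=\"" + id + "\""
            + " Issuer=\"https://idp.example.org\" IssueInstant=\"2007-01-01T00:00:00Z\">"
            + "<saml:AuthenticationStatement/></saml:Assertion>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);                         // required for the NS lookups above
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println("resolvable before marking: " + (doc.getElementById(id) != null));
        int n = markSamlIds(doc);
        System.out.println("marked " + n + ", resolvable after: " + (doc.getElementById(id) != null));
        // Hand `doc` to the signature verification code only after this preprocessing step.
    }
}
```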