Brent,

Thanks for your help. I am using Xerces and the application server is ColdFusion MX 7. I know I have seen the version within ColdFusion before; I want to say it is 2.4, but that might be wrong.

Thanks,
Phil

-----Original Message-----
From: Brent Putman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 23, 2007 5:07 PM
To: security-dev@xml.apache.org
Subject: Re: "Cannot resolve element with ID" Error
Phillip Duba wrote:
> Hopefully someone can point me in the right direction to solve this problem. I have a SAML 1.1 Assertion being verified; however, it fails verification as I receive a "Cannot resolve element with ID ." error. The issue, from what I can tell doing a Google search, is that the SAML Assertion 1.1 schema has the AssertionID of type ID but no ID attribute, so the Reference lookup fails. Below is my logic for verification:

The library's IdResolver has to be able to work, i.e. resolve the References properly. It primarily uses Document#getElementById. And in order for that to work, usually the Attr nodes have to be marked as DOM ID attributes (at least Xerces works that way; maybe some parsers just do a brute-force traversal). That happens if you do schema validation. So if you can validate, then that will solve it.

For non-validation use cases, the IdResolver also has some hardcoded support for certain attribute names in certain namespaces, and for quite a while (a year ago) has had support specifically for SAML 1.1 ID attributes (AssertionID, ResponseID, RequestID). Although there was a bug with the SAML 1.1 stuff, and it was only fixed recently, in the latest release (1.4.1).

> The system configuration versioning is limited by an application server and is:
> JDK 1.4.11
> XML Apache Security Library 1.2.0 with xmlsec-1.2.96.jar

Pretty sure that version is too old to have the SAML 1.1 support described. If you can't upgrade to a newer library version, then I think your only options are:
1) validate the DOM against the SAML 1.1 schema before you attempt signature verification
2) manually preprocess the DOM and mark the ID attributes before you attempt signature verification.

> Most of the solutions I have found have focused on DOM3 capabilities which I do not have access to, or using an IdResolver with which I have had no luck.
> Any help would be

If you don't have DOM 3, then solution 2 above won't work - AFAIK, you have to use one of the Element#setId* methods, and I believe those are all DOM 3. So you can try schema validation, or find some other way to get Document#getElementById to work correctly.

You didn't mention what parser, version, etc. you are using, but I'd say that is going to be what you have to solve.

--Brent
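Brent's option 2 (mark the SAML 1.1 ID attributes yourself so Document#getElementById, and hence the xmlsec IdResolver, can find them) written out as an added example. This is not code from the thread or from the Apache XML Security project; it assumes a DOM Level 3 parser (Element#setIdAttribute, i.e. Java 5+ or a Xerces build that implements it, which is exactly what Phil says he lacks on JDK 1.4), the Apache XML Security 1.4-era Java API (org.apache.xml.security.Init, XMLSignature, SignedInfo, Reference, Constants), and a constructed, unsigned sample assertion. The class name, the assertion ID "_a1b2c3" and the issuer URL are made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.SignatureException;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class Saml11IdMarker {

    // SAML 1.1 reuses the 1.0 namespace URIs. AssertionID lives on saml:Assertion,
    // RequestID on samlp:Request and ResponseID on samlp:Response.
    static final String SAML_NS  = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";

    /** Marks the SAML 1.1 ID-typed attributes as DOM IDs (needs DOM Level 3). Returns how many were marked. */
    public static int markSaml11Ids(Document doc) {
        return mark(doc, SAML_NS, "Assertion", "AssertionID")
             + mark(doc, SAMLP_NS, "Request", "RequestID")
             + mark(doc, SAMLP_NS, "Response", "ResponseID");
    }

    private static int mark(Document doc, String ns, String elementName, String idAttr) {
        NodeList nodes = doc.getElementsByTagNameNS(ns, elementName);
        int marked = 0;
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            if (e.hasAttribute(idAttr)) {       // these ID attributes are unprefixed, so no namespace lookup
                e.setIdAttribute(idAttr, true);  // DOM Level 3: without this getElementById returns null
                marked++;
            }
        }
        return marked;
    }

    /**
     * Verifies the enveloped ds:Signature on a SAML 1.1 Assertion using a key the caller
     * already trusts (e.g. from IdP metadata), never one pulled from the message's KeyInfo.
     * Also checks that the single ds:Reference resolves to the Assertion enclosing the
     * Signature, so a genuine signature over some other ID'd element cannot be wrapped
     * around an attacker-supplied assertion. Returns the Assertion element that was verified.
     */
    public static Element verifySignedAssertion(Document doc, PublicKey issuerKey) throws Exception {
        Init.init();             // xmlsec must be initialised once before use
        markSaml11Ids(doc);      // the step Phil's verification was missing

        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, Constants._TAG_SIGNATURE);
        if (sigs.getLength() != 1) {
            throw new SignatureException("expected exactly one ds:Signature, found " + sigs.getLength());
        }
        Element sigEl = (Element) sigs.item(0);
        Element assertion = (Element) sigEl.getParentNode();
        if (!SAML_NS.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName())) {
            throw new SignatureException("ds:Signature is not a direct child of saml:Assertion");
        }

        XMLSignature sig = new XMLSignature(sigEl, "");
        if (!sig.checkSignatureValue(issuerKey)) {
            throw new SignatureException("signature value does not verify with the issuer key");
        }

        // Bind the signature to the element we are about to trust.
        SignedInfo si = sig.getSignedInfo();
        if (si.getLength() != 1) {
            throw new SignatureException("expected exactly one ds:Reference, found " + si.getLength());
        }
        String uri = si.item(0).getURI();
        if (uri == null || !uri.startsWith("#")
                || !assertion.isSameNode(doc.getElementById(uri.substring(1)))) {
            throw new SignatureException("ds:Reference " + uri + " does not resolve to the enclosing Assertion");
        }
        return assertion;
    }

    // Constructed, unsigned sample (not from the thread): enough to show the getElementById behaviour.
    static final String SAMPLE =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\""
      + " AssertionID=\"_a1b2c3\" Issuer=\"https://idp.example.org\""
      + " IssueInstant=\"2007-05-23T21:07:00Z\"/>";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // xmlsec and the NS-aware lookups above require a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));

        System.out.println("getElementById before marking: " + doc.getElementById("_a1b2c3"));
        int n = markSaml11Ids(doc);
        System.out.println("marked " + n + " ID attribute(s)");
        System.out.println("getElementById after marking:  " + doc.getElementById("_a1b2c3"));
    }
}
```

Two things to keep in mind when using this. First, marking IDs only makes the Reference resolvable; it does not make the document trustworthy, which is why verifySignedAssertion insists on one Signature, one Reference, and a Reference that resolves to the very Assertion the Signature is enveloped in, rather than merely checking that checkSignatureValue returned true. Second, if the library is new enough to carry the built-in SAML 1.1 ID support Brent mentions (1.4.1 and later), the manual marking is redundant but harmless, and the same Reference-to-Assertion check is still worth doing.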