I'm trying to decrypt and verify an SAML assertion using the C++ XML
library.

Without encryption, using only the digital signature, this works fine:
The overall details are that an SAML assertion is embedded in a SAML
response and signed (the assertion) in situ with the Apache XML-Sec
library for Java.

The problem is that the hashes don't match - the signature verifies OK.

The problem seems to be that the transform applied before computing the
hash lets the name spaces float outside the assertion - this is what
actually gets hashed when trying to verify:

xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"<saml:Assertion
ID="ID_0A302010011D2400070983450183BFEE"
IssueInstant="2007-01-01T00:00:00.000+01:00" Version="2.0"> ...
<<DELETED FOR CLARITY>> ... </saml:Assertion>

However, when the object is signed, the same transformation yields an
assertion which includes the namespace declarations, so the text which
is hashed in the two cases is not the same.

As I said, this problem is only seen when encrypting the document, when
the signature is verified without encryption, everything checks out, and
the hashed assertion has the namespaces embedded, not floating outside.

Incompatibility between the two implementations (Java and C++), or am I
missing something?

best regards

Carsten Agger, Denmark
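
The mechanism behind the symptom described above, as an added illustration that is not the poster's code nor part of Apache XML Security: a stdlib-only Python script that reports which namespace declarations inclusive canonicalization would render on a nested saml:Assertion (every binding in scope, including ones inherited from the enclosing Response) versus exclusive canonicalization (only prefixes the element visibly uses), and shows that the bytes fed to the digest therefore differ. The SAML response, its ID and the Issuer value are constructed.

```python
import hashlib
from xml.parsers import expat

# Constructed sample, modelled on the post: the Assertion sits inside a Response that
# declares samlp/ds/xenc and a default namespace. All are in scope at the Assertion,
# which itself only uses the saml prefix.
SAML_RESPONSE = b'''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion ID="ID_EXAMPLE" Version="2.0"><saml:Issuer>idp</saml:Issuer></saml:Assertion>
</samlp:Response>'''

def _split(name):   # expat name "uri local prefix" | "uri local" | "local" -> (qname, prefix)
    p = name.split(" ")
    if len(p) == 3:
        return f"{p[2]}:{p[1]}", p[2]
    return p[-1], ("" if len(p) == 2 else None)   # "" = default namespace, None = no namespace

def namespace_views(xml_bytes, local_name):
    """For the first element named local_name, return the declarations inclusive C14N
    renders on it (every in-scope binding, inherited ones included) and those exclusive
    C14N renders (only prefixes visibly used by the tag and its attributes)."""
    in_scope, shadowed, found = {}, {}, {}
    def start_ns(prefix, uri):          # declaration on the next start tag
        shadowed.setdefault(prefix or "", []).append(in_scope.get(prefix or ""))
        in_scope[prefix or ""] = uri
    def end_ns(prefix):                 # declaring element closed: restore hidden binding
        old = shadowed[prefix or ""].pop()
        if old is None: in_scope.pop(prefix or "")
        else: in_scope[prefix or ""] = old
    def start(name, attrs):
        qname, _ = _split(name)
        if found or qname.split(":")[-1] != local_name:
            return
        used = {p for _, p in map(_split, (name, *attrs)) if p is not None}
        found.update(qname=qname, attrs={_split(a)[0]: v for a, v in attrs.items()},
                     inclusive=dict(in_scope),
                     exclusive={p: u for p, u in in_scope.items() if p in used})
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.namespace_prefixes = True    # report "uri local prefix" so prefixes are recoverable
    parser.StartNamespaceDeclHandler, parser.EndNamespaceDeclHandler = start_ns, end_ns
    parser.StartElementHandler = start
    parser.Parse(xml_bytes, True)
    return found

def digest_start_tag(view, ns):
    """SHA-256 over a C14N-style start tag (declarations sorted, default first, then attributes)."""
    decls = "".join(f' xmlns{":" + p if p else ""}="{u}"' for p, u in sorted(ns.items()))
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(view["attrs"].items()))
    return hashlib.sha256(f'<{view["qname"]}{decls}{attrs}>'.encode()).hexdigest()
```

Running `namespace_views(SAML_RESPONSE, "Assertion")` gives five bindings in the inclusive view and only `saml` in the exclusive one, so the two start tags digest differently; a signer and a verifier that see the assertion with different ancestors only agree on the digest if the reference uses exclusive canonicalization.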