Hi all,

If we enable signature confirmation element generation, the SignatureConfirmation Action will generate Elements for every signature, including signed SAML assertions/tokens. This has a few issues, namely:

1. The SAML assertion processor does not add a "signature-value" (WSSecurityEngineResult.TAG_SIGNATURE_VALUE), so the signature confirmation associated with the signed assertion has no attribute value, which according to the spec is: "If this attribute is specified with an empty value, the initiator SHOULD interpret this as incorrect behavior and process accordingly".

2. A SignatureConfirmation must be generated for every ds:Signature processed including, as far as I can tell, a signed SAML assertion. This results in bogus SignatureConfirmations.

I don't know which part is wrong, but I do know a signature confirmation w/o a value is busted. Based on reading the source, the SAMLTokenSigned processor should fill in the signature value.

Nimish
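The initiator-side check the spec calls for, as an added example (not WSS4J code and not from the original post): it collects every ds:SignatureValue sent in the request, including the one nested in a signed SAML assertion, and classifies each wsse11:SignatureConfirmation in the response as confirmed, empty-valued, unknown, or flags request signatures that were never confirmed. The SOAP fragments and signature values are constructed placeholders, not captured traffic.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def _norm(b64: str) -> str:
    # base64 content may be wrapped across lines; compare without whitespace
    return "".join((b64 or "").split())

def request_signature_values(request_xml: str) -> set:
    """Every ds:SignatureValue in the request, including signatures nested inside
    a SAML assertion: WS-Security 1.1 requires each one to be confirmed."""
    root = ET.fromstring(request_xml)
    return {_norm(e.text) for e in root.iter(f"{{{DS}}}SignatureValue") if _norm(e.text)}

def check_signature_confirmations(request_xml: str, response_xml: str) -> dict:
    """Classify each wsse11:SignatureConfirmation in the response by its wsu:Id:
    'confirmed' matches a value we sent, 'empty' has a blank or absent Value
    (incorrect behaviour per the spec), 'unknown' names a value we never sent.
    'missing' lists request signature values that received no confirmation."""
    sent = request_signature_values(request_xml)
    report = {"confirmed": [], "empty": [], "unknown": [], "missing": []}
    confirmed_values = set()
    for sc in ET.fromstring(response_xml).iter(f"{{{WSSE11}}}SignatureConfirmation"):
        sc_id = sc.get(f"{{{WSU}}}Id", "<no-id>")
        value = _norm(sc.get("Value"))
        if not value:
            report["empty"].append(sc_id)       # the case described in the mail
        elif value in sent:
            report["confirmed"].append(sc_id)
            confirmed_values.add(value)
        else:
            report["unknown"].append(sc_id)     # bogus confirmation
    report["missing"] = sorted(sent - confirmed_values)
    return report

# Constructed sample messages: one signature inside a SAML assertion, one body signature.
REQUEST = f"""<Envelope xmlns:ds="{DS}">
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <ds:Signature><ds:SignatureValue>QUJD</ds:SignatureValue></ds:Signature>
 </saml:Assertion>
 <ds:Signature><ds:SignatureValue>REVG</ds:SignatureValue></ds:Signature>
</Envelope>"""
RESPONSE = f"""<Envelope xmlns:wsse11="{WSSE11}" xmlns:wsu="{WSU}">
 <wsse11:SignatureConfirmation wsu:Id="SC-1" Value="REVG"/>
 <wsse11:SignatureConfirmation wsu:Id="SC-2" Value=""/>
 <wsse11:SignatureConfirmation wsu:Id="SC-3" Value="WFla"/>
</Envelope>"""

if __name__ == "__main__":
    print(check_signature_confirmations(REQUEST, RESPONSE))
```

On the constructed sample the report flags SC-2 as empty and SC-3 as unknown, and lists the assertion's signature value as never confirmed, which is the combination the mail describes.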
