Hi All, We are using OpenSAML on the Service Provider site to provide SSO for our clients. Our client (ID Provider) is using OpenSSO on their end. The SAML Response being posted by OpenSSO is a little different when it comes to the signature element, in that it is not qualified by the namespace. This doesn't seem to go down well with OpenSAML and it returns a null from the samlResponse.getSignature() method, due to which I cannot validate the signature.

Signature snippet of the SamlResponse that is causing the issue:

 <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
 <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 <Reference URI="#s2d10cccbd58d1f78c2c76c74c82a236548c929ffd">
 <Transforms>
 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </Transforms>
 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
 <DigestValue>j+KBoDOtEcyCquPTxRCXoBulStQ=</DigestValue>
 </Reference>
 </SignedInfo>
 <SignatureValue>
 Dv+owuZfGFymGGrw2gHA3/7GVC6mXt8JMW+tOvmtnjTRJZaDE+Nb2NCngio1Tnqu4LWnvVrry4Wk...
 6QcIJi/kGc4YFMSQj/Q=
 </SignatureValue>
 <KeyInfo>
 <X509Data>
 <X509Certificate>
 MIIEhDCCA+2gAwIBAgIQXxhipi2wpPxWi7MTVfFVHDANBgkqhkiG9w0BAQUFADCBujEfMB0GA1UE...
 78Q/lRQuBhHMy02lKctnwjBeEYA=
 </X509Certificate>
 </X509Data>
 </KeyInfo>

Signature snippet from another SAML Response that works:

 <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
       <dsig:SignedInfo>
   <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <dsig:Reference URI="#id-TtLltjcBSOAJ6OipumUEj8o0Qag-">
      <dsig:Transforms>
     <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
     <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>5c95zhA139qzMvZA2A445F3LWaU=</dsig:DigestValue>
   </dsig:Reference>
       </dsig:SignedInfo>
       <dsig:SignatureValue>JsmRFJn1CjClHs4rf0hrwKzOq6ZtmnOEm/PNiaJvYurko/ZP+PApWhk55x0unIVwZ6XDv3k8Dj81WqUl07J0Dkvzp71bccIgiGTRzoNPT71nBAXxJmZiXz51JWctg13zjxP0oQMSpWytKCrFkCkJ0So3RQl3WixYV3miK0YjJnM=</dsig:SignatureValue>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 </ds:KeyInfo>

As you can see above, the signature snippet from the OpenSSO server does not contain the namespace qualifier as specified in the SAML Bindings spec.

The last option for me would be to do some massaging of the SAMLResponse that is posted to prepend the namespace to the signature elements to make the OpenSAML libraries work.

Any ideas on how to solve this using the OpenSAML libraries highly appreciated.

Thanks in advance CJ
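The following is an added example and is not code from the post, from OpenSSO or from OpenSAML. It reproduces the symptom at the XML level with a constructed Response modelled on the two snippets above, in Python rather than Java so it runs stand-alone: an unprefixed `<Signature>` that declares only an unused `ds:` prefix (and no default `xmlns`) is in no namespace at all, so a namespace-aware parser does not see an XML DSig Signature, which is why a library lookup such as `getSignature()` comes back empty. The repair is the narrowest one the poster describes as a last resort: move the Signature subtree into the DSig namespace before the document reaches the SAML library, changing element names only and leaving digests, signature value and certificate untouched. The `samlp:Response` wrapper, IDs and digest/signature values are placeholders I constructed, not values from the post.

```python
"""Diagnose and repair an unqualified <Signature> in a SAML Response.

Added example (not code from the original post or from OpenSAML): it shows at
the XML level why a namespace-aware library cannot find the Signature, and the
narrowest repair, applied before the document is handed to the SAML library.
"""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("ds", DSIG_NS)
ET.register_namespace("samlp", SAMLP_NS)

# Constructed sample modelled on the post's failing snippet: the Signature
# subtree is unprefixed and declares only an unused ds: prefix, so every
# element in it is in *no* namespace. IDs, digest and signature values are
# placeholders, not real cryptographic output.
BROKEN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
 <Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <Reference URI="#_r1">
    <Transforms>
     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>PLACEHOLDER_DIGEST=</DigestValue>
   </Reference>
  </SignedInfo>
  <SignatureValue>PLACEHOLDER_SIGNATURE=</SignatureValue>
 </Signature>
</samlp:Response>"""

# The working snippet in the post differs by exactly one thing: a default
# namespace declaration on Signature, which every unprefixed child inherits.
GOOD_RESPONSE = BROKEN_RESPONSE.replace(
    '<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">',
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">',
)


def split_tag(tag):
    """Return (namespace URI or None, local name) for an ElementTree tag."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return None, tag


def find_signature(root):
    """Return the Signature that is a direct child of root, whatever its namespace.

    Only direct children count: an enveloped signature protects its parent, so a
    verifier must never pick up a Signature found elsewhere in the document.
    """
    for child in root:
        if split_tag(child.tag)[1] == "Signature":
            return child
    return None


def signature_namespace(xml_text):
    """Namespace URI of the top-level Signature, or None when it is unqualified."""
    sig = find_signature(ET.fromstring(xml_text))
    if sig is None:
        raise ValueError("Response carries no top-level Signature element")
    return split_tag(sig.tag)[0]


def is_dsig_signature(xml_text):
    """True only when the Signature is in the XML DSig namespace a SAML library expects."""
    return signature_namespace(xml_text) == DSIG_NS


def unqualified_signature_elements(xml_text):
    """Local names of elements inside the Signature subtree that are in no namespace."""
    sig = find_signature(ET.fromstring(xml_text))
    if sig is None:
        raise ValueError("Response carries no top-level Signature element")
    return [split_tag(el.tag)[1] for el in sig.iter() if split_tag(el.tag)[0] is None]


def qualify_signature(xml_text):
    """Move every unqualified element of the Signature subtree into DSIG_NS.

    Only element names change; attributes and text (digests, signature value,
    certificate) are left untouched, and already-qualified elements are kept.
    """
    root = ET.fromstring(xml_text)
    sig = find_signature(root)
    if sig is None:
        raise ValueError("Response carries no top-level Signature element")
    for el in sig.iter():
        ns, local = split_tag(el.tag)
        if ns is None:
            el.tag = "{%s}%s" % (DSIG_NS, local)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("broken Signature namespace:", signature_namespace(BROKEN_RESPONSE))
    print("unqualified elements:", unqualified_signature_elements(BROKEN_RESPONSE))
    repaired = qualify_signature(BROKEN_RESPONSE)
    print("repaired is DSig:", is_dsig_signature(repaired))
    print("good snippet is DSig:", is_dsig_signature(GOOD_RESPONSE))
```

In Java the same repair would be done on the parsed DOM (for example with DOM Level 3 `Document.renameNode`) before the document is passed to the OpenSAML unmarshaller. Two points matter after the repair: the signature must still verify against the Identity Provider's certificate configured on the Service Provider side, not against whatever certificate the Response carries in its own `KeyInfo`; and if the IdP actually computed the signature over the unqualified form, re-namespacing will make verification fail, which is the correct outcome and must be reported back to the IdP rather than worked around by relaxing verification.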