Hi Colm,

thanks for your reply and sorry for the late response.

We are now seeing the root cause of the problem because the client sends us
an empty reference ID in the signature block.

I can only post parts of the SAML2-Assertion:

<saml2:Assertion ID="cc847542-81eb-4720-9068-d9de7d892dcd"
    IssueInstant="2020-01-22T13:35:44Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>XXXX</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>yk65BmkjJAF9MTQ927JPMNpoBbQ=</DigestValue>
      </Reference>
    </SignedInfo>
    ...
      </KeyValue>
    </KeyInfo>
  </Signature>

The signature check in the library used by Apache CXF (WSS4J + Santuario?)
now checks the signature over the whole SOAP message instead of only the SAML
assertion because of the empty URI in the Reference tag. The digest of the
whole SOAP message will never be the same as that of the SAML2 assertion, so
it will never work this way.

The reference URI must be the SAML Assertion ID
(cc847542-81eb-4720-9068-d9de7d892dcd) to have the correct scope, right?
Do you have any idea whether there is a configuration option so that the
reference resolution does not work this way? Or is this simply an invalid
signature in the scope of a SOAP message?

We have checked the SAML assertion standalone: the signature check with
other tools is successful, so the signature itself is correct. The SAML
assertion in the context of a SOAP message leads to an error...

We are using Apache CXF 3.3.4...

Thanks
Jens



--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
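To make the scoping question above concrete, here is a small added check (not from this thread, nor from CXF, WSS4J or Santuario) that parses an assertion and reports whether the ds:Reference URI is empty, which XML-DSig defines as "the whole document containing the signature", or a same-document reference naming the Assertion ID. The sample assertion is constructed from the fragment in the mail with a placeholder SignatureValue; the check covers only reference scope, not digest or signature verification.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"


def check_reference_scope(assertion_xml: str) -> dict:
    """Classify what the ds:Reference in a saml2:Assertion's signature covers.
    XML-DSig: URI="" = the whole document containing the signature (the SOAP
    Envelope when the assertion is embedded); URI="#<id>" = that element only."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML2}}}Assertion":
        raise ValueError("root element is not a saml2:Assertion")
    assertion_id = root.get("ID")
    refs = root.findall(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return {"ok": False, "scope": "unexpected",
                "reason": f"expected exactly one Reference, found {len(refs)}"}
    uri = refs[0].get("URI", "")
    if uri == "":
        return {"ok": False, "scope": "whole-document",
                "reason": "empty URI: digest covers the enclosing document"}
    if not uri.startswith("#"):
        return {"ok": False, "scope": "external", "reason": f"non-same-document URI {uri}"}
    if uri[1:] != assertion_id:
        return {"ok": False, "scope": "other-element",
                "reason": f"{uri} does not match Assertion ID {assertion_id}"}
    return {"ok": True, "scope": "assertion", "reason": f"URI names Assertion ID {assertion_id}"}


def sample_assertion(reference_uri: str) -> str:
    """Constructed sample modelled on the mail's fragment; SignatureValue is a placeholder."""
    return f"""<saml2:Assertion ID="cc847542-81eb-4720-9068-d9de7d892dcd"
    IssueInstant="2020-01-22T13:35:44Z" Version="2.0" xmlns:saml2="{SAML2}">
  <saml2:Issuer>XXXX</saml2:Issuer>
  <Signature xmlns="{DS}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="{reference_uri}">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>yk65BmkjJAF9MTQ927JPMNpoBbQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</saml2:Assertion>"""
```

Calling `check_reference_scope(sample_assertion(""))` reproduces the case in the mail (scope "whole-document"), while `sample_assertion("#cc847542-81eb-4720-9068-d9de7d892dcd")` yields scope "assertion".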
