Zdeněk,

On 3/13/23 12:57, Zdeněk Henek wrote:
I have implemented SAML 2.0 Service Provider using
https://github.com/spring-attic/spring-security-saml  It is not developed
anymore, but ...

I don't have my dev env available till Sunday, if you would like I could
use your Okta configuration next week to connect to my service provider to
see how it works.

Do you use directly the Shibboleth SP library or any other library to
implement Service Provider?

I use the Java XML dsig APIs directly. There is no supporting library such as spring-security-saml, Shibboleth, OpenSAML, etc.

Does your service provider work fine if you use another Identity Provider
e.g. MS ADFS server?

Yes. Our code works with other SAML implementations including MS AD-SAML, VMWare Identity Manager, PingFed, and a few things where I'm not sure what the partner is actually using.

So we know the code we have is /mostly/ applicable. I'm having trouble tracking down why this particular provider's SAML responses are failing to validate.

Thanks,
-chris

On Mon, Mar 13, 2023 at 3:27 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

All,

I'm having a bit of trouble validating a SAML response which has been
signed by Okta (who know a thing or two about signed XML), and the code
I'm using was written by me using the basic Java XML security APIs, so
I'm thinking there is something off with what I'm doing.

If anyone has some experience with XMLDSIG in Java, I'd be grateful for
any help you might be able to provide.

Okta is providing two signatures: one for the assertions and one for the
overall SAML response (i.e. the whole XML document). The signatures
appear to be correct, but "core validation" is failing because of the
<Reference> in the signature.

I've been single-stepping through the process with a debugger and it
looks like something is going wrong with the XML canonicalization, but
I'm in a little over my head.

Any help would be appreciated.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
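An added example, not code from this thread, of the kind of check Chris describes, written against the plain JDK javax.xml.crypto.dsig API: it pins the IdP certificate (supplied by the caller; loading it is left out) rather than trusting the ds:KeyInfo in the message, and when core validation fails it reports the SignatureValue and each Reference separately so the failing part is visible. The class name and the ID-marking helper are my own.

```java
import java.io.InputStream;
import java.security.cert.X509Certificate;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Example class (hypothetical name): validate every ds:Signature in a SAML Response.
public final class SamlSignatureCheck {
    static final String DSIG = XMLSignature.XMLNS;

    public static void check(InputStream samlResponse, X509Certificate idpCert) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);          // required: ds:/saml: prefixes must resolve
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = dbf.newDocumentBuilder().parse(samlResponse);
        // A URI="#_abc" Reference resolves only if the parser knows "ID" is an ID attribute;
        // SAML's ID is not xml:id, so mark it explicitly before unmarshalling the signature.
        markIdAttributes(doc.getDocumentElement());

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        NodeList sigs = doc.getElementsByTagNameNS(DSIG, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Node sigNode = sigs.item(i);
            // Pin the IdP key instead of trusting ds:KeyInfo shipped inside the message.
            DOMValidateContext ctx = new DOMValidateContext(idpCert.getPublicKey(), sigNode);
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            boolean core = sig.validate(ctx);
            System.out.println("Signature over " + sigNode.getParentNode().getLocalName()
                    + " core validation: " + core);
            if (!core) {
                // Separate the two halves of core validation so the failing piece is obvious.
                System.out.println("  SignatureValue ok: " + sig.getSignatureValue().validate(ctx));
                for (Object o : sig.getSignedInfo().getReferences()) {
                    Reference ref = (Reference) o;
                    System.out.println("  Reference " + ref.getURI() + " ok: " + ref.validate(ctx));
                }
            }
        }
    }

    private static void markIdAttributes(Element el) {
        if (el.hasAttribute("ID")) el.setIdAttribute("ID", true);
        for (Node n = el.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element) markIdAttributes((Element) n);
    }
}
```

If a Reference reports false while the SignatureValue reports true, the digest over the canonicalized referenced element is what differs, which narrows the search to the ID resolution, the Transforms, or the canonicalization method rather than the key. A separate check that the element actually consumed as the assertion is the same one the Reference points at is still needed, since the signature only covers what the Reference selects.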
