I'm trying to use a SAML token with WSS4J with the "sender vouches" option.
I followed the configuration tips in the interop files, but while the client generates the assertion and signs both the assertion and the body of the message, on the server side I can verify only the body signature, and I always get an error for the assertion signature:
 
16:08:51,515 WARN  [Reference] Verification failed for URI "#STRSAMLId-136"
16:08:51,515 INFO  [Reference] Verification successful for URI "#id-137"
16:08:51,531 INFO  [STDOUT] org.apache.ws.security.WSSecurityException: The signature verification failed
16:08:51,531 INFO  [STDOUT]     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:327)
 
My Axis configuration client side is:
   <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
     <parameter name="action" value="Timestamp SAMLTokenSigned"/>
     <parameter name="samlPropFile" value="saml3.properties"/>
     <parameter name="signatureKeyIdentifier" value="DirectReference"/>
    </handler>
   </requestFlow>
 
and server side is:
   <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
     <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
     <parameter name="signaturePropFile" value="pa-crypto.properties"/>
    </handler>
   </requestFlow>
 
Quite strangely, if I use the "keyHolder" option (with small changes to the Axis configuration, as described in the interop files), everything works fine with the same keystore.
 
Thanks
 
Luciano Montebove


 
