Signature Verification Error? [repost]

massimiliano.masi at massimiliano.masi at
Wed Aug 8 10:37:07 EDT 2012

Hi All,

I am reposting this message, since it looks like it fell into a
black hole, after a slight misunderstanding,
because of my English! :-)

Using OpenSAML I correctly validate the signature of an assertion that has
as Subject Confirmation Data the following


When I add this assertion to a newly created security header, DOM is
pushing the namespace in the security header element, as:

<wsse:Security xmlns:wsse="

causing the keyInfo of the Subject Confirmation Data to be:

<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="

and this seems to break the validation of the SAML assertion:

Caused by: org.opensaml.xml.validation.ValidationException: Signature did
not validate against the credential's key


How to avoid this situation? The assertion's SignedInfo is:


            <ds:CanonicalizationMethod Algorithm=""/>

            <ds:SignatureMethod Algorithm=""/>

            <ds:Reference URI="#uuid-d8840a0d-fa90-4522-806e-edc8dc427d2b">


                <ds:Transform Algorithm=""/>

                <ds:Transform Algorithm=""/>


              <ds:DigestMethod Algorithm=""/>




AFAIK, the two XMLs are semantically equivalent, thus the signature shall
behave the same, or am I wrong?

Massimiliano Masi