Metadata resolver is looking at ID instead of entityID
Brent Putman
putmanb at georgetown.edu
Tue Aug 7 16:48:18 EDT 2018
On 8/7/18 3:23 PM, Brent Putman wrote:
>>
>> The dev has checked the code on their side and found no issues in the
>> signature.
>
> Well, the digest at validation time is different than it was at
> signature time. So that's the issue, period. Either there is a bug
> in the signing code or the document really has been changed since it
> was signed. Only you and/or your developer are in a position to
> diagnose the root cause there. Quadruply so if your local developer
> is writing their own XML Signature code, or trying to implement a
> custom SP with a third-party XML Signature library.
>
>
Just FYI, I forgot that we have some info in our wiki for
troubleshooting signature problems (ignore the warning at top, we
haven't moved content to OpenSAML 3 wiki):
https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManSigErrors
In particular look at #4 and #5. If your signature won't validate using
one of the tools listed in #4, then the problem is on your side.
For #5, you'd want to compare the "pre-digest" value from the Shib IdP
with the same from your SP side prior to signing.
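
Added example, not part of the original message or the Shibboleth wiki: a small Python helper for the comparison described for #5, which digests two captured pre-digest byte strings and locates the first byte where they diverge. The function names, the SHA-256 choice and the sample AuthnRequest bytes are constructed for illustration; substitute the bytes you captured on the signing and validating sides.

```python
import base64
import hashlib


def digest_b64(pre_digest: bytes, algorithm: str = "sha256") -> str:
    """Base64 digest of the pre-digest bytes, in the form ds:DigestValue carries."""
    return base64.b64encode(hashlib.new(algorithm, pre_digest).digest()).decode("ascii")


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the inputs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    # One input is a strict prefix of the other: they diverge where the shorter ends.
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_pre_digest(signer: bytes, validator: bytes, context: int = 24) -> dict:
    """Compare what was digested at signing time with what is digested at validation."""
    offset = first_difference(signer, validator)
    report = {
        "match": offset is None,
        "signer_digest": digest_b64(signer),
        "validator_digest": digest_b64(validator),
        "offset": offset,
    }
    if offset is not None:
        lo = max(0, offset - context)
        report["signer_context"] = signer[lo:offset + context]
        report["validator_context"] = validator[lo:offset + context]
    return report


# Constructed sample: the same request, re-indented after it was signed.
SIGNER = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'ID="_constructed1" Version="2.0">'
          b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          b'https://sp.example.org/sp</saml:Issuer></samlp:AuthnRequest>')
VALIDATOR = SIGNER.replace(b"<saml:Issuer", b"\n  <saml:Issuer")

if __name__ == "__main__":
    for key, value in compare_pre_digest(SIGNER, VALIDATOR).items():
        print(f"{key}: {value!r}")
```

The context slices are printed with `repr` so that whitespace, line endings and other bytes that are invisible in a log viewer show up as escapes.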