On 8/7/18 3:23 PM, Brent Putman wrote:
>> The dev has checked the code on their side and found no issues in the
>> signature.
> Well, the digest at validation time is different than it was at
> signature time.  So that's the issue, period.  Either there is a bug
> in the signing code or the document really has been changed since it
> was signed.  Only you and/or your developer are in a position to
> diagnose the root cause there.  Quadruply so if your local developer
> is writing their own XML Signature code, or trying to implement a
> custom SP with a third-party XML Signature library.

Just FYI, I forgot that we have some info in our wiki for
troubleshooting signature problems (ignore the warning at top, we
haven't moved content to OpenSAML 3 wiki):

In particular, look at #4 and #5.  If your signature won't validate using
one of the tools listed in #4, then the problem is on your side.

For #5, you'd want to compare the "pre-digest" value from the Shib IdP
with the same from your SP side prior to signing.
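
The pre-digest comparison described in #5, as an added example that is not part of the original message or the wiki. It assumes both sides have logged their pre-digest (canonicalized) bytes and that the digest method is SHA-256; the function names and the two sample values are constructed for illustration, with the validator copy carrying whitespace inserted after signing.

```python
import base64
import hashlib


def digest_b64(pre_digest: bytes, algorithm: str = "sha256") -> str:
    """Base64 digest of the pre-digest bytes, the form a DigestValue carries."""
    raw = hashlib.new(algorithm, pre_digest).digest()
    return base64.b64encode(raw).decode("ascii")


def first_difference(signer: bytes, validator: bytes, context: int = 16):
    """Return None if identical, else (offset, signer_slice, validator_slice)."""
    if signer == validator:
        return None
    limit = min(len(signer), len(validator))
    # If one input is a prefix of the other, the difference starts at `limit`.
    offset = next((i for i in range(limit) if signer[i] != validator[i]), limit)
    start = max(0, offset - context)
    end = offset + context
    return offset, signer[start:end], validator[start:end]


def compare_pre_digest(signer: bytes, validator: bytes, algorithm: str = "sha256"):
    """Summarize whether the two sides digested the same bytes, and where they split."""
    diff = first_difference(signer, validator)
    return {
        "signer_digest": digest_b64(signer, algorithm),
        "validator_digest": digest_b64(validator, algorithm),
        "match": diff is None,
        "offset": None if diff is None else diff[0],
        "signer_context": None if diff is None else diff[1],
        "validator_context": None if diff is None else diff[2],
    }


# Constructed sample: what the SP canonicalized before signing ...
SIGNER_SIDE = b'<Request ID="_a1"><Issuer>https://sp.example.org</Issuer></Request>'
# ... and what the IdP canonicalized at validation, after the document was
# re-indented somewhere in between (constructed scenario).
VALIDATOR_SIDE = SIGNER_SIDE.replace(b"><Issuer", b">\n  <Issuer")

if __name__ == "__main__":
    for key, value in compare_pre_digest(SIGNER_SIDE, VALIDATOR_SIDE).items():
        print(f"{key}: {value!r}")
```

Printing the context slices with `repr` makes invisible differences such as line endings or indentation visible at the reported offset.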

