SAML with Sender Vouches: Reference validation failure

Hello All,

I have a scenario here wherein I have a WSIT client calling an Oracle Web Service expecting a SAML token using the Sender vouches confirmation method. There is a failure when I run the above scenario. The attached file has the error. I notice in the request that the signature reference for the SAML assertion has an extra c14n transform algorithm element with inclusive namespaces for S, wsse and wsu.

-----
<ds:Reference URI="#31c747c4-d80d-481a-a4e2-531111834178">
  <ds:Transforms>
    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
      <wsse:TransformationParameters>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </wsse:TransformationParameters>
    </ds:Transform>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
    </ds:Transform>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <ds:DigestValue>wj4VyOmswlwSoEyFXx3Q1zZnFIo=</ds:DigestValue>
</ds:Reference>
-----

I am a bit confused as to why this extra step of canonicalization is required since there is an STR transform that does c14n. Also, the SAML assertion does not have any of the namespaces mentioned above. Can someone throw some light on this? Is this a WSIT bug?

Thanks
- Prasanth

[Message sent by forum member 'prashi123' (prashi123)]
http://forums.java.net/jive/thread.jspa?messageID=287361

Re: SAML with Sender Vouches: Reference validation failure

An Update:

When I turn on the logging for security, I see the following entry for the canonicalized target value for the SAML assertion:

------------------------------------------------------------------------------------
[#|2008-07-18T08:42:37.569-0700|FINEST|sun-appserver9.1|com.sun.xml.wss.logging.impl.opt.signature|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8080-0;ClassName=com.sun.xml.ws.security.opt.crypto.dsig.Transform;MethodName=transform;_RequestID=b2b8189a-6ec5-4101-9710-da5d3cca1878;|WSS1757: Canonicalized target value: <saml:Assertion xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" AssertionID="1216395757038" IssueInstant="2008-07-18T08:42:37.038-07:00" Issuer="CN=Assertion Issuer,OU=AI,O=Assertion Issuer,L=Waltham,ST=MA,C=US" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2008-07-18T07:42:37.038-07:00" NotOnOrAfter="2008-07-18T09:42:37.038-07:00"><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches<saml:Attribute AttributeName="attribute1" AttributeNamespace="urn:com:sun:xml:wss:attribute"><saml:AttributeValue xmlns:ns5="http://www.w3.org/2001/XMLSchema-instance" ns5:type="[b]ns6:string">ATTRIBUTE1[/b]|#]
------------------------------------------------------------------------------------

The SAML assertion seems to be truncated [see bold above].
It is missing the remaining part: </saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

[Message sent by forum member 'prashi123' (prashi123)]
http://forums.java.net/jive/thread.jspa?messageID=287642
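
An added example (not part of the original posts and not WSIT code) showing what an `InclusiveNamespaces PrefixList` does to the exclusive c14n output of an assertion that uses none of the listed prefixes itself, and therefore to the bytes that get digested. The envelope is constructed sample data, `exc_c14n` and `digest_inputs` are hypothetical names, and the serializer covers elements, attributes, text and prefixed namespace declarations only (no default namespace, `xml:` attributes or processing instructions).

```python
import base64, hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
# Constructed sample: the assertion itself uses none of the S, wsse or wsu prefixes.
SAMPLE = (f'<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSS}secext-1.0.xsd" '
          f'xmlns:wsu="{WSS}utility-1.0.xsd"><S:Header><wsse:Security>'
          '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
          'MinorVersion="1" MajorVersion="1" AssertionID="constructed-1">'
          '<saml:AttributeStatement><saml:Attribute AttributeName="attribute1">'
          '<saml:AttributeValue>ATTRIBUTE1</saml:AttributeValue></saml:Attribute>'
          '</saml:AttributeStatement></saml:Assertion></wsse:Security></S:Header><S:Body/></S:Envelope>')
ATTR_ESC = str.maketrans({"&": "&amp;", "<": "&lt;", '"': "&quot;", "\t": "&#x9;", "\n": "&#xA;", "\r": "&#xD;"})

def in_scope(el):  # prefix -> URI for every xmlns:* declaration visible at el (nearest wins)
    ns = {}
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        for name, value in el.attributes.items():
            if name.startswith("xmlns:"):
                ns.setdefault(name[6:], value)
        el = el.parentNode
    return ns

def exc_c14n(el, inclusive=(), rendered=None):
    # Exclusive C14N of el's subtree; `inclusive` is the InclusiveNamespaces PrefixList.
    rendered, scope = dict(rendered or {}), in_scope(el)
    attrs = [(n, v) for n, v in el.attributes.items() if n != "xmlns" and not n.startswith("xmlns:")]
    used = {q.split(":")[0] for q in [el.tagName] + [n for n, _ in attrs] if ":" in q}
    key = lambda a: (scope.get(a[0].rpartition(":")[0], ""), a[0].rpartition(":")[2])
    out = "<" + el.tagName
    for p in sorted(scope):  # declare only prefixes that are used or listed, and not inherited
        if (p in used or p in inclusive) and rendered.get(p) != scope[p]:
            rendered[p] = scope[p]
            out += f' xmlns:{p}="{scope[p].translate(ATTR_ESC)}"'
    out += "".join(f' {n}="{v.translate(ATTR_ESC)}"' for n, v in sorted(attrs, key=key)) + ">"
    for c in el.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out += exc_c14n(c, inclusive, rendered)
        elif c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE):
            out += escape(c.data).replace("\r", "&#xD;")
    return f"{out}</{el.tagName}>"

def digest_inputs(xml=SAMPLE, prefixes=("wsu", "wsse", "S")):
    # (canonical form, base64 SHA-1 digest) without and then with the PrefixList;
    # SHA-1 only because it is the DigestMethod in the Reference quoted in the thread.
    node = minidom.parseString(xml).getElementsByTagName("saml:Assertion")[0]
    forms = exc_c14n(node), exc_c14n(node, prefixes)
    return [(f, base64.b64encode(hashlib.sha1(f.encode()).digest()).decode()) for f in forms]
```

With the PrefixList applied, the apex element carries `xmlns:S`, `xmlns:wsse` and `xmlns:wsu` inherited from the envelope, the same shape as the canonicalized target in the log above. A verifier that canonicalizes the same assertion without that list hashes different bytes and gets a different digest.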

Re: SAML with Sender Vouches: Reference validation failure

Hi, was this ever resolved? We are seeing the exact same thing in Metro 1.4 over 1 year later.

[Message sent by forum member 'vlewis' (vlewis@...)]
http://forums.java.net/jive/thread.jspa?messageID=369661