authnrequest invalid signature

Forum topic: Submitted by wietse8 on Wed, 2010-12-22 19:44. Last updated on Wed, 2010-12-22 19:51.

i receive a 'invalid signature' from the IDP (</samlp:StatusCode>), what causes this message to appear? what part of the authnrequest should be signed? and how does the idp validate it? i dont understand how it is possible that the element with the signature is within the element that needs to be signed (root?) (if that is the case)

‹ HOW TO PARSE SAML2 ARTIFACT How to find encryption details of SP initiated message? ›

Request Signatures

conor | Thu, 2010-12-23 14:13

  1. The AuthnRequest doesn't have to be signed unless the IdP requires it or the SP tells the IdP that it will always sign the request.
  2. The entire message should be signed (see the RequestAbstractType in the Core specification for a description of the signature element and Section 5 in the Core specification for a description of using Signatures).
  3. The IdP applies standard XML signature validation processes to validate the signature itself and then applies its own internal policies on the acceptability of the key used in the signature.
  4. XML Signature allows for a signature to be encapsulated in the element being signed.  The signature does not apply to the signature itself.  Review section 5 of the core specification as well as the XML Signature specs for more details.  XML Signature libraries typically understand this type of enveloped signature.
XML.org Focus Areas: BPEL | DITA | ebXML | IDtrust | OpenDocument | SAML | UBL | UDDI
OASIS sites: OASIS | Cover Pages | XML.org | AMQP | CGM Open | eGov | Emergency | IDtrust | LegalXML | Open CSA | WS-I

Hosted by:

OASIS