Problem signing SAML document


Christopher Sterling

Apr 21, 2014, 1:01:47 PM
to xmlse...@googlegroups.com
Hello,

So, I'm having a problem I hope I can get some pointers on. I have a SAML document that I'm trying to create and I'm not having a whole lot of luck.

I've gotten it so the document is signed, but the issue I'm running into is on the provider's endpoint: I'm getting the error "digest value mismatch". What I'm guessing is happening is that the document is being signed, and then the signature is being added to the document, and then when it gets to their end, they pull out the signature, but in the process of pulling it out, I'm guessing it messes it up a little.

Here's the process that I'm using to create the signed document.

  $doc = new DOMDocument();
  $doc->formatOutput = true;          // pretty-print (re-indent) the tree on save()
  $doc->preserveWhiteSpace = false;   // drop whitespace-only text nodes on load
  if($doc->loadXML($responseXmlString)){
    $objDSig = new XMLSecurityDSig();
    $objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    /* enveloped-signature reference over the whole root element, SHA-256 digest */
    $objDSig->addReference($doc->documentElement, XMLSecurityDSig::SHA256, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'));
    $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type'=>'private'));
    /* load private key ($privKey is a file path, hence the TRUE) */
    $objKey->loadKey( $privKey, TRUE);
    $objDSig->sign($objKey);
    /* Add associated public key */
    $objDSig->add509Cert(file_get_contents('gsukeys/academicworks_pub.pem'));
    /* insert ds:Signature as the first child of the root element */
    $objDSig->appendSignature($doc->documentElement, true);
    $doc->save($tempFileName.'.out');
  }else{
    echo 'failed to parse document...';
  }

This process works, it creates a signed document; the issue I'm running into is that on the provider's end, it is a digest mismatch.

I've gone in and edited the xmlseclibs.php file to save the data that it's hashing, and when I run what it hashes against the digest value, it does match. I'm just not sure how to best proceed. Thoughts?

Rob Richards

May 29, 2014, 3:07:18 PM
to xmlse...@googlegroups.com
How are you sending the document to them? Is it possible that whitespace is getting added somehow when sent?
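An added example, not code from this thread or from xmlseclibs: it reproduces the whitespace effect asked about above using only PHP's DOMDocument. It computes the exclusive-C14N SHA-256 digest of the root element (the value an enveloped-signature reference carries, before the ds:Signature element exists) on the whitespace-stripped DOM that gets signed, then recomputes it from the serialised document as a relying party would parse it, once with formatOutput = true as in the signing code above and once without. The sample XML, the function names and the identifiers in it are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or xmlseclibs). The sample XML is
// constructed and only mimics the shape of a SAML Response.

// Digest the way an XMLDSig reference over the root element is computed:
// exclusive C14N of the element, then SHA-256, base64-encoded.
function exclusiveC14nDigest(DOMDocument $doc): string
{
    $canonical = $doc->documentElement->C14N(true, false);
    return base64_encode(hash('sha256', $canonical, true));
}

// Load the way the signing code does: whitespace-only text nodes dropped.
function loadWithoutWhitespace(string $xml): DOMDocument
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;
    if (!$doc->loadXML($xml)) {
        throw new RuntimeException('failed to parse document');
    }
    return $doc;
}

// The relying party parses what arrives on the wire with the default
// preserveWhiteSpace = true, so every indentation node is significant.
function digestAsReceived(string $wireXml): string
{
    $received = new DOMDocument();
    if (!$received->loadXML($wireXml)) {
        throw new RuntimeException('failed to parse received document');
    }
    return exclusiveC14nDigest($received);
}

// Constructed sample, indented like a hand-written file.
$sample = <<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-id" Version="2.0">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>
XML;

// 1. What the signer hashes: the whitespace-stripped in-memory DOM.
$signerDoc = loadWithoutWhitespace($sample);
$digestAtSigning = exclusiveC14nDigest($signerDoc);

// 2. Pretty-printed output: save()/saveXML() re-insert indentation nodes.
$signerDoc->formatOutput = true;
$prettyXml = $signerDoc->saveXML();

// 3. Compact output: nothing added, the serialised tree equals the signed one.
$signerDoc->formatOutput = false;
$compactXml = $signerDoc->saveXML();

$fromPretty  = digestAsReceived($prettyXml);
$fromCompact = digestAsReceived($compactXml);

printf("digest at signing : %s\n", $digestAtSigning);
printf("after formatOutput: %s (%s)\n", $fromPretty,
       $fromPretty === $digestAtSigning ? 'match' : 'MISMATCH');
printf("compact output    : %s (%s)\n", $fromCompact,
       $fromCompact === $digestAtSigning ? 'match' : 'MISMATCH');
```

Run it with `php example.php`: the pretty-printed copy reports MISMATCH because the indentation text nodes that formatOutput writes become part of the canonical form on the receiving side, while the compact copy matches. The same comparison, run on the exact bytes a provider receives, is the quickest way to tell whether a "digest value mismatch" comes from serialisation or from something changing the document in transit.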

Christopher Sterling

May 30, 2014, 10:05:06 AM
to xmlse...@googlegroups.com
I ended up solving this. I found this: http://michaelseiler.net/2013/08/23/cas-and-google-sso-integration/ and was able to rework it and get it to work how I needed. Thanks for following up.
