okta service integration {error, bad_digest} (lack of support of InclusiveNamespaces?) #7

Closed
IgorKarymov opened this issue Oct 29, 2013 · 3 comments
@IgorKarymov
Contributor

Signature verification works fine when AttributeStatement is not present.
But when Okta started sending user attributes, I got an {error,bad_digest} error.
I noticed that the difference between these responses is an additional child of the Transform element:

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces>
</ds:Transform>

https://drive.google.com/#folders/0BzsH_XaDBRd7SV9XLWVLLWlzMlk

@arekinath
Owner

Is this the actual XML it's presenting? Without any xmlns: attributes? It seems weird that something that's asking for an InclusiveNamespace would not declare any namespaces at all, since the point of that option is to ask for a namespace to not be moved around...

@ghost ghost assigned arekinath Oct 30, 2013
arekinath added a commit that referenced this issue Oct 30, 2013
This should help with issue #7, and possibly #2 too
@IgorKarymov
Contributor Author

You are right, this was the wrong XML. I updated the initial post with a link to the correct one.
This time, the output obtained
with xmlstarlet c14n --exc-with-comments esaml_canon.xml 'xs' > libxml_canon.xml
is exactly the same as what we got with the esaml canonization procedure.

arekinath added a commit that referenced this issue Oct 31, 2013
After this, we also check the signature method and c14n method to make
sure they're the ones that we actually support (now we will crash
if they are not).

Will add some tests for this later, generating small XML to test
it is quite complicated at the moment (since they need to be signed in
the new canonical form).

Probably solves #7
@arekinath
Owner

I can successfully verify the xml from your google drive now, after b6f3a91. Want to test again and let me know how it goes?

c-bik referenced this issue in KonnexionsGmbH/esaml Apr 16, 2017
zvoykish added a commit to zvoykish/esaml that referenced this issue Aug 3, 2017
TS-2979 - SAML: enhancement Auto-populate SAML username field with TT…
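
Added example, not code from esaml or from either participant: a simplified exclusive-C14N renderer in Python showing how an InclusiveNamespaces PrefixList of "xs" changes the canonical bytes, and therefore the digest, when the xs prefix is used only inside an attribute value. The sample XML, the function names and the choice of SHA-256 are assumptions; default namespaces, comments and processing instructions are not handled.

```python
import hashlib
from xml.dom import minidom
# Constructed sample, not the Okta response from the issue. The xs prefix
# occurs only inside the xsi:type attribute *value*, never in a node name.
SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<saml:AttributeValue xsi:type="xs:string">alice</saml:AttributeValue>'
    '</saml:Assertion>'
)

def esc(s, attr=False):
    # C14N escaping, minus the whitespace character references.
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    return s.replace('"', "&quot;") if attr else s.replace(">", "&gt;")

def exc_c14n(node, prefix_list=(), scope=None, rendered=None):
    # Simplified exclusive C14N: prefixed names, attributes and text only.
    scope, rendered = dict(scope or {}), dict(rendered or {})
    attrs = list(node.attributes.values())
    scope.update({a.name[6:]: a.value for a in attrs if a.name.startswith("xmlns:")})
    plain = [a for a in attrs if a.name.split(":")[0] != "xmlns"]
    # Visibly utilized prefixes (element and attribute names) plus PrefixList.
    names = [node.tagName] + [a.name for a in plain]
    wanted = {n.split(":")[0] for n in names if ":" in n}
    wanted |= set(prefix_list) & set(scope)
    out = "<" + node.tagName
    for p in sorted(wanted):
        if rendered.get(p) != scope[p]:  # not yet declared in the output
            out += ' xmlns:%s="%s"' % (p, esc(scope[p], True))
            rendered[p] = scope[p]
    # Attributes sort by (namespace URI, local name); unprefixed ones first.
    for a in sorted(plain, key=lambda a: (a.namespaceURI or "", a.name.rpartition(":")[2])):
        out += ' %s="%s"' % (a.name, esc(a.value, True))
    out += ">"
    for c in node.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            out += exc_c14n(c, prefix_list, scope, rendered)
        elif c.nodeType == c.TEXT_NODE:
            out += esc(c.data)
    return out + "</%s>" % node.tagName

def canon(xml, prefix_list=()):
    return exc_c14n(minidom.parseString(xml).documentElement, prefix_list)

def digest(xml, prefix_list=()):
    # SHA-256 is an assumption; the issue does not name the DigestMethod.
    return hashlib.sha256(canon(xml, prefix_list).encode()).hexdigest()
```

A verifier that canonicalizes without the PrefixList computes `digest(SAMPLE)`, while a signer honoring it computed `digest(SAMPLE, ["xs"])`, so the two values never match even though the document is untouched.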