To be honest, I'm not sure if the fact that the Assertion needs to be signed and not the entire response is a SAML 2.0 thing or a limitation of our implementation. I inherited the code and was told (by the original author) that it had to be that way.
Rob Spoor wrote: Odd, I've worked with PicketLink and it works just fine like that. Of course it should also be possible to sign other parts like you do.
Rob Spoor wrote: As I said before, without that namespace declaration the document is not valid XML. That could well be the root of your problems. Make them include it.
I see no mention of "xmlns:saml" in the customer's XML document at all.
Rob Spoor wrote: I take it there is a reference to the saml namespace (xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion")?
Rob Spoor wrote: What happens if you try to validate the response instead of only the assertion? I've so far only seen signatures that refer to the entire response. Of course this would mean that the other side would be incorrectly signing their documents.
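As an added illustration (not code from this thread, and not PicketLink's), a small stdlib-only Python check that makes the two points above concrete: a Response that uses the saml: prefix without declaring xmlns:saml is not well-formed and fails to parse at all, and walking the ds:Reference URIs shows whether a signature covers the whole Response or only the Assertion. The sample documents are constructed; the check does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

def parse_or_report(xml_text):
    """Return (root, None), or (None, error) when the text is not
    well-formed XML, e.g. a saml: prefix used with no xmlns:saml."""
    try:
        return ET.fromstring(xml_text), None
    except ET.ParseError as exc:
        return None, str(exc)

def signed_elements(root):
    """Map each ds:Reference URI to the local name of the element carrying
    the matching ID, so a relying party can see whether the signature
    covers the Response or only an Assertion (None = dangling reference)."""
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    covered = {}
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        covered[uri] = target.tag.split("}")[-1] if target is not None else None
    return covered

def check(xml_text):
    """One-call summary: {'error': msg} or {'signed': {uri: local name}}."""
    root, err = parse_or_report(xml_text)
    return {"error": err} if err else {"signed": signed_elements(root)}

# Constructed sample: only the Assertion is signed (the situation in the thread).
ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="resp-1">
  <saml:Assertion ID="asrt-1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#asrt-1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
# Constructed sample: the whole Response is signed instead.
RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="resp-2">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#resp-2"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="asrt-2"/>
</samlp:Response>"""
# Constructed sample: same as the first, with the xmlns:saml declaration left out.
UNDECLARED = ASSERTION_SIGNED.replace(
    '  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\n', "")
```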