Verifying a signed assertion embedded in a SAMLResponse

Question Votes: 0 Answers: 1

I am using the OpenSAML library and I want to verify a signed assertion (XML signature) that is embedded in an unsigned SAMLResponse. Verification always fails. Is there a way to verify the signed assertion without its parent (the Response)? Or is there another approach?

saml saml-2.0 xml-signature opensaml
1 Answer
1
Vote

The problem here was that when I signed the assertion, the signature's ID reference pointed to the Response rather than the Assertion. So I fixed it by making the signature's ID reference point to the Assertion instead of the Response. See here (page 71, section 5.4.2):

5.4.2 References
SAML assertions and protocol messages MUST supply a value for the ID attribute on the root element of
the assertion or protocol message being signed. The assertion’s or protocol message's root element may
or may not be the root element of the actual XML document containing the signed assertion or protocol
message (e.g., it might be contained within a SOAP envelope).

Signatures MUST contain a single <ds:Reference> containing a same-document reference to the ID
attribute value of the root element of the assertion or protocol message being signed. For example, if the
ID attribute value is "foo", then the URI attribute in the <ds:Reference> element MUST be "#foo"
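As an added illustration of the 5.4.2 rule (this is not code from the question, the answer, or OpenSAML), the check below parses a Response with the Python standard library and reports, for each embedded Assertion, whether its enveloped ds:Signature carries exactly one ds:Reference whose URI is "#" followed by the Assertion's own ID. The namespaces are the standard SAML 2.0 and XML-DSig ones; the IDs, issuer and the signature value are constructed placeholders.

```python
"""Check the ds:Reference URI of each signed SAML Assertion (SAML Core 5.4.2)."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_assertion_references(response_xml):
    """Return one (assertion_id, reference_uri, ok) tuple per Assertion.

    ok is True only if the Assertion carries exactly one enveloped ds:Signature
    whose single ds:Reference URI equals '#' + the Assertion's own ID attribute.
    A signature that references the Response ID (the question's case) fails.
    """
    root = ET.fromstring(response_xml)
    results = []
    for assertion in root.findall("saml2:Assertion", NS):
        assertion_id = assertion.get("ID")
        sigs = assertion.findall("ds:Signature", NS)
        if len(sigs) != 1:
            results.append((assertion_id, None, False))
            continue
        refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS)
        uri = refs[0].get("URI") if len(refs) == 1 else None
        ok = assertion_id is not None and uri == "#" + assertion_id
        results.append((assertion_id, uri, ok))
    return results


# Constructed sample: the signature sits inside the Assertion but references
# the Response ID, which is the misconfiguration described in the answer.
BAD = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml2:Assertion ID="_assert1">
    <saml2:Issuer>https://idp.example.test</saml2:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml2:Assertion>
</saml2p:Response>"""
# Same document with the reference corrected to the Assertion's own ID.
GOOD = BAD.replace('URI="#_resp1"', 'URI="#_assert1"')

if __name__ == "__main__":
    print(check_assertion_references(BAD))   # [('_assert1', '#_resp1', False)]
    print(check_assertion_references(GOOD))  # [('_assert1', '#_assert1', True)]
```

This only checks the reference wiring; the cryptographic verification of the digest and signature value is still done by the signature library after this precondition holds.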