We have a web application which allows SSO authentication using SAML 2.0.
The customer will use their federated server (various flavors) to generate an HTTP Post request with a SAML Response which contains a digitally-signed SAML Assertion.
Our code will take the SAML Assertion and validate the digital signature.
We basically follow the code examples from the following page:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html
Under the section titled "What if the XML Signature Fails to Validate", it states that we can do a couple of things to see what actually failed: the signature, or one (or more) of the reference elements.
In our customer's case, the Signature element has just one Reference element and it is referencing the SAML Assertion element.
The verification check is failing. It states that the signature validates okay, but the reference does not.
Note that the customer and I have double-checked that we have the correct public key certificate associated with the private key certificate they are using to sign the assertion.
I'm not sure what to check at this point. The customer claims that they use their software to connect to dozens of other vendors without any problems and so they feel the problem is on our side.
What can I do to determine why the reference element is not validating?
I did notice one interesting thing when looking at their SAML Assertion: The xmlns attributes are not what we normally get from our other customers. Here is what theirs looks like:
Notice that the Assertion element uses the "saml" namespace, but the xmlns attribute shows "xmlns:xs" instead of "xmlns:saml". Could this be the problem?
If so, is there something that needs to be done to our code (again, we're just using the code as shown by the above referenced Oracle page) to allow us to accept an assertion built this way?
Thanks,
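The following is an added diagnostic example, not code from the question or from the Oracle guide it cites. It applies the two-step check the guide describes (SignatureValue first, then each Reference) to a SAML Response and, for the failing Reference, prints the signed digest, the digest computed locally, the digest method, the transforms, and the exact canonicalized bytes that were digested, which is what you need to compare against the customer's side. The class and method names (`SamlSignatureDiagnostics`, `parse`, `registerIds`, `diagnose`) are my own; the namespace URIs and the `javax.xml.crypto.dsig.cacheReference` / `org.jcp.xml.dsig.secureValidation` context properties are standard JDK XMLDSig values. Only the raw bytes as received should be fed to `parse`: a DOM built by a non-namespace-aware parser, or a document re-serialized (pretty-printed, re-encoded) after receipt, produces a different canonical form and therefore a different digest, and this is the commonest cause of "signature OK, reference fails".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Base64;
import java.util.List;

import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlSignatureDiagnostics {

    private static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Parse the bytes exactly as received: namespace-aware, DTD/entities disabled, never re-serialised. */
    public static Document parse(byte[] samlResponse) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this the DOM's canonical form differs from what was signed
        // A SAML Response never needs a DOCTYPE or external entities; refusing them prevents XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(samlResponse));
    }

    /** Mark saml:Assertion/@ID as an ID attribute so a Reference with URI="#..." can resolve it. */
    public static void registerIds(Document doc) {
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            Element a = (Element) assertions.item(i);
            if (a.hasAttribute("ID")) a.setIdAttribute("ID", true);
        }
    }

    /** Validate the first ds:Signature in the document and return a human-readable report. */
    public static String diagnose(Document doc, PublicKey idpKey) throws Exception {
        registerIds(doc);
        NodeList sigs = doc.getElementsByTagNameNS(DS_NS, "Signature");
        if (sigs.getLength() == 0) return "no ds:Signature element found";
        Element sigEl = (Element) sigs.item(0);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sigEl);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // reject risky transforms/algorithms
        ctx.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); // keep the pre-digest bytes
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        StringBuilder report = new StringBuilder();
        boolean coreValid = sig.validate(ctx);
        report.append("core validation: ").append(coreValid).append('\n');
        if (coreValid) return report.toString();

        // Step 1 (from the Oracle guide): did SignatureValue verify over SignedInfo with this key?
        boolean sv = sig.getSignatureValue().validate(ctx);
        report.append("SignatureValue over SignedInfo: ").append(sv).append('\n');

        // Step 2: for each Reference, compare the digest the IdP signed with the one we compute.
        List<?> refs = sig.getSignedInfo().getReferences();
        for (Object o : refs) {
            Reference ref = (Reference) o;
            boolean refValid = ref.validate(ctx); // must run before getCalculatedDigestValue()
            report.append("Reference URI=").append(ref.getURI()).append(" valid=").append(refValid).append('\n');
            report.append("  digest method: ").append(ref.getDigestMethod().getAlgorithm()).append('\n');
            for (Object t : ref.getTransforms()) {
                report.append("  transform: ").append(((Transform) t).getAlgorithm()).append('\n');
            }
            Base64.Encoder b64 = Base64.getEncoder();
            report.append("  signed digest:     ").append(b64.encodeToString(ref.getDigestValue())).append('\n');
            report.append("  calculated digest: ").append(b64.encodeToString(ref.getCalculatedDigestValue())).append('\n');
            // The canonicalized bytes that were actually digested; diff these against the IdP's copy.
            InputStream canon = ref.getDigestInputStream();
            if (canon != null) {
                report.append("  digested input:\n").append(readAll(canon)).append('\n');
            }
        }
        return report.toString();
    }

    private static String readAll(InputStream in) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }
}
```

Usage is `SamlSignatureDiagnostics.diagnose(SamlSignatureDiagnostics.parse(rawPostBytes), idpCert.getPublicKey())`, where `rawPostBytes` is the Base64-decoded `SAMLResponse` form field. When "SignatureValue over SignedInfo" is true but the Reference is false, the key and SignedInfo are fine and the disagreement is confined to the canonicalized Assertion bytes printed under "digested input"; the transform list shows whether exclusive canonicalization (and its InclusiveNamespaces prefix list) is in play, which is where differing namespace declarations such as the `xmlns:xs` versus `xmlns:saml` observation matter. Keep `secureValidation` on in production, and make sure the Reference URI resolves to the same Assertion element your application goes on to consume, not merely to some signed element somewhere in the document.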