[xmlsec] Verifing signature of SAML XML artifacts that has an ID attribute in it, but I think I should ignore it

James Olsen jamesml at planetolsen.com
Thu May 24 02:18:00 PDT 2007

Hello Aleksey,

I am in need of some assistance determining the proper values to use
when invoking the xmlSecFindNode function call in order to get the
specific node I am looking for.

AS> You can not ignore the ID attribute because it is used to search
AS> the piece of the XML you want to sign...

AS> If you load xml file yourself, then you might try to use xmlAddID()
AS> function (search xmlsec command line utility source code for an
AS> example).

Okay. I did some additional digging into the SAML spec and XML
signatures, at at this URL:

I found this information:

  The first step in specifying coverage with an enveloped signature is
  to include a single Reference element with a URI that directs the
  signature processor to include XML content from within the document
  containing the signature. This can be accomplished either with an
  empty URI ("") or with a fragment identifier ("#1234"). The latter
  syntax requires that it be possible to include special ID attributes
  in the signed element content, but SAML 1.0 does not permit this.
  Therefore an empty reference URI is the only mandatory syntax that
  can be used to indicate the "current document" as the source of

Given the SAML/XML information above, and looking at the sample SAML
artifact I sent in the last post, the 'dsig:Reference' element has a
URI attribute value of '#id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-', which seems
to be a fragment identifier as mentioned above. The element in the
document that has that same ID is the 'saml:Assertion' element. If I
understand things right, I need to pass the 'saml:Assertion' node to
xmlAddID(), correct?

I am loading the XML file myself into memory, and I found some example
code you posted for someone else (called registerID) and implemented
it. If I understand what I need to do correctly, I will find the
appropriate node using xmlSecFindNode() and then pass that node to the
registerID() function.

Again, showing my ignorance, the third parameter to xmlSecFindNode()
appears to be the namespace. I originally thought this would mean the
text before the colon of the element, but as I read the comments in
xmltree.c I see it's supposed to be a href, which I confirmed by
looking at the actual value being passed in the verify3
example. It had value of "http://www.w3.org/2000/09/xmldsig#"

I've tried (all are wild guesses as to the proper values):
 nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "Assertion", NULL );
 nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "saml:Assertion", NULL );
 nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "Assertion", xmlSecDSigNs );
 nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "saml:Assertion", xmlSecDSigNs );

but none of them found the node (nodeReference was null after the

What values should I pass for the element name and namespace
href, or what should I do differently in order to get that node passed
to xmlAddID()?

As an aside, my code, borrowed almost verbatim from the "verify3"
program functions fine with the provided example files and without my
additional code to add this ID. For example, this call to
xmlSecFindNode works just fine, and is immediately above my call to

 node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);

Thank you..


More information about the xmlsec mailing list