[xmlsec] Verifing signature of SAML XML artifacts that has an ID attribute in it, but I think I should ignore it

James Olsen jamesml at planetolsen.com
Thu May 24 14:44:27 PDT 2007

Hello Aleksey,

>>  nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "Assertion", xmlSecDSigNs );

AS> You need to pass *saml* namespace URI.

As obvious as that may seem, I appreciate your answer because it
wasn't obvious to me at the time (looking back at it now it amazes me
that I didn't realize that on my own). I am now using the
'urn:oasis:names:tc:SAML:2.0:assertion' namespace and xmlSecFindNode
found the node. Thank you!

The node I used I passed to RegisterID was:

 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-" IssueInstant="2007-04-24T20:07:36Z">

and I used the attribute name "ID". I assume it is "ID" because that
is the name/case of the attribute in the Assertion element.

Here is the snippet of code:

 nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "Assertion", "urn:oasis:names:tc:SAML:2.0:assertion" );
 if ( nodeReference == NULL ) {
    fprintf(stderr, "Error: reference node not found in passed-in string n=%s ns=%s\n", "Assertion", "urn:oasis:names:tc:SAML:2.0:assertion");
    // eventually they won't be hard coded, but variables, which is
    // why it's set up as a fprintf for now
    goto done;
  RegisterID( nodeReference, "ID" );

Unfortunately it seems to be the wrong node (or I've implemented
things incorrectly). The xmlSecFindNode returned the node, I passed
that to RegisterID which returned a success response (at least on the
first test run of the program, subsequent test runs return
"id already registered" response from RegisterID) but I'm still
getting this error:

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'))

That's the same ID string that is identified in the 'dsig:Reference'
element's URI attribute: '#id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'.

I know this could easily be considered beyond xmlsec, and I am greatly
appreciative of the assistance I've received so far. Please know that
any advice anyone can give is tremendously appreciated.

James Olsen

More information about the xmlsec mailing list