[xmlsec] Verifing signature of SAML XML artifacts that has an ID attribute in it, but I think I should ignore it

Aleksey Sanin aleksey at aleksey.com
Fri May 25 07:42:45 PDT 2007

Send me the document you are trying to sign/verify


James Olsen wrote:
> Hello Aleksey,
>>>  nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "Assertion", xmlSecDSigNs );
> AS> You need to pass *saml* namespace URI.
> As obvious as that may seem, I appreciate your answer because it
> wasn't obvious to me at the time (looking back at it now it amazes me
> that I didn't realize that on my own). I am now using the
> 'urn:oasis:names:tc:SAML:2.0:assertion' namespace and xmlSecFindNode
> found the node. Thank you!
> The node I used I passed to RegisterID was:
>  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
>   ID="id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-" IssueInstant="2007-04-24T20:07:36Z">
> and I used the attribute name "ID". I assume it is "ID" because that
> is the name/case of the attribute in the Assertion element.
> Here is the snippet of code:
>  nodeReference = xmlSecFindNode( xmlDocGetRootElement(doc), "Assertion", "urn:oasis:names:tc:SAML:2.0:assertion" );
>  if ( nodeReference == NULL ) {
>     fprintf(stderr, "Error: reference node not found in passed-in string n=%s ns=%s\n", "Assertion", "urn:oasis:names:tc:SAML:2.0:assertion");
>     // eventually they won't be hard coded, but variables, which is
>     // why it's set up as a fprintf for now
>     goto done;
>   }
>   RegisterID( nodeReference, "ID" );
> Unfortunately it seems to be the wrong node (or I've implemented
> things incorrectly). The xmlSecFindNode returned the node, I passed
> that to RegisterID which returned a success response (at least on the
> first test run of the program, subsequent test runs return
> "id already registered" response from RegisterID) but I'm still
> getting this error:
> func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'))
> That's the same ID string that is identified in the 'dsig:Reference'
> element's URI attribute: '#id-MnmgTQoTKX1-uz1e4IP3cHP-bV0-'.
> I know this could easily be considered beyond xmlsec, and I am greatly
> appreciative of the assistance I've received so far. Please know that
> any advice anyone can give is tremendously appreciated.

More information about the xmlsec mailing list