I am using SAMLMessageSignature.Verify to verify if SAML Request against the Public certificate we have but it is failing when the SAML Response is generated by Liferay.
But SAML Response generated by using SAML2.0 is working. When I check the Response XML they look identical.
I enabled tracing this is what was there in the trace.
Reference Reference#00cbb6a7 hashed with “<a href=“http://www.w3.org/2000/09/xmldsig#sha1” “=””><a href=“http://www.w3.org/2000/09/xmldsig#sha1"”>http://www.w3.org/2000/09/xmldsig#sha1" (SHA1CryptoServiceProvider) has hash value a8b9c395dfe6407e3933660d1ff533677e5b11a3, expected hash value 1e4ea9cddb58c9263282e05f77ce3f1e64cf708b.
How is the hash value generated?
I suspected that Liferay may be introducing some whitespace/manipulating the XML after signing, but Liferay developers are confident that after signing they are not changing the XML.
The differing hash values indicate the XML has been modified after signing.
We use the .NET framework’s SignedXml class for signature verification which includes hash generation.
Please enable SAML trace and send the generated log file to support@componentspace.com mentioning this forum post.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace