Posted to wss4j-dev@ws.apache.org by em...@thecouch.ncsc.mil on 2006/04/26 17:00:18 UTC

Problem verifying SAMLToken signature - Could the WSSAddSAMLToken.build or toSOAPMessage methods potentially modify the SAML Assertion?

Hi all,

I'm currently using the WSS4J library to add a SAMLToken to a SOAP Message. The SAMLToken contains an enveloped signature for the Assertion. This signature is created with the OpenSAML library. Immediately after the Assertion is signed, I add it to the SOAP Message using the WSSAddSAMLToken.build(msg, Assertion) method. Since this method returns a Document, I use your old routine (toSOAPMessage) to convert the Document back to a Message. The problem is that the end-point appliance processing this message is having trouble verifying the SAMLToken signature. The developers of the appliance are convinced that my code is somehow modifying the SAMLToken after it was signed. The only two steps that I can think of that may do that are WSSAddSAMLToken.build or toSOAPMessage, and that is why I'm contacting you to see if you can give me more insight regarding this issue.

My main questions are the following. Could it be possible that the WSSAddSAMLToken.build or toSOAPMessage methods modify the SAML Assertion, therefore invalidating the enveloped signature, when performing the addition/transformation? How can I get around this problem? How can I add the enveloped signature to the SAML Assertion and add it to the SOAP message without invalidating the signature?

I would really appreciate your help.

Thanks!
Emely Martinez
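
A local check for the situation described in this message, as an added example that is not part of the original post and is not WSS4J or OpenSAML code: it signs a constructed SAML 1.x assertion with an enveloped signature using only the JDK's `javax.xml.crypto` API (Java 11 or later), copies it into a SOAP header, and validates the signature in its new position. It runs once with Exclusive and once with Inclusive canonicalization, because Canonical XML 1.0 pulls namespace declarations inherited from ancestor elements into the canonical form of a subtree, so an enclosing envelope can change the digest without any edit to the assertion itself. The class name, key, assertion and envelope are constructed for the example, and the plain DOM import is an assumed stand-in for the step that adds the token.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AssertionEmbedCheck {
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8"))).getDocumentElement();
    }

    // Constructed sample assertion with an enveloped signature over "#_a1", using the given c14n transform.
    static Element signedAssertion(String c14n, PrivateKey key) throws Exception {
        Element a = parse("<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' AssertionID='_a1'/>");
        Reference ref = F.newReference("#_a1", F.newDigestMethod(DigestMethod.SHA256, null),
            List.of(F.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                    F.newTransform(c14n, (TransformParameterSpec) null)), null, null);
        SignedInfo si = F.newSignedInfo(F.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
            (C14NMethodParameterSpec) null), F.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        DOMSignContext ctx = new DOMSignContext(key, a);      // Signature becomes the last child of the assertion
        ctx.setIdAttributeNS(a, null, "AssertionID");         // lets "#_a1" resolve without a schema
        F.newXMLSignature(si, null).sign(ctx);
        return a;
    }

    // Copy the signed assertion into a SOAP header and validate its signature in the new context.
    static boolean validInEnvelope(Element assertion, PublicKey key) throws Exception {
        Element env = parse("<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
            + "<soap:Header/><soap:Body/></soap:Envelope>");
        Element a = (Element) env.getFirstChild().appendChild(env.getOwnerDocument().importNode(assertion, true));
        Node sig = a.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        ctx.setIdAttributeNS(a, null, "AssertionID");
        return F.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();                   // throwaway key for the example
        for (String c14n : List.of(CanonicalizationMethod.EXCLUSIVE, CanonicalizationMethod.INCLUSIVE))
            System.out.println(c14n + " valid in envelope: " + validInEnvelope(signedAssertion(c14n, kp.getPrivate()), kp.getPublic()));
    }
}
```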
