
Re: Working with PingFederate (Was: Re: zxid and shared/distributed filesystems?)



Sampo,
   Attached is a sample SAMLResponse that is triggering the canon issue.
 The zxid XML canon parser is altering the "xmlns:xsi" attribute during
parsing, truncating it and concatenating it with the xsi:type attribute.  It
looks like the digest would calculate correctly otherwise.

Let me know if I can provide further information.

Thanks,
Eric

On Mon, Aug 24, 2009 at 1:30 PM, <sampo@xxxxxxxxxxx> wrote:

> Eric Rybski wrote:
> > Hi Sampo,
> >    I've been digging more deeply into the XML digest issue, and it seems
> > there is one issue in the zxid side.  The "xsi:xsi:type" issue appears to
> > be
> > injected by zxid, as the original message has types correctly declared
> > like:
> >
> > <saml:AttributeStatement
> > xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml:Attribute
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
> Name="Email
> > Address"><saml:AttributeValue *xsi:type="xs:string" xmlns:xsi="
> > http://www.w3.org/2001/XMLSchema-instance"*>demo@localhost
> > </saml:AttributeValue></saml:Attribute>
> > ...
> > </saml:AttributeStatement>
> >
> > The attribute declaration I noted in my last e-mail was extracted from
> the
> > zxid blob log line, not the original XML.  Further study revealed that
> the
> > original XML was correctly formed.
> >
> >    So, when manually correcting this issue in the XML, I now get the
> > expected base64 digest as declared in the original PingFederate
> > SAMLResponse. I compared the result using the following perl scripts to
> > validate the message:
> >
> > # calculate digest of canon blob reported in zxid log
> > perl -MDigest::SHA1 -MMIME::Base64 -e '$s=q{...};
> > $d=Digest::SHA1::sha1($s);
> > warn encode_base64($d);'
> >
> > # independently calculate digest (XML::CanonicalizeXML uses libxml2 to
> > calculate  the canonical representation)
> > perl -MXML::CanonicalizeXML -MDigest::SHA1 -MMIME::Base64 -e '$xpath =
> > q{<XPath>(//. | //@* | //namespace::*)</XPath>}; $xml=q{...};
> > $s=XML::CanonicalizeXML::canonicalize( $xml, $xpath, [], 1, 0 );
> > $d=Digest::SHA1::sha1($s); warn $s; warn encode_base64($d);'
> >
> >    From a cursory study, it appears the issue may be related to namespace
> > parsing in function TXDEC_ELNAME (dec-templ.c).  Perhaps you could
> provide
> > some insight here?  I could send a complete SAMLResponse if you wish to
> > use
> > it for debugging purposes.
>
> Please do. That would be very helpful.
>
> Cheers,
> --Sampo
>
> > Regards,
> > Eric
> >
> >
> > On Sun, Aug 23, 2009 at 9:23 PM, Eric Rybski <rybskej@xxxxxxxxx> wrote:
> >
> >> Sampo,
> >> The digest I independently calculated did match ZXID.  So there must be
> >> something different in the XML they are using to calculate the digest.
> >> I did see a few XML parsing errors in the zxid log, like:
> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
> >> tok(147) in wrong context(292)
> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
> >> tok(147) in wrong context(292)
> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
> >> tok(147) in wrong context(292)
> >> t    zxlib.c:836 zx_dec_unknown_attr zx d Known attribute(xsi:type)
> >> tok(147) in wrong context(292)
> >>
> >> These appeared to have been triggered by elements from the test LDAP
> >> server
> >> (serving the SAML IdP), which looked like the following:
> >> <saml:Attribute Name="Email Address"
> >>
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue
> >> xsi:xsi:type="xs:string">demo@localhost
> >> </saml:AttributeValue></saml:Attribute>
> >>
> >> Note the odd (malformed?) attribute: xsi:xsi:type="xs:string"
> >>
> >> I tried using libxml2 to canonicalize the original XML, and got invalid
> >> attribute and namespace warnings on those attributes.  I've put in a
> >> support
> >> request to Ping for this.
> >>
> >> -Eric
> >>
> >> On Sun, Aug 23, 2009 at 9:00 AM, <sampo@xxxxxxxxxxx> wrote:
> >>
> >>> Eric Rybski wrote:
> >>> > Sampo,
> >>> >     1. Below is my current zxid.conf.  I did not change the default
> >>> value
> >>> > for WANT_SSO_A7N_SIGNED.
> >>> >
> >>> > URL=https://localhost/zxidhlo.pl
> >>> > NICE_NAME=Test 1
> >>> > NOSIG_FATAL=0
> >>> > NAMEID_ENC=0
> >>> > MD_FETCH=0
> >>> > MD_POPULATE_CACHE=0
> >>> >
> >>> > I dug deeply into PingFederate configuration for my SP endpoint, and
> >>> found
> >>> > a
> >>> > Signature Policy property "Always sign the SAML Assertion" which I
> >>> have
> >>> > now
> >>> > enabled.  Not sure why it wasn't already enabled when importing my
> >>> > metadata,
> >>> > but at least now I'm getting a signature.
> >>> >
> >>> > Unfortunately, it looks like I'm still not in the clear.  I'm now
> >>> getting
> >>> > a
> >>> > digest check error:
> >>> > t    zxsig.c:222 zxsig_validate   zx E Message
> >>> > digest(lYrwi9YBLpLU7ZVVyZ2+mIWLka0=) mismatch at
> >>> > sref(#sVce0k5jDJfLg4He6AoG9b.LXKz), canon blob(...)
> >>> > t  zxidsso.c:318 zxid_sigres_map   zx E Bad digest. Canon problem? 3
> >>> >
> >>> >    Is there a way I can review the zxid calculated digest, for
> >>> comparison?
> >>> >  It's not included in the log message.  I've contacted Ping on this
> >>> issue,
> >>>
> >>> The canon blob() has what went into message digest, e.g. sha1. If
> >>> you can get ping to print to the log what they put into the digest
> >>> when creating the signature, you can spot the difference.
> >>>
> >>> Once the difference in canonicalization is found, we can start
> >>> arguing about whose canonicalization is correct. Some of the
> >>> things that typically wreak havoc are convoluted use of XML
> >>> namespaces and namespace prefixes, failure to include namespaces
> >>> that are actually used (this is actually easy to check: paste
> >>> the canon blob into some XML validator and see if it is missing
> >>> namespaces), and superfluous whitespace, line endings, etc.
> >>> I recommend simply omitting all whitespace you can as that increases
> >>> the probability of interoperation significantly.
> >>>
> >>> > as I've tried to independently calculate the digest of the canonical
> >>> XML
> >>> > in
> >>> > Perl, using the reported the blob(...) value, and I also don't match
> >>> the
> >>> > PingFederate SAML response digest.  (So I'm assuming this is a PF
> >>> issue
> >>> at
> >>> > the moment.)
> >>>
> >>> Did the digest match what ZXID calculated?
> >>>
> >>> XML canonicalization is one of the biggest sources of bugs in
> >>> various XML-DSIG implementations. Unfortunately this affects
> >>> SAML interoperability in quite big way.
> >>>
> >>> Cheers,
> >>> --Sampo
> >>>
> >>> > 2.  The SSOCircle IdP metadata is available at:
> >>> > http://idp.ssocircle.com/idp-meta.xml
> >>> >
> >>> > Regards,
> >>> > Eric
> >>> >
> >>> > On Sat, Aug 22, 2009 at 9:07 AM, <sampo@xxxxxxxxxxx> wrote:
> >>> >
> >>> >> Eric Rybski wrote:
> >>> >> >    I'm having an issue getting digital signature validation
> >>> >> > working with a PingFederate IdP instance.  The PF IdP metadata
> >>> (cached
> >>> >> in
> >>> >> > my
> >>> >> > cot/) includes a certificate, the POST SAMLResponse contains a
> >>> >> signature,
> >>> >> > and I have the IdP CA cert in my /var/zxid/pem/ca.pem. But I keep
> >>> >> getting
> >>> >> > errors like:
> >>> >> >
> >>> >> > t  zxidsso.c:559 zxid_sp_sso_finalize zx E SSO warn: assertion not
> >>> >> signed.
> >>> >> > Sigval((null)) (nil)
> >>> >>
> >>> >> Checked your attachments. The assertion really is not signed.
> >>> >>
> >>> >> The SAML spec is unambiguous: if in metadata
> >>> >> SPSSODescriptor/@WantAssertionsSigned is true, then
> >>> >> the IdP MUST sign the Assertion.
> >>> >>
> >>> >> I ship ZXID with WANT_SSO_A7N_SIGNED=1, so unless you have changed
> >>> >> this setting, it would appear that PingFederate is not honouring
> >>> >> this part of the metadata.
> >>> >>
> >>> >> Please check this.
> >>> >>
> >>> >> > I've currently worked around this by setting "NOSIG_FATAL=0" in
> >>> the
> >>> >> > zxid.conf, but this isn't a long-term solution.
> >>> >>
> >>> >> > Overall, other than the above mentioned issues, the library is
> >>> >> > working OK so far with a PingFederate IdP and perfectly with
> >>> >> > ssocircle.com.
> >>> >>
> >>> >> I once had a thread about shipping the ssocircle IdP metadata
> >>> >> with ZXID, but somehow it never happened. Can you share
> >>> >> the ssocircle metadata with me (or the list)?
> >>> >>
> >>> >> Cheers,
> >>> >> --Sampo
> >>> >>
> >>> >> > Thanks,
> >>> >> > Eric
# Original message (POST)
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIEluUmVzcG9uc2VUbz0iTmxnSnc4cUVzV2ctNHJVTUtUbktFZXpYNCIgSXNzdWVJbnN0YW50PSIyMDA5LTA4LTIzVDA2OjQ4OjA0LjI4MloiIElEPSJGakdxa1NNczdZWnNSSlFkc1d0MmdNLl9XVTgiIFZlcnNpb249IjIuMCIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPlBGLURFTU88L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM%2BPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAwOS0wOC0yM1QwNjo0ODowNC4yODJaIiBJRD0icjlydi1JMnI3OFgxSW9uLUVhODE3dXJLWThwIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDpJc3N1ZXI%2BUEYtREVNTzwvc2FtbDpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BDQo8ZHM6U2lnbmVkSW5mbz4NCjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BDQo8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8%2BDQo8ZHM6UmVmZXJlbmNlIFVSST0iI3I5cnYtSTJyNzhYMUlvbi1FYTgxN3VyS1k4cCI%2BDQo8ZHM6VHJhbnNmb3Jtcz4NCjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPg0KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KPC9kczpUcmFuc2Zvcm1zPg0KPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8%2BDQo8ZHM6RGlnZXN0VmFsdWU%2BMTRPVG1UeTZ5SWlKNGVsa0EzUW9WQnFOb0FJPTwvZHM6RGlnZXN0VmFsdWU%2BDQo8L2RzOlJlZmVyZW5jZT4NCjwvZHM6U2lnbmVkSW5mbz4NCjxkczpTaWduYXR1cmVWYWx1ZT4NCmRVNUZqQ08yMVJoTkNZZFlFclBOSGhIQ3V4Ukp1RWJwNkxXdTIyd0k3Z00zQnJ4cWN0UVJWVk85NzlyZ21VVnduV0o5Um5ycE1SUkENClRxcDV1b05xNlNIc2tudnBIaVBXS3FhYzFvVStPUzJqdmtzZTBzU2g5bzFscWYzZmZuUTlsSTgyS1U3SVo1Vllxb2RnYXVCb2djRnANCm9tU1JHYmxSVW5TNGRzVW1hU0E9DQo8L2RzOlNpZ25hdHVyZVZhbHVlPg0KPC9kczpTaWduYXR1cmU%2BPHNhbWw6U3ViamVjdD48c2FtbDpOYW1
lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI%2BdGF0Z2N6PC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJObGdKdzhxRXNXZy00clVNS1RuS0Vlelg0IiBOb3RPbk9yQWZ0ZXI9IjIwMDktMDgtMjNUMDY6NTM6MDQuMjgyWiIgUmVjaXBpZW50PSJodHRwczovL2xvY2FsaG9zdC96eGlkaGxvLnBsP289UCIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90T25PckFmdGVyPSIyMDA5LTA4LTIzVDA2OjUzOjA0LjI4MloiIE5vdEJlZm9yZT0iMjAwOS0wOC0yM1QwNjo0MzowNC4yODJaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vbG9jYWxob3N0L3p4aWRobG8ucGw%2Fbz1CPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAwOS0wOC0yM1QwNjo0ODowNC4yODJaIiBTZXNzaW9uSW5kZXg9InI5cnYtSTJyNzhYMUlvbi1FYTgxN3VyS1k4cCI%2BPHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ%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%2BPHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9Ikxhc3QgTmFtZSI%2BPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI%2BVXNlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBOYW1lPSJGaXJzdCBOYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj5Tb21lPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U%2B

# Original message (SAMLResponse decoded)
<samlp:Response InResponseTo="NlgJw8qEsWg-4rUMKTnKEezX4" IssueInstant="2009-08-23T06:48:04.282Z" ID="FjGqkSMs7YZsRJQdsWt2gM._WU8" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PF-DEMO</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion Version="2.0" IssueInstant="2009-08-23T06:48:04.282Z" ID="r9rv-I2r78X1Ion-Ea817urKY8p" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>PF-DEMO</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#r9rv-I2r78X1Ion-Ea817urKY8p">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>14OTmTy6yIiJ4elkA3QoVBqNoAI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
dU5FjCO21RhNCYdYErPNHhHCuxRJuEbp6LWu22wI7gM3BrxqctQRVVO979rgmUVwnWJ9RnrpMRRA
Tqp5uoNq6SHsknvpHiPWKqac1oU+OS2jvkse0sSh9o1lqf3ffnQ9lI82KU7IZ5VYqodgauBogcFp
omSRGblRUnS4dsUmaSA=
</ds:SignatureValue>
</ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tatgcz</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="NlgJw8qEsWg-4rUMKTnKEezX4" NotOnOrAfter="2009-08-23T06:53:04.282Z" Recipient="https://localhost/zxidhlo.pl?o=P"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotOnOrAfter="2009-08-23T06:53:04.282Z" NotBefore="2009-08-23T06:43:04.282Z"><saml:AudienceRestriction><saml:Audience>https://localhost/zxidhlo.pl?o=B</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2009-08-23T06:48:04.282Z" SessionIndex="r9rv-I2r78X1Ion-Ea817urKY8p"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email Address"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">user@localhost</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Member Status"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Gold</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last Name"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">User</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First Name"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Some</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

# Raw PF msg to canon, digest
perl -MXML::CanonicalizeXML -MDigest::SHA1 -MMIME::Base64 -e '$xpath = q{<XPath>(//. | //@* | //namespace::*)</XPath>}; $xml=q{<saml:Assertion Version="2.0" IssueInstant="2009-08-23T06:48:04.282Z" ID="r9rv-I2r78X1Ion-Ea817urKY8p" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>PF-DEMO</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tatgcz</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="NlgJw8qEsWg-4rUMKTnKEezX4" NotOnOrAfter="2009-08-23T06:53:04.282Z" Recipient="https://localhost/zxidhlo.pl?o=P"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotOnOrAfter="2009-08-23T06:53:04.282Z" NotBefore="2009-08-23T06:43:04.282Z"><saml:AudienceRestriction><saml:Audience>https://localhost/zxidhlo.pl?o=B</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2009-08-23T06:48:04.282Z" SessionIndex="r9rv-I2r78X1Ion-Ea817urKY8p"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email Address"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">user@localhost</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Member Status"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Gold</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last Name"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">User</saml:AttributeValue></saml:Attribute><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First Name"><saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Some</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>}; $s=XML::CanonicalizeXML::canonicalize( $xml, $xpath, [], 1, 0 ); warn $s; $d=Digest::SHA1::sha1($s); warn encode_base64($d); warn "14OTmTy6yIiJ4elkA3QoVBqNoAI="'

# canon blob to digest
perl -MDigest::SHA1 -MMIME::Base64 -e '$s=q{<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r9rv-I2r78X1Ion-Ea817urKY8p" IssueInstant="2009-08-23T06:48:04.282Z" Version="2.0"><saml:Issuer>PF-DEMO</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tatgcz</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="NlgJw8qEsWg-4rUMKTnKEezX4" NotOnOrAfter="2009-08-23T06:53:04.282Z" Recipient="https://localhost/zxidhlo.pl?o=P"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2009-08-23T06:43:04.282Z" NotOnOrAfter="2009-08-23T06:53:04.282Z"><saml:AudienceRestriction><saml:Audience>https://localhost/zxidhlo.pl?o=B</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2009-08-23T06:48:04.282Z" SessionIndex="r9rv-I2r78X1Ion-Ea817urKY8p"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="Email Address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user@localhost</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Member Status" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Gold</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Last Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue></saml:Attribute><saml:Attribute Name="First Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Some</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>}; $d=Digest::SHA1::sha1($s); warn encode_base64($d); warn "14OTmTy6yIiJ4elkA3QoVBqNoAI="'

# zxid blob result (with malformed xmlns:xsi attribute):
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r9rv-I2r78X1Ion-Ea817urKY8p" IssueInstant="2009-08-23T06:48:04.282Z" Version="2.0"><saml:Issuer>PF-DEMO</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tatgcz</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="NlgJw8qEsWg-4rUMKTnKEezX4" NotOnOrAfter="2009-08-23T06:53:04.282Z" Recipient="https://localhost/zxidhlo.pl?o=P"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2009-08-23T06:43:04.282Z" NotOnOrAfter="2009-08-23T06:53:04.282Z"><saml:AudienceRestriction><saml:Audience>https://localhost/zxidhlo.pl?o=B</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2009-08-23T06:48:04.282Z" SessionIndex="r9rv-I2r78X1Ion-Ea817urKY8p"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="Email Address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:xsi:type="xs:string">user@localhost</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Member Status" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:xsi:type="xs:string">Gold</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Last Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:xsi:type="xs:string">User</saml:AttributeValue></saml:Attribute><saml:Attribute Name="First Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:xsi:type="xs:string">Some</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
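The digest re-derivation Eric does with the Perl one-liners above (decode the POSTed SAMLResponse, cut out the Assertion, apply the enveloped-signature and exclusive-c14n transforms, SHA-1 and base64 the result, compare with ds:DigestValue) plus Sampo's "paste the canon blob into a validator" check, as an added Python example. This is not ZXID, PingFederate or the thread's own code; all function names are my own. Its assumptions: the signed subtree is saml:Assertion and that element declares xmlns:saml itself, so the text cut-out is self-contained; the sample response is a constructed, trimmed copy of the one attached to this mail (one attribute, minimal SignedInfo, no SignatureValue), so the DigestValue the IdP declared cannot match the trimmed copy and the script only reports the comparison; and Python's stdlib canonicalizer (C14N 2.0, Python 3.8+) produces the same bytes as Exclusive C14N 1.0 for this input, which holds because there are no comments, no xml:* attributes and no QName-valued content whose prefix must be retained.

```python
"""Re-derive a SAML assertion's ds:Reference digest, as the Perl one-liners
in this thread do, and sanity-check a logged canon blob.  Stdlib only,
Python 3.8+ (needs xml.etree.ElementTree.canonicalize)."""
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def decode_saml_response(form_value: str) -> str:
    """Undo the HTTP-POST binding: form-urlencoding, then base64."""
    return base64.b64decode(urllib.parse.unquote_plus(form_value)).decode("utf-8")

def encode_saml_response(response_xml: str) -> str:
    """Inverse of decode_saml_response; used only to build input."""
    b64 = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return urllib.parse.quote_plus(b64)

def assertion_source(response_xml: str) -> str:
    """Cut <saml:Assertion> out of the Response as text, so the IdP's own
    prefixes and declarations survive.  Assumption: the assertion declares
    xmlns:saml itself (as the PingFederate sample does), so nothing
    inherited from samlp:Response is needed."""
    start = response_xml.index("<saml:Assertion")
    end = response_xml.index("</saml:Assertion>") + len("</saml:Assertion>")
    return response_xml[start:end]

def canonical_assertion(assertion_xml: str) -> str:
    """The Reference's two transforms: drop the enveloped ds:Signature
    subtree (its newlines included), then canonicalise without comments."""
    return ET.canonicalize(assertion_xml, with_comments=False,
                           exclude_tags=[f"{{{DS_NS}}}Signature"])

def reference_digest(assertion_xml: str) -> str:
    """Base64 SHA-1 over the canonical bytes, the form ds:DigestValue uses."""
    canon = canonical_assertion(assertion_xml).encode("utf-8")
    return base64.b64encode(hashlib.sha1(canon).digest()).decode("ascii")

def check_reference(assertion_xml: str) -> dict:
    """Compare our digest with the declared one, and confirm the Reference
    URI names this assertion's ID: a digest over some other element says
    nothing about the assertion the SP is about to trust."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{DS_NS}}}Reference")
    declared = ref.find(f"{{{DS_NS}}}DigestValue").text.strip()
    computed = reference_digest(assertion_xml)
    return {"uri_matches_id": ref.get("URI") == "#" + root.get("ID"),
            "declared": declared, "computed": computed,
            "digest_matches": computed == declared}

def well_formed(canon_blob: str) -> bool:
    """Sampo's quick test: feed the logged canon blob to a parser.  An
    undeclared prefix, or a name like xsi:xsi:type, is rejected."""
    try:
        ET.fromstring(canon_blob)
        return True
    except ET.ParseError:
        return False

# Constructed sample: the page's PingFederate response trimmed to one
# attribute and a minimal SignedInfo.  Attribute order, whitespace and
# namespace declarations are as the IdP emitted them.  The DigestValue is
# the one the IdP declared over the full assertion, so it cannot match this
# trimmed copy; the comparison only shows the mechanics.
SAMPLE_RESPONSE = (
    '<samlp:Response ID="FjGqkSMs7YZsRJQdsWt2gM._WU8" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Assertion Version="2.0" IssueInstant="2009-08-23T06:48:04.282Z"'
    ' ID="r9rv-I2r78X1Ion-Ea817urKY8p" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>PF-DEMO</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n<ds:SignedInfo>\n'
    '<ds:Reference URI="#r9rv-I2r78X1Ion-Ea817urKY8p">\n<ds:Transforms>\n'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\n'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\n'
    '</ds:Transforms>\n<ds:DigestValue>14OTmTy6yIiJ4elkA3QoVBqNoAI=</ds:DigestValue>\n'
    '</ds:Reference>\n</ds:SignedInfo>\n</ds:Signature>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tatgcz</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData InResponseTo="NlgJw8qEsWg-4rUMKTnKEezX4"'
    ' NotOnOrAfter="2009-08-23T06:53:04.282Z" Recipient="https://localhost/zxidhlo.pl?o=P"/>'
    '</saml:SubjectConfirmation></saml:Subject>'
    '<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">'
    '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email Address">'
    '<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    'user@localhost</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>'
)

# Trimmed from the canon blob zxid logged (the last block on this page): the
# xmlns:xsi declaration is gone and the attribute name reads xsi:xsi:type.
ZXID_CANON_BLOB = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r9rv-I2r78X1Ion-Ea817urKY8p">'
    '<saml:AttributeStatement><saml:Attribute Name="Email Address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
    '<saml:AttributeValue xsi:xsi:type="xs:string">user@localhost</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)

if __name__ == "__main__":
    a7n = assertion_source(decode_saml_response(encode_saml_response(SAMPLE_RESPONSE)))
    print(canonical_assertion(a7n))
    print(check_reference(a7n))
    print("zxid canon blob well-formed:", well_formed(ZXID_CANON_BLOB))
```

Run it and the printed canonical form shows the three things the thread is about: attributes re-sorted (ID, IssueInstant, Version), the unused xmlns:xs on AttributeStatement dropped while xmlns:xsi is emitted on the AttributeValue that actually uses it, and the empty SubjectConfirmationData expanded to an explicit end tag; the zxid blob is rejected by the parser because xsi is never declared. Two caveats for anyone turning this into a verifier: use a real Exclusive C14N 1.0 implementation (libxml2, as Eric's XML::CanonicalizeXML does, or xmlsec) rather than the stdlib C14N 2.0 writer, and remember that a matching Reference digest is only half of the check; the RSA signature over the canonicalized SignedInfo still has to verify against the IdP certificate from metadata, and an unsigned assertion must be rejected outright when WantAssertionsSigned is set, which is the first problem this thread hit.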