user235273

How to validate signature successfully when there are two id attributes in an assertion node?

I have the SAML v2 XML below. The signature validation fails as there are two ID attributes in the Assertion node. The ID attribute has the wrong value, and the value pointed to by the Reference URI is in the Id attribute. Sample below.

<?xml version="1.0"?>
<samlp:Response ID="gbfgoeahcoefemndehmcoeepmpdckdingbafamcb" IssueInstant="2017-08-23T04:44:36Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion ID="fmcpoegiimapenheggdpjojncbljphgcnoalogap" Id="pfx1af01d88-2006-0901-3fa4-c54a400fad3c" IssueInstant="2017-08-23T04:44:36Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>example.com</Issuer>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2017-08-23T04:54:36Z" Recipient="https://www.example.com/saml/endpoint"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2017-08-23T04:39:36Z" NotOnOrAfter="2017-08-23T04:54:36Z">
            <AudienceRestriction>
                <Audience>https://www.example.com</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2017-08-23T04:44:36Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
                <AuthenticatingAuthority>foobarbaz</AuthenticatingAuthority>
            </AuthnContext>
        </AuthnStatement>
        <AttributeStatement>
            <Attribute Name="random">
                <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#pfx1af01d88-2006-0901-3fa4-c54a400fad3c">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>P4pZAc2fLYvaf92FrVGdgYKcBww=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>tdzLY9Gem64Va9urGwqwvP3G6TjEtEy6Ely+8/D7RQuAFAiy6jcX4bsUwh7zhzoV+Thg8hhjzXBpqSSmDnBhsl6GSMAnAvAelF/eDlQk0+/wH+USYBTD8gvzvxZiB5GU8EgF7F5lLzzof+YrAQ0Zg/TSewdkiNJFLvXSI1Kw5E7lmlTgFv75Myn7kdgFs115JjrIfLcuMePlw20I51CHQK/Fy4S+nqQsJEzT8nYZ0AM6iTUo8zOduLN7DpHn0yK2HNnKXFzCT6o9CGxtcOe+xxo4rL71YFiiGTxh/tk0qWELOeEk3MM4DPyO1qIJ3UNxqX22VGLVmSwTsa/9DKKhcA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
    </Assertion>
</samlp:Response>

As we can see, there are two IDs. I am using OpenSAML v3, and it gives a cryptographic signature validation failure. I tried various methods, like setting (.setID assertion "pfx1af01d88-2006-0901-3fa4-c54a400fad3c") before signature validation, but it fails.

My main code is in Clojure. I am prototyping in Groovy as well. See the Groovy script below.

import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.crypto.dsig.XMLSignature
import javax.xml.crypto.dsig.XMLSignatureFactory
import javax.xml.crypto.dsig.dom.DOMValidateContext
import org.w3c.dom.Element

// Assumed script inputs: `xml` is the SAML Response above as a String,
// `key` is the IdP's java.security.PublicKey used to verify the signature.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
db = dbf.newDocumentBuilder();
ByteArrayInputStream bis = new ByteArrayInputStream(xml.getBytes("UTF-8"));
doc = db.parse(bis);
// namespace-aware lookup, so it does not depend on the "ds" prefix used in the document
nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

DOMValidateContext ctx = new DOMValidateContext(key, nl.item(0));
println nl.item(0).getParentNode().toString()
// The Reference URI "#pfx..." points at the Assertion's Id attribute; the parser does not
// know that attribute is of type ID (no schema/DTD), so register it before unmarshalling.
ctx.setIdAttributeNS((Element) nl.item(0).getParentNode(), null, "Id");

XMLSignatureFactory sigF = XMLSignatureFactory.getInstance("DOM");
XMLSignature xmlSignature = sigF.unmarshalXMLSignature(ctx);

println xmlSignature.validate(ctx)  // returns false

This validation succeeds when using C#, but it is not working in Java. Please help.

Upvotes: 0

Views: 582
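An added example, not code from the question or from OpenSAML, showing how a relying party would validate this enveloped Assertion signature with Java's JSR 105 API: it registers the non-schema Id attribute as an ID so the "#pfx..." Reference resolves, pins the IdP key instead of trusting the message's KeyInfo, checks that the single Reference points at the Assertion being validated, and, on failure, reports whether the digest or the SignatureValue is what failed. The class name, `verifyAssertion` and `idpKey` are assumed names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SamlAssertionSigCheck {
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // xml: the SAML Response text; idpKey: the IdP's pinned public key from your own
    // trust store (assumed input; never taken from the message's KeyInfo).
    public static boolean verifyAssertion(String xml, PublicKey idpKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML_NS, "Assertion").item(0);
        if (assertion == null) return false;
        Element sig = (Element) assertion.getElementsByTagNameNS(DSIG_NS, "Signature").item(0);
        // the signature must be a direct child of the Assertion it envelopes
        if (sig == null || sig.getParentNode() != assertion) return false;
        // Register both attributes as type ID so "#pfx..." resolves without a schema or DTD.
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(idpKey), sig);
        ctx.setIdAttributeNS(assertion, null, "ID");
        ctx.setIdAttributeNS(assertion, null, "Id");
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature xmlSig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        // Exactly one Reference, and it must point at this Assertion (a basic guard against signature wrapping).
        if (xmlSig.getSignedInfo().getReferences().size() != 1) return false;
        Reference ref = (Reference) xmlSig.getSignedInfo().getReferences().get(0);
        String uri = ref.getURI();
        if (uri == null || !uri.startsWith("#")) return false;
        String target = uri.substring(1);
        if (!target.equals(assertion.getAttribute("ID")) && !target.equals(assertion.getAttribute("Id"))) return false;
        boolean ok = xmlSig.validate(ctx);
        if (!ok) { // tell a digest mismatch (content/canonicalization) apart from a bad SignatureValue (key)
            System.err.println("SignatureValue valid: " + xmlSig.getSignatureValue().validate(ctx));
            System.err.println("Reference digest valid: " + ref.validate(ctx));
        }
        return ok;
    }
}
```

If the digest check fails but the SignatureValue check passes, the bytes being canonicalized differ from what the IdP signed (whitespace, namespace or transform differences), not the key.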

Answers (1)

user235273

I did manual XML-DSIG verification.

Upvotes: 0
