SAML getting Signature Reference URI did not resolve to the expected parent Element

Question

In Spring SAML I am getting success response from IDP, but while validating the SAML response I am getting the exception Signature Reference URI '#JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ' did not resolve to the expected parent Element. I am not getting what is the issue in the response is it because of the response or in spring SAML whether I need to do any configuration. Please find the below exception and the SAML response.

   2021-07-13 20:38:22,661 DEBUG [BaseSAMLSimpleSignatureSecurityPolicyRule] HTTP request was not signed via simple signature mechanism, skipping
    2021-07-13 20:38:22,661 ERROR [SAMLSignatureProfileValidator] Signature Reference URI '#JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ' did not resolve to the expected parent Element
    2021-07-13 20:38:22,663 DEBUG [SAMLProtocolMessageXMLSignatureSecurityPolicyRule] Protocol message signature failed signature pre-validation
    org.opensaml.xml.validation.ValidationException: Signature Reference URI did not resolve to the expected parent Element
            at org.opensaml.security.SAMLSignatureProfileValidator.validateReferenceURI(SAMLSignatureProfileValidator.java:159)
            at org.opensaml.security.SAMLSignatureProfileValidator.validateSignatureImpl(SAMLSignatureProfileValidator.java:84)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:56)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:42)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.performPreValidation(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:164)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:105)
            at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
            at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
            at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
            at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
            at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
            at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
            at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
            at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:748)
    2021-07-13 20:38:22,670 DEBUG [SAMLProcessingFilter] Incoming SAML message is invalid
    org.opensaml.ws.security.SecurityPolicyException: Protocol message signature failed signature pre-validation
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.performPreValidation(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:167)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:105)
            at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
            at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
            at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
            at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
            at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
            at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
            at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
            at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
            at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
            at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:748)
    Caused by: org.opensaml.xml.validation.ValidationException: Signature Reference URI did not resolve to the expected parent Element
            at org.opensaml.security.SAMLSignatureProfileValidator.validateReferenceURI(SAMLSignatureProfileValidator.java:159)
            at org.opensaml.security.SAMLSignatureProfileValidator.validateSignatureImpl(SAMLSignatureProfileValidator.java:84)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:56)
            at org.opensaml.security.SAMLSignatureProfileValidator.validate(SAMLSignatureProfileValidator.java:42)
            at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.performPreValidation(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:164)
            ... 49 more

SAML Response recieved is:

<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://10.11.4.96:8071/testapp/saml/SSO" ID="JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ" InResponseTo="testapp" IssueInstant="2021-07-13T15:08:21.831Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
         <ds:Reference URI="#JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>zTgjwhpc8z+68RkAkrX0CS0kQXA=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>JeiDJJRN0P+FnHOPqmpVjX50+/GwAJcTsqXQ3KTmveOpiW7RZKVpuGFTeO/bPredy/6imXBCM8vHtiVEnsre5C3qkS1QawGq7Da2SIEtn6pFxe8nDvl/F1mecEu/JtyPf+lwIAgp0r74fA+12MrTS/v7sUBA473gCtVdCQUFxXcpSRTCXdKWwZrPDyht/8RHkfWiKmq6Xr+VzxgjPP/X/sXl0AKnaCBQafOYyrbeTltCseUtvPP2rDkgTp7Shiw/mWLoynAJhQ0TmJBPsx+gDkyB5xPLB4ozyjuRfElhe3yWr1rGX0VkN/O5VgL1BB5Y8ECpFHiVPotlsb72/7nQlg==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIIF8DCCBNqgAwIBAgIEAPhxijALBgkqhkiG9w0BAQswgY4xCzAJBgNVBAYTAklOMSowKAYDVQQKEyFlTXVkaHJhIENvbnN1bWVyIFNlcnZpY2VzIExpbWl0ZWQxHTAbBgNVBAsTFENlcnRpZnlpbmcgQXV0aG9yaXR5MTQwMgYDVQQDEytlLU11ZGhyYSBTdWIgQ0EgZm9yIENsYXNzIDEgSW5kaXZpZHVhbCAyMDE0MB4XDTE5MDEzMTA5MTQzNFoXDTIyMDEzMDA5MTQzNFowgdgxCzAJBgNVBAYTAklOMRgwFgYDVQQKEw9lTXVkaHJhIExpbWl0ZWQxHTAbBgNVBAsTFENlcnRpZnlpbmcgQXV0aG9yaXR5MQ8wDQYDVQQREwY1NjAxMDMxEjAQBgNVBAgTCUthcm5hdGFrYTFJMEcGA1UEBRNAODFkN2NjNjlkNTdhOGU4ZWNmZjg3MDRmMTNhMWE0NjUwMjYwZjNlYzRhYTI1ZDAzNTU2ZTQ3M2I0ZTAzMzMzZDEgMB4GA1UEAhdfhgsafdhfsahfdhsgfhdsatBgZggmRkAgEwIzAhBggrBgEFBQcCAjAVGhNDbGFzcyAxIENlcnRpZmljYXRlMFAGB2CCZGQBCAIwRTBDBggrBgEFBQcCARY3aHR0cDovL3d3dy5lLW11ZGhyYS5jb20vcmVwb3NpdG9yeS9jcHMvZS1NdWRocmFfQ1BTLnBkZjB6BggrBgEFBQcBAQRuMGwwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmUtbXVkaHJhLmNvbTBEBggrBgEFBQcwAoY4aHR0cDovL3d3dy5lLW11ZGhyYS5jb20vcmVwb3NpdG9yeS9jYWNlcnRzL0MxU0NBMjAxNC5jcnQwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL3d3dy5lLW11ZGhyYS5jb20vcmVwb3NpdG9yeS9jcmxzL0MxU0NBMjAxNC5jcmwwCwYJKoZIhvcNAQELA4IBAQAnIl1Un14pCfR0xv0iimPl1CFS8WocyDsp7Kbkofq5nTDgnYHyY+s+cjIIp5V0Yo1IEMK3abtl5HryjczRZ6yNtdcJsRmFz2s4wpA4PrjhOw8h8d8MRVc3AfmKGLRi0Y37RtGCieAcDSsZFrDn0SGphzkKmE4otbJhXwdioSiNWFh84bykzUtrr8YFGN+idjrFf5OiMeSCoN31ThAr3X70A1mc5x2c3k91WJQKuIQswwz+LtLKq2kLLQ4syRI0jlqcz+P+qfJWn7py7jU09txey2AuSndBNVWNhD+dNoRvKXnj6YW1uTBvVDFI5nnsoRqroLqaxbx4Ek4umXxwmK3D</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      <saml2p:StatusMessage>accessGranted</saml2p:StatusMessage>
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ" IssueInstant="2021-07-13T15:08:21.831Z" Version="2.0">
      <saml2:Issuer>IDP01</saml2:Issuer>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">admin</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="testapp" NotOnOrAfter="2021-07-13T15:23:21.831Z" Recipient="testapp"/>
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotOnOrAfter="2021-07-13T15:23:21.831Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>testapp</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2021-07-13T15:08:21.831Z" SessionIndex="JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ" SessionNotOnOrAfter="2021-07-13T15:23:21.831Z">
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef/>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
         <saml2:Attribute Name="app_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testapp</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin.m@test.com</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="access_mode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">write</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="user_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml2:AttributeValue>
         </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>  

Answer 1

You are getting exception in validation of Reference URI of xml signature. The rule for validation is that if reference uri is not null ( which in your case is not null- #JJl4B32SXAqLfdR2R0mkYN-yLimsrLWVGHmHIvEcpuQ then it has to be a reference to local document fragment and point to the SAMLObject parent via the latter's ID attribute value

If you can have a debugger attached then you can see why it is failing in below method of class SAMLSignatureProfileValidator. Your app is failing at the last code block of this method.

When I test my local setup with SSO Circle as SAML IdP - it passes the validation successfully ( see debugger screenshot). Both the object references are same ( id=531)

protected void validateReferenceURI(String uri, SignableSAMLObject signableObject) throws ValidationException {
        String id = signableObject.getSignatureReferenceID();
        validateReferenceURI(uri, id);
        
        if (DatatypeHelper.isEmpty(uri)) {
            return;
        }
        
        String uriID = uri.substring(1);
        
        Element expected = signableObject.getDOM();
        if (expected == null) {
            log.error("SignableSAMLObject does not have a cached DOM Element.");
            throw new ValidationException("SignableSAMLObject does not have a cached DOM Element.");
        }
        Document doc = expected.getOwnerDocument();
        
        Element resolved = IdResolver.getElementById(doc, uriID);
        if (resolved == null) {
            log.error("Apache xmlsec IdResolver could not resolve the Element for id reference: {}", uriID);
            throw new ValidationException("Apache xmlsec IdResolver could not resolve the Element for id reference: "
                    +  uriID);
        }
        
        if (!expected.isSameNode(resolved)) {
            log.error("Signature Reference URI '{}' did not resolve to the expected parent Element", uri);
            throw new ValidationException("Signature Reference URI did not resolve to the expected parent Element");
        }
    }

Answer 2

in opensaml santuario is used to search the current Document for an Element matching the requested Id in certain "known" namespaces (e.g. SOAP Message Security) so from Apache XML Security for Java 1.5.0 you actually need to point to Node which you want to parse something like this -- NodeName.removeAttributeNS(null, "ID"). After pointing to the node reference error will not occur.

Answer 3

In SAML response as the id was same everywhere this was the cause for the exception. SO, after changing SAML response id, assertion id, session index to different values exception got resolved, may be because of which SAML response parsing was not getting conflict.