
mace-opensaml-users - signed SAMLRequest in SOAPMessage

Subject: OpenSAML user discussion

  • Subject: signed SAMLRequest in SOAPMessage
  • Date: Fri, 24 Apr 2009 11:27:16 -0400 (EDT)

Hi,

I am developing a webservice that accepts a SAMLRequest as input and returns
a SAMLResponse as output to deliver secureTokens (as SAMLAssertions).
The SAMLRequest in the input needs to be signed.
Generating the signature on clientside and verifying it on serverside is
easily done with the opensaml API.
The problem is when I use a JAX-RPC webserviceclient to send the request to
the webservice (the webservice needs to be callable from different clients).
When it puts the request into the SOAPBody, it uses a different namespace prefix
than the one that was set in the original request document when it was signed.

When I print out the opensaml SAMLRequest before it is sent, I have this:
<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...

The webservice client puts this in the body:
<samlp:Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...

which is also valid XML, but the signature on the samlRequest is now broken
(samlRequest.verify() on the server side throws an exception).

Have you guys stumbled on this problem before?
How to deal with namespace prefixes in signed samlRequests?
Is there anything I should do on clientside/serverside before
signing/verifying?
I think I can work around this by defining as input of my webmethod a simple
String in my wsdl instead of the saml request element of the saml protocol
schema, but if possible, I want my interface to clearly define that it only accepts
SAMLRequests.

Kind regards,

Frederik
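To see why the re-prefixed element can no longer verify, here is an added Python example (not from the original post, and not OpenSAML code) that models the part of Exclusive XML Canonicalization an XML Signature digests: the element's qualified name exactly as written, plus only the visibly used namespace declarations, in sorted order. The SAML fragments, attribute values and the extra soapenv declaration are constructed, and sha256 stands in for the signature's DigestMethod.

```python
import hashlib
from xml.dom import minidom

XMLNS_URI = "http://www.w3.org/2000/xmlns/"

def exc_c14n_element(xml_text: str) -> str:
    """Simplified model of Exclusive XML Canonicalization for one childless element.

    Keeps the rules that matter here: the qualified name is emitted exactly as
    written (prefix included), only namespace declarations *visibly used* by the
    element or its attributes survive, and everything is emitted in sorted order.
    A teaching model, not a full C14N implementation (no children, no escaping).
    """
    el = minidom.parseString(xml_text).documentElement
    declared = {}  # declared prefix ("" = default namespace) -> namespace URI
    attrs = []     # ordinary, non-xmlns attributes
    for a in el.attributes.values():
        if a.namespaceURI == XMLNS_URI:
            declared["" if a.name == "xmlns" else a.localName] = a.value
        else:
            attrs.append(a)
    # Visibly used prefixes: the element's own prefix plus those of its attributes.
    used = {el.prefix or ""} | {a.prefix for a in attrs if a.prefix}
    out = ["<" + el.tagName]
    for prefix, uri in sorted((p, declared[p]) for p in used if p in declared):
        out.append(f' {"xmlns:" + prefix if prefix else "xmlns"}="{uri}"')
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(f' {a.name}="{a.value}"')
    out.append(f"></{el.tagName}>")
    return "".join(out)

def digest(xml_text: str) -> str:
    """DigestValue a signature would carry (sha256 stands in for the DigestMethod)."""
    return hashlib.sha256(exc_c14n_element(xml_text).encode()).hexdigest()

def signature_still_valid(signed_form: str, received_form: str) -> bool:
    """Reference check: does the received serialization still digest to what was signed?"""
    return digest(signed_form) == digest(received_form)

# Constructed samples: the client's signed form and two transport re-serializations.
SIGNED = ('<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"'
          ' xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
          ' xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"'
          ' RequestID="_req1" IssueInstant="2009-04-24T15:27:16Z"/>')
REPREFIXED = SIGNED.replace("<Request ", "<samlp:Request ")  # what JAX-RPC produced
REORDERED = ('<Request IssueInstant="2009-04-24T15:27:16Z" RequestID="_req1"'
             ' xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
             ' xmlns="urn:oasis:names:tc:SAML:1.0:protocol"/>')  # unused decls changed only
```

Adding, dropping or reordering unused declarations leaves the digest intact, but moving the signed element from the default namespace to the samlp prefix changes the canonical bytes, so the verifier is right to reject it: the signed element has to reach the verifier exactly as serialized at signing time (for instance carried as an opaque string), or be signed by the party that does the final serialization.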


