mace-opensaml-users - signed SAMLRequest in SOAPMessage
Subject: OpenSAML user discussion
- Subject: signed SAMLRequest in SOAPMessage
- Date: Fri, 24 Apr 2009 11:27:16 -0400 (EDT)
Hi,
I am developing a web service that accepts a SAMLRequest as input and returns
a SAMLResponse as output to deliver secure tokens (as SAMLAssertions).
The SAMLRequest in the input needs to be signed.
Generating the signature on the client side and verifying it on the server side is
easily done with the OpenSAML API.
The problem is when I use a JAX-RPC web service client to send the request to
the web service (the web service needs to be callable from different clients).
When it puts the request into the SOAPBody, it uses another namespace prefix
than the one that was set in the original request document when it was signed.
When I print out the OpenSAML SAMLRequest before it is sent, I have this:
<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...
The web service client puts this in the body:
<samlp:Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ...
which is also valid XML, but the signature on the samlRequest is now broken
(samlRequest.verify() on the server side throws an exception).
Have you guys stumbled on this problem before?
How to deal with namespace prefixes in signed samlRequests?
Is there anything I should do on the client side/server side before
signing/verifying?
I think I can work around this by defining as input of my web method a simple
String in my WSDL instead of the SAML request element of the SAML protocol
schema, but, if possible, I want my interface to clearly define that it only accepts
SAMLRequests.
Kind regards,
Frederik
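The breakage described in the post, reproduced with the JDK's built-in XML-DSig API as an added example (not code from the post or from OpenSAML): a SAML 1.x Request carrying the default namespace plus an unused samlp binding is signed, then the element is renamed to samlp:Request without changing its namespace URI. Both inclusive and Exclusive C14N keep the prefix in the canonical octets, so the reference digest no longer matches and the second verify returns false; the RequestID value, child element and key setup are constructed for the example.

```java
import java.io.StringReader;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class PrefixBreaksSignature {
    static final String SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Parse namespace-aware and register RequestID as an ID attribute so "#_req1" can be dereferenced.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        d.getDocumentElement().setIdAttribute("RequestID", true);
        return d;
    }
    // Enveloped signature over the Request element (constructed setup, not OpenSAML's signing code).
    static void sign(Document d, PrivateKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_req1", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(key, d.getDocumentElement()));
    }
    // Core validation of the ds:Signature; false means a digest or signature value mismatch.
    static boolean verify(Document d, PublicKey key) throws Exception {
        Node sig = d.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like the Request in the post: default namespace on the element,
        // samlp bound to the same URI but not used on the element itself.
        Document doc = parse("<Request xmlns=\"" + SAMLP + "\" xmlns:samlp=\"" + SAMLP
            + "\" RequestID=\"_req1\"><AttributeQuery/></Request>");
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        sign(doc, kp.getPrivate());
        System.out.println("as signed:      " + verify(doc, kp.getPublic()));
        // What the JAX-RPC client did: same element, same namespace URI, only the prefix changes.
        Element e = (Element) doc.renameNode(doc.getDocumentElement(), SAMLP, "samlp:Request");
        e.setIdAttribute("RequestID", true);
        System.out.println("prefix changed: " + verify(doc, kp.getPublic()));
    }
}
```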
- signed SAMLRequest in SOAPMessage, frederik . libert, 04/24/2009
- Re: [OpenSAML] signed SAMLRequest in SOAPMessage, Chad La Joie, 04/24/2009
- Re: [OpenSAML] signed SAMLRequest in SOAPMessage, Xavier Drudis Ferran, 04/24/2009
- RE: [OpenSAML] signed SAMLRequest in SOAPMessage, Scott Cantor, 04/24/2009