My application creates a SAML Assertion SOAP header and creates the SOAP request; it sends the request to the Platform application before sending the request out to the server. In the platform, the SOAP request is deserialized for additional processing and then serialized. The problem arises because the SAML Assertion prefix namespace scope changed, which fails SAML validation on the server side.

Input to Platform application:

<SOAPEnvelope>
    <saml2:Assertion xmlns:saml2="urn::oasis:saml:2.0::assertion"/>
</SOAPEnvelope>

I expect the output to be exactly the same as the input, but in fact it is the following:

<SOAPEnvelope xmlns:saml="urn::oasis:saml:2.0::assertion">
    <saml:Assertion />
</SOAPEnvelope>

This is caused by the different XML serializers used in the different applications. My application uses the OpenSAML lib to create the SAML Assertion element, whereas the Platform uses a customized JAXB SOAP serializer.

I know there are ways to keep the XML prefix the same, but is there any way that I could keep the SAML namespace scope the same as well?

Jialun Liu
  • Those two XML snippets are semantically identical. You cannot in general compare XML that has traversed multiple systems as text, you need to use an XML-aware tool or transform both files into some canonical form. – Jim Garrison May 22 '18 at 02:43
  • Please read the [following answer](https://stackoverflow.com/questions/50298659/how-to-send-jaxb-xmlattribute-data-without-java-double-quotes/50300327#50300327) by @MichaelKay. Basically, you should not care. If you do, there's something seriously wrong with the way you process XML. It must not matter how namespaces are declared. – lexicore May 22 '18 at 06:16
  • @lexicore Yes, normally I should not care, but unfortunately, a SAML Assertion is a signed document; even the slightest change would cause the validation to fail. Based on your answer, it seems like it is just not possible to achieve identical SOAP deserialization/serialization through multiple systems. That is fine as well, I will just have to find another way to generate the SAML Assertion. – Jialun Liu May 24 '18 at 06:25
  • @JialunLiu OK, I understand. It may not be impossible, but doing so you'll most probably rely on internals of tools. – lexicore May 24 '18 at 06:56
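
Added example, not part of the question or its comments: a check for whether a re-serialized envelope still has the same canonical form, which is what a signature digest is computed over. It uses the Python standard library's C14N 2.0 as a stand-in, on the assumption that the signature's canonicalization likewise emits a namespace declaration where the prefix is used and never renames prefixes (true of Exclusive C14N); `declared_prefixes` and `diagnose` are hypothetical helper names and the samples are constructed from the question's snippets.

```python
import io
import xml.etree.ElementTree as ET

NS = "urn::oasis:saml:2.0::assertion"  # namespace URI exactly as written in the question

# Constructed samples modelled on the question's snippets.
SENT = f'<SOAPEnvelope><saml2:Assertion xmlns:saml2="{NS}"/></SOAPEnvelope>'
# Declaration moved up to the envelope, prefix kept.
HOISTED = f'<SOAPEnvelope xmlns:saml2="{NS}"><saml2:Assertion/></SOAPEnvelope>'
# Declaration moved up and prefix renamed, as in the question's actual output.
RENAMED = f'<SOAPEnvelope xmlns:saml="{NS}"><saml:Assertion/></SOAPEnvelope>'


def declared_prefixes(xml_text):
    """Map each namespace URI to the prefix the document binds to it."""
    source = io.BytesIO(xml_text.encode("utf-8"))
    events = ET.iterparse(source, events=("start-ns",))
    return {uri: prefix for _, (prefix, uri) in events}


def diagnose(before, after):
    """Say whether re-serialization changed the canonical form, and why."""
    # canonicalize() writes xmlns declarations on the first element that
    # uses the prefix, so the scope of the declaration does not matter.
    if ET.canonicalize(before) == ET.canonicalize(after):
        return "canonical form unchanged"
    old, new = declared_prefixes(before), declared_prefixes(after)
    renamed = sorted(
        f"{old[uri]}->{new[uri]}"
        for uri in old
        if uri in new and old[uri] != new[uri]
    )
    if renamed:
        # Prefixes are part of the canonical bytes, so a digest would differ.
        return "prefix renamed: " + ", ".join(renamed)
    return "content changed"


if __name__ == "__main__":
    print(diagnose(SENT, HOISTED))
    print(diagnose(SENT, RENAMED))
```

Run against the two serializers' real output, this separates a declaration that merely moved to an ancestor from a prefix that was rewritten.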

0 Answers