I am working with Spring SAML and I have problem consuming SAML assertion (sample assertion from Wikipedia article
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
Version="2.0"
IssueInstant="2004-12-05T09:22:05">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05"
NotOnOrAfter="2004-12-05T09:27:05">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00"
SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
FriendlyName="eduPersonAffiliation">
<saml:AttributeValue
xsi:type="xs:string">member</saml:AttributeValue>
<saml:AttributeValue
xsi:type="xs:string">staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
I am getting errors from XML validation. The errors come even when I perform schema validation from IDE (Intelij IDEA tools->XML Actions->Validate)
It looks like xml schema in xenc-schema.xsd is not valid (should have inlcude rather than import). This code comes from xmltooling-1.4.4.jar library (latest version).
Is this bug in Spring SAML or xmltooling schema files, or am I doing something wrong?
My business case is identity-provider-initiated SSO.
As described in https://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding, point
5. Request the Assertion Consumer Service at the SP
I am consuming SAML assertion in POST request (body contains SAMLResponse=
Bellow all errors
<...>xmltooling-1.4.4.jar!schemaxmldsig-core-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute,
'http://www.w3.org/2000/09/xmldsig#', of an element
information item must be identical to the targetNamespace attribute,
'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.
<...>xmltooling-1.4.4.jar!schemaxenc-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute,
'http://www.w3.org/2001/04/xmlenc#', of an element
information item must be identical to the targetNamespace attribute,
'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.
<...>opensaml-2.6.4.jar!schemasaml-schema-assertion-2.0.xsd Error:(34, 48) src-resolve: Cannot resolve the name
'xenc:EncryptedData' to a(n) 'element declaration' component.
Error:(46, 56) src-resolve: Cannot resolve the name 'ds:Signature' to
a(n) 'element declaration' component.
<...>wikipediaExample.xml Error:(11, 59) cvc-complex-type.2.4.a: Invalid content was found starting with element 'ds:Signature'. One of
'{"urn:oasis:names:tc:SAML:2.0:assertion":Subject,
"urn:oasis:names:tc:SAML:2.0:assertion":Conditions,
"urn:oasis:names:tc:SAML:2.0:assertion":Advice,
"urn:oasis:names:tc:SAML:2.0:assertion":Statement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthnStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthzDecisionStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AttributeStatement}' is
expected. Error:(11, 77) cvc-complex-type.2.3: Element 'ds:Signature'
cannot have character [children], because the type's content type is
element-only. Error:(11, 77) cvc-complex-type.2.4.b: The content of
element 'ds:Signature' is not complete. One of
'{"http://www.w3.org/2000/09/xmldsig#":SignedInfo}' is expected.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…