Signed XML fragment portability - including namespaces

EDN Admin

I want to include signed SAML assertions in SOAP headers for a communication design we are developing. In basic tests, I can sign XML fragments with a temporary key and successfully port the signed fragment (Enveloped) into another document, retaining the validity of the signed fragment. Things do not work consistently, however, when namespaces are included.
For example:
<Assertion ID="WHATEVER" Version="2.0"> <!--Assertion without namespace-->
</Assertion>

<Assertion ID="WHATEVER" Version="2.0"> <!--Signature applied to assertion-->
  <dg:Signature>...
  </dg:Signature>
</Assertion>

<Header> <!--Signed fragment manually included in a parent document-->
  <Assertion ID="WHATEVER" Version="2.0">
    <dg:Signature>...
    </dg:Signature>
  </Assertion>
</Header>
************* Above is predictable and works well - below does not work predictably *************
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="WHATEVER" Version="2.0">
</saml:Assertion>

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="WHATEVER" Version="2.0">
  <dg:Signature>...
  </dg:Signature>
</saml:Assertion>

<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="WHATEVER" Version="2.0">
    <dg:Signature>...
    </dg:Signature>
  </saml:Assertion>
</soap:Header>
What are the rules for signature validity when namespaces are present for enveloped XML signed fragments? I have been unable to find documentation on this subject.
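The behaviour asked about above comes down to the canonicalization method named in the signature's Reference: inclusive C14N (xml-c14n-20010315) renders every namespace in scope at the apex of the signed subtree, so an ancestor's xmlns:soap declaration lands in the digest input once the fragment is moved into the header, whereas exclusive C14N (xml-exc-c14n#) renders only namespaces the subtree visibly uses and keeps the fragment portable. The following added example (not code from the original post) reproduces just that namespace rule in a deliberately simplified canonicalizer over constructed sample XML; the element contents, sample values and helper names are assumptions, and the Signature child is left out because the enveloped-signature transform removes it from the digest input anyway.

```python
import hashlib
from xml.dom import minidom
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed sample: the same assertion stand-alone and inside a SOAP header.
ASSERTION = ('<saml:Assertion xmlns:saml="%s" ID="WHATEVER" Version="2.0">'
             '<saml:Issuer>idp.example</saml:Issuer></saml:Assertion>' % SAML_NS)
ENVELOPE = ('<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            + ASSERTION + '</soap:Header>')

def in_scope_ns(elem):
    """Namespace declarations visible at elem, collected from the root down."""
    chain = []
    while elem is not None and elem.nodeType == elem.ELEMENT_NODE:
        chain.append(elem)
        elem = elem.parentNode
    scope = {}
    for node in reversed(chain):
        for name, value in node.attributes.items():
            if name.startswith("xmlns"):      # "xmlns" -> "", "xmlns:p" -> "p"
                scope[name[6:]] = value
    return scope

def canon(elem, exclusive, rendered=None):
    """Simplified C14N: inclusive emits every in-scope namespace at the apex,
    exclusive only those the element or its attributes visibly use."""
    rendered = dict(rendered or {})
    attrs = [(n, v) for n, v in elem.attributes.items() if not n.startswith("xmlns")]
    scope = in_scope_ns(elem)
    if exclusive:
        used = {elem.prefix or ""} | {n.split(":")[0] for n, _ in attrs if ":" in n}
        scope = {p: u for p, u in scope.items() if p in used}
    # A declaration already emitted by an output ancestor is not repeated.
    ns_out = [(p, u) for p, u in sorted(scope.items()) if rendered.get(p) != u]
    rendered.update(ns_out)
    out = "<" + elem.tagName + "".join(' xmlns%s="%s"' % (":" + p if p else "", u) for p, u in ns_out)
    out += "".join(' %s="%s"' % a for a in sorted(attrs)) + ">"
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            out += canon(child, exclusive, rendered)
        elif child.nodeType == child.TEXT_NODE:
            out += child.data
    return out + "</" + elem.tagName + ">"

def canonical_assertion(xml_text, exclusive):
    """Canonical form of the saml:Assertion subtree wherever it sits in xml_text."""
    doc = minidom.parseString(xml_text)
    return canon(doc.getElementsByTagNameNS(SAML_NS, "Assertion")[0], exclusive)
def assertion_digest(xml_text, exclusive):
    """The DigestValue input a verifier would recompute for that subtree."""
    return hashlib.sha256(canonical_assertion(xml_text, exclusive).encode()).hexdigest()
```

With inclusive C14N the two digests differ as soon as the assertion is nested under soap:Header, while with exclusive C14N they are identical, which is why SAML profiles specify exclusive canonicalization for portable signed assertions.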

