Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
535 views
in Technique[技术] by (71.8m points)

xsd - unable to validate SAML 2.0 assertion against schema

I am working with Spring SAML and I have problem consuming SAML assertion (sample assertion from Wikipedia article

<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
    Version="2.0"
   IssueInstant="2004-12-05T09:22:05">
   <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
   <ds:Signature
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
   <saml:Subject>
     <saml:NameID
       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
       3f7b3dcf-1674-4ecd-92c8-1544f346baf8
     </saml:NameID>
     <saml:SubjectConfirmation
       Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
       <saml:SubjectConfirmationData
         InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
         Recipient="https://sp.example.com/SAML2/SSO/POST"
         NotOnOrAfter="2004-12-05T09:27:05"/>
     </saml:SubjectConfirmation>
   </saml:Subject>
   <saml:Conditions
     NotBefore="2004-12-05T09:17:05"
     NotOnOrAfter="2004-12-05T09:27:05">
     <saml:AudienceRestriction>
       <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
     </saml:AudienceRestriction>
   </saml:Conditions>
   <saml:AuthnStatement
     AuthnInstant="2004-12-05T09:22:00"
     SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
     <saml:AuthnContext>
       <saml:AuthnContextClassRef>
         urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
     </saml:AuthnContext>
   </saml:AuthnStatement>
   <saml:AttributeStatement>
     <saml:Attribute
       xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
       x500:Encoding="LDAP"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
       FriendlyName="eduPersonAffiliation">
       <saml:AttributeValue
         xsi:type="xs:string">member</saml:AttributeValue>
       <saml:AttributeValue
         xsi:type="xs:string">staff</saml:AttributeValue>
     </saml:Attribute>
   </saml:AttributeStatement>
 </saml:Assertion>    

I am getting errors from XML validation. The errors come even when I perform schema validation from IDE (Intelij IDEA tools->XML Actions->Validate)

It looks like xml schema in xenc-schema.xsd is not valid (should have inlcude rather than import). This code comes from xmltooling-1.4.4.jar library (latest version).

Is this bug in Spring SAML or xmltooling schema files, or am I doing something wrong?

My business case is identity-provider-initiated SSO. As described in https://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding, point 5. Request the Assertion Consumer Service at the SP I am consuming SAML assertion in POST request (body contains SAMLResponse=

Bellow all errors

  • <...>xmltooling-1.4.4.jar!schemaxmldsig-core-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute, 'http://www.w3.org/2000/09/xmldsig#', of an element information item must be identical to the targetNamespace attribute, 'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.

  • <...>xmltooling-1.4.4.jar!schemaxenc-schema.xsd Error:(2, 360) src-import.3.1: The namespace attribute, 'http://www.w3.org/2001/04/xmlenc#', of an element information item must be identical to the targetNamespace attribute, 'urn:oasis:names:tc:SAML:2.0:assertion', of the imported document.

  • <...>opensaml-2.6.4.jar!schemasaml-schema-assertion-2.0.xsd Error:(34, 48) src-resolve: Cannot resolve the name 'xenc:EncryptedData' to a(n) 'element declaration' component. Error:(46, 56) src-resolve: Cannot resolve the name 'ds:Signature' to a(n) 'element declaration' component.

  • <...>wikipediaExample.xml Error:(11, 59) cvc-complex-type.2.4.a: Invalid content was found starting with element 'ds:Signature'. One of '{"urn:oasis:names:tc:SAML:2.0:assertion":Subject, "urn:oasis:names:tc:SAML:2.0:assertion":Conditions, "urn:oasis:names:tc:SAML:2.0:assertion":Advice, "urn:oasis:names:tc:SAML:2.0:assertion":Statement, "urn:oasis:names:tc:SAML:2.0:assertion":AuthnStatement, "urn:oasis:names:tc:SAML:2.0:assertion":AuthzDecisionStatement, "urn:oasis:names:tc:SAML:2.0:assertion":AttributeStatement}' is expected. Error:(11, 77) cvc-complex-type.2.3: Element 'ds:Signature' cannot have character [children], because the type's content type is element-only. Error:(11, 77) cvc-complex-type.2.4.b: The content of element 'ds:Signature' is not complete. One of '{"http://www.w3.org/2000/09/xmldsig#":SignedInfo}' is expected.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

As you can see in your XML, the Signature content is ommited with triple dots:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>

The XML validation is correctly telling you about this problem.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...