0
votes

There are SAML authentication requests coming from two different systems. One is successful, the other keeps failing.

I noted that the failing one has missing xmlns:ds="http://www.w3.org/2000/09/xmldsig#" in 13 out of 14 tags:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Reference URI="#_8dea83ff20a914b6aefd05b2ae61a4556e3e" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

The failing request has this parameter only in the ds:Signature tag.

  1. I would like to know whether not having this parameter would make the request invalid.
  2. Is this parameter required in SAML 2.0 (xmlns="urn:oasis:names:tc:SAML:2.0:protocol")?
1
You'd better include xmlns:ds="w3.org/2000/09/xmldsig#" in your root element.
Deepak Verma

1 Answer

1
votes
  1. The namespace declaration is sufficient on the top-level element, as it is inherited by sub-elements. It is still valid to declare it on each element, but it's unnecessary.
  2. It's not a requirement of SAML 2.0 per se, but a requirement for valid XML. As the SAML 2.0 schema relies on the xml-dsig schema, it's mandatory to declare the namespace on the signature tag or on one of the top-level elements.

Do you have a specific error message when validating the assertion?
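The following script is an added example, not code from the question or answer authors and not from any SAML library. It builds three constructed variants of a ds:Signature (digest, signature and reference values are placeholders): the prefix declared once on the root, declared on every element, and not declared at all. It then shows that the first two resolve every element to the same namespace, that the third is not well-formed XML, and that canonicalization renders both declared variants identically. The stdlib canonicalize() implements C14N 2.0, which, like the exclusive C14N named in the signature's CanonicalizationMethod, emits a namespace declaration only where it is first needed; it illustrates the effect here but is not the exact algorithm a SAML service provider runs.

```python
"""Added example: where xmlns:ds is declared does not change a ds:Signature's meaning."""
import io
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: xmlns:ds declared exactly once, on the ds:Signature root.
SIG_DECLARED_ONCE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#PLACEHOLDER_ASSERTION_ID">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PLACEHOLDER_DIGEST</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER_SIGNATURE</ds:SignatureValue>
</ds:Signature>"""

# Constructed variant with no declaration anywhere (not well-formed XML).
SIG_UNDECLARED = SIG_DECLARED_ONCE.replace(f' xmlns:ds="{DS}"', "", 1)

# Constructed variant with the declaration repeated on every element,
# as in the successful request quoted in the question.
SIG_DECLARED_EVERYWHERE = re.sub(r"<ds:(\w+)", rf'<ds:\1 xmlns:ds="{DS}"', SIG_UNDECLARED)


def resolved_tags(xml_text):
    """Return each element's tag in Clark notation, e.g. '{uri}SignedInfo'.

    The parser resolves the ds: prefix against whatever declaration is in
    scope, so the result does not depend on which element carried xmlns:ds.
    """
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter()]


def parse_error(xml_text):
    """Return the parser's error message, or None if the document parses."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:  # expat reports an unbound prefix here
        return str(exc)


def declaration_count(xml_text):
    """Count explicit xmlns:ds declarations by replaying the parser's start-ns events."""
    count = 0
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")), events=("start-ns",))
    for _event, (prefix, uri) in events:
        if prefix == "ds" and uri == DS:
            count += 1
    return count


def canonical(xml_text):
    """Canonical form (C14N 2.0); redundant re-declarations are not rendered."""
    return ET.canonicalize(xml_text)


if __name__ == "__main__":
    print("declared once      :", declaration_count(SIG_DECLARED_ONCE), "declaration(s)")
    print("declared everywhere:", declaration_count(SIG_DECLARED_EVERYWHERE), "declaration(s)")
    print("same resolved tags :", resolved_tags(SIG_DECLARED_ONCE) == resolved_tags(SIG_DECLARED_EVERYWHERE))
    print("same canonical form:", canonical(SIG_DECLARED_ONCE) == canonical(SIG_DECLARED_EVERYWHERE))
    print("undeclared variant :", parse_error(SIG_UNDECLARED))
```

Because the canonical forms are identical, the digest and signature computed over SignedInfo are the same whether the sending system declares the prefix once or on every element, which is why the missing repetitions cannot by themselves be what makes the second request fail; only a prefix that is declared nowhere in scope breaks parsing. The practical next step is the one the answer asks for: capture the validator's actual error message, which will point at the digest, the signature value, the certificate or the reference rather than at namespace syntax.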