Hello,
I've been working on this for days now and I'm hoping someone will be able to help. I am working on a project that uses SAML. We generate an Assertion (XML) that we then sign and store into a database as a String, example below:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" IssueInstant="2010-04-26T15:03:55.390Z" Version="2.0">
<saml:Issuer>http://myissuer</saml:Issuer>
<saml:Subject>
<saml:NameID NameQualifier="http://myapp" SPNameQualifier="savings">test ID</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="test inResponseTo" NotOnOrAfter="2010-04-26T15:13:55.390Z" Recipient="http://my_receiving_app"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2010-04-26T14:53:55.390Z" NotOnOrAfter="2010-04-26T15:13:55.390Z">
<saml:AudienceRestriction>
<saml:Audience>myaudience</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2010-04-26T15:03:55.390Z" SessionIndex="12345">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
Then, we pull that out of the database into a custom object that holds the string.The first thing we want to do with this object is to unmarshal it from a string to our object type. We do this using the following code:
final InputStream xmlStream = new StringBufferInputStream(xml);
QName q = new QName(SAMLConstants.SAML20_NS, "Assertion","saml");
final JAXBElement< AssertionType >
jaxbElement = (JAXBElement< AssertionType >) unmarshaller.unmarshal(xmlStream);
final AssertionType assertionType = jaxbElement.getValue();
This unmarshaller works right and umarshals the text into the appropriate AssertionType object, but what happens is that it autogenerates all the XML namespaces and uses auto-generated prefixes. So the output looks like the following:
<ns1:Assertion xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns6="http://my_namespace/">
<ns1:Issuer>http://myissuer
</ns1:Issuer>
<ns1:Subject>
<ns1:NameID SPNameQualifier="savings" NameQualifier="http://myapp">test ID</ns1:NameID>
<ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns1:SubjectConfirmationData InResponseTo="test inResponseTo" Recipient="http://my_receiving_app" NotOnOrAfter="2010-04-26T15:13:55.390Z"></ns1:SubjectConfirmationData>
</ns1:SubjectConfirmation>
</ns1:Subject>
<ns1:Conditions NotOnOrAfter="2010-04-26T15:13:55.390Z" NotBefore="2010-04-26T14:53:55.390Z">
<ns1:AudienceRestriction>
<ns1:Audience>myaudience</ns1:Audience>
</ns1:AudienceRestriction>
</ns1:Conditions>
<ns1:AuthnStatement SessionIndex="1234" AuthnInstant="2010-04-26T15:03:55.390Z">
<ns1:AuthnContext>
<ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ns1:AuthnContextClassRef>
</ns1:AuthnContext>
</ns1:AuthnStatement>
</ns1:Assertion>
This would normally not be an issue as this is valid XML; however, given that this Assertion is signed on one end, on the other end, we are trying to verify it. Given that verification of a signature requires the XML to not be changed at all, this fails as the XML is completely changed due to all those namespaces.
I am looking for a way to have the unmarshalling take place but to use the same namespaces and prefixes as the original did so that the outcome of unmarshalling is exactly the same as the original.
Another note, the AssertionType.java (along with many others) is auto generated from a WSDL that imports the saml-assertion and saml-protocol XSDs.
Any thoughts on this would be much appreciated!
Nabeel