[xmlsec] Using schemas instead of DTD

Tom Burdick thomas.burdick at gmail.com
Tue May 19 07:53:31 PDT 2015


I figured out the problem: I had somehow typoed xmlns:samlp to samlp:xmlns,
and needed the full --id-attr:ID urn:oasis.....:AuthnRequest bit.

It works now, bah.

Tom

On Tue, May 19, 2015 at 9:41 AM, Tom Burdick <thomas.burdick at gmail.com>
wrote:

> In the xmlsec1 manpage in the --id-attr section it says "use a DTD or
> schema"
>
> How would I use a schema with xmlsec1? No other mention of schema is made
> in the man page.
>
> I'd like to use the SAML schemas rather than a DTD as I've run into
> trouble with Shibboleth and OpenSAML now with signed SAML messages.
> Shibboleth appears to require a ds:Reference to have a URI attribute but
> dislikes having DTDs in the document.
>
> I've gotten this document to be signed by adding the FAQ-suggested DTD,
> only to see OpenSAML spew out an error about DTDs having been disabled.
> Presumably because they are using the schemas.
>
> I've not been able to get this signed using the --id-attr:ID suggestion
> given in the FAQ.
>
> So my template looks like....
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:AuthnRequest samlp:xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="abc123"
>     Version="2.0" IssueInstant="2015-05-19T13:53:57Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     AssertionConsumerServiceURL="https://some.valid.url/saml_consume">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>         https://some.valid.url
>     </saml:Issuer>
>     <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>             <ds:Reference URI="#abc123">
>                 <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 <ds:DigestValue/>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue/>
>     </ds:Signature>
> </samlp:AuthnRequest>
>
> Any help is much appreciated.
>
> Thanks!
>
> Tom
>
>
>
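The fix described in the thread, worked through end to end as an added example (this is not code from the thread or from the xmlsec project): the template is rewritten with the namespace declaration corrected to xmlns:samlp, signed with xmlsec1 using --id-attr:ID plus the full namespace-URI:element-name of the element that carries the ID, verified, and then tampered with to confirm the digest over #abc123 actually covers the request. No DOCTYPE is emitted, which is what the DTD-rejecting verifier side wants: a verifier that processes DTDs exposes itself to entity-expansion and external-entity attacks, so the sender must make the ID attribute resolvable via --id-attr rather than via a DTD. The RSA key pair, file names and the check_namespace_decl helper are assumptions made for this example; it assumes xmlsec1 (built against OpenSSL) and the openssl CLI are on PATH, and skips the signing part if they are not.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the xmlsec project.
set -eu

SAMLP_NS="urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed template: the poster's AuthnRequest with xmlns:samlp (not
# samlp:xmlns). No DOCTYPE, so nothing for a DTD-rejecting verifier to refuse.
write_template() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="$SAMLP_NS" ID="abc123"
    Version="2.0" IssueInstant="2015-05-19T13:53:57Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    AssertionConsumerServiceURL="https://some.valid.url/saml_consume">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://some.valid.url</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#abc123">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
    </ds:Signature>
</samlp:AuthnRequest>
EOF
}

# Hypothetical pre-flight check for the typo the thread hit: samlp:xmlns="..."
# is an ordinary attribute, so the samlp: prefix stays unbound.
check_namespace_decl() {
    ! grep -q 'samlp:xmlns=' "$1" && grep -q 'xmlns:samlp=' "$1"
}

# Throwaway RSA key pair for the example; use a managed signing key in practice.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# xmlsec1 >= 1.3 defaults to strict key search; --lax-key-search restores the
# old behaviour of using whatever key was supplied. Detect it rather than guess.
LAX=""
if xmlsec1 --help 2>/dev/null | grep -q -- '--lax-key-search'; then
    LAX="--lax-key-search"
fi

# --id-attr:ID <namespace-uri>:<element> registers ID on samlp:AuthnRequest only,
# so URI="#abc123" resolves without a DTD. Registering it on a single element
# type (rather than on everything) also narrows what a #ref can point at.
sign_authn_request() {   # template key output
    xmlsec1 --sign --privkey-pem "$2" --id-attr:ID "$SAMLP_NS:AuthnRequest" \
        --output "$3" "$1"
}

verify_authn_request() { # signed pubkey
    xmlsec1 --verify $LAX --pubkey-pem "$2" --id-attr:ID "$SAMLP_NS:AuthnRequest" "$1"
}

main() {
    work=$(mktemp -d)
    write_template "$work/authn.xml"
    check_namespace_decl "$work/authn.xml"
    gen_key "$work/key.pem" "$work/pub.pem"
    sign_authn_request "$work/authn.xml" "$work/key.pem" "$work/signed.xml"
    verify_authn_request "$work/signed.xml" "$work/pub.pem"
    # Enveloped signature over #abc123 covers the whole request: changing the
    # AssertionConsumerServiceURL after signing must break verification.
    sed 's#https://some.valid.url/saml_consume#https://attacker.invalid/acs#' \
        "$work/signed.xml" > "$work/tampered.xml"
    if verify_authn_request "$work/tampered.xml" "$work/pub.pem" 2>/dev/null; then
        echo "tampered request verified: check your setup" >&2
        return 1
    fi
    echo "signed, verified, tamper detected: $work/signed.xml"
}

if command -v xmlsec1 >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    main
else
    echo "xmlsec1 and/or openssl not on PATH; template written but not signed" >&2
fi
```

The verify side here is xmlsec1 with the same --id-attr registration; a real consumer such as OpenSAML does its own ID resolution from the schema, which is why the DTD workaround in the FAQ is the wrong tool once the document leaves the signer. Whatever verifies the request should additionally confirm that the element the signature covers is the same element it goes on to act upon, since a valid signature over some other ID-bearing element is not proof of anything.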