saml and samlp namespaces

Nov 12, 2013 at 6:04 AM
Dear All,

Maybe it could be nice to add the 'saml' and 'samlp' namespace aliases in the serialization stage. The SAML generated will look better even if this doesn't change any functionality.

To test I changed the SAML2.Utils.Serilization.Serialization() constructor to this and it works well:
    static Serialization()
    {
        // Register the conventional SAML prefixes so the serializer emits them
        // instead of auto-generated ones (q1, q2, ...)
        XmlNamespaces = new XmlSerializerNamespaces();
        XmlNamespaces.Add(string.Empty, string.Empty);
        XmlNamespaces.Add("samlp", Saml20Constants.Protocol);   // urn:oasis:names:tc:SAML:2.0:protocol
        XmlNamespaces.Add("saml", Saml20Constants.Assertion);   // urn:oasis:names:tc:SAML:2.0:assertion
    }
Coordinator
Nov 15, 2013 at 1:51 AM
What's the upshot of this exactly? If you can explain the benefit, I'll be happy to roll it in.
Nov 15, 2013 at 6:29 AM
Edited Nov 15, 2013 at 7:30 AM
From a semantic and functional perspective it will not change anything -> the SAML requests and responses generated will be identical.

That's more a matter of convention in the SAML world. Without these, the XML generated looks like this:
  <q1:AuthnRequest Destination="https://adfs.company.com/adfs/ls/" ID="id55af3f4054764bc98117392b7df6dbcd"
                 IssueInstant="2013-11-15T07:08:07.7891918Z"
                 Version="2.0"
                 IsPassive="false"
                 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                 xmlns:q1="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:58152/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
                                      .......
        </Signature>
        <Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                <AudienceRestriction>
                        <Audience>http://localhost:58152/</Audience>
                </AudienceRestriction>
        </Conditions>
  </q1:AuthnRequest>
You see that the prefix used for the protocol namespace is q1, and that the assertion namespace is repeated in each XML element belonging to the assertion namespace.

Now if you change the constructor to
    static Serialization()
    {
        // Same as above, but without the empty default-namespace entry
        XmlNamespaces = new XmlSerializerNamespaces();
        XmlNamespaces.Add("samlp", Saml20Constants.Protocol);   // urn:oasis:names:tc:SAML:2.0:protocol
        XmlNamespaces.Add("saml", Saml20Constants.Assertion);   // urn:oasis:names:tc:SAML:2.0:assertion
    }
You get this:
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    Destination="https://adfs.company.com/adfs/ls/"
                    ID="id0bd6d6311c1d4c00a7507563688a959a"
                    IssueInstant="2013-11-15T07:10:35.1726217Z"
                    Version="2.0"
                    IsPassive="false"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
        <saml:Issuer>http://localhost:58152/</saml:Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                                     ...
        </Signature>
        <saml:Conditions>
                <saml:AudienceRestriction>
                        <saml:Audience>http://localhost:58152/</saml:Audience>
                </saml:AudienceRestriction>
        </saml:Conditions>
</samlp:AuthnRequest>
Which uses the common prefixes for the SAML assertion and protocol namespaces. If you look at the example on the Wikipedia page you will see that this is commonly used: http://en.wikipedia.org/wiki/SAML_2.0
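The point that the two serializations are semantically identical, and the reason a consumer must never key on the literal prefix, can be checked with a namespace-aware parser. The following is an added example, not code from this thread or from the SAML2 library: the two documents are constructed here from the snippets above (same ID in both, Signature element omitted), and the helper names are assumptions. It shows that expanded names (`{namespace}localname`) agree across both forms while a naive match on the `saml:` prefix only finds the second one.

```python
"""Namespace-aware comparison of the two AuthnRequest serializations.

Both XML strings below are constructed for this example from the thread's
snippets; they are not output captured from the SAML2 library.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Serialization without registered prefixes: auto-generated q1 on the root,
# default namespace redeclared on every assertion-namespace element.
AUTO_PREFIX_XML = """<q1:AuthnRequest Destination="https://adfs.company.com/adfs/ls/"
    ID="id55af3f4054764bc98117392b7df6dbcd" Version="2.0"
    xmlns:q1="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:58152/</Issuer>
  <Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AudienceRestriction>
      <Audience>http://localhost:58152/</Audience>
    </AudienceRestriction>
  </Conditions>
</q1:AuthnRequest>"""

# Serialization with the conventional samlp/saml prefixes registered.
CONVENTIONAL_XML = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://adfs.company.com/adfs/ls/"
    ID="id55af3f4054764bc98117392b7df6dbcd" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer>http://localhost:58152/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>http://localhost:58152/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</samlp:AuthnRequest>"""


def expanded_names(xml_text):
    """Tags in document order as {namespace}localname (prefixes discarded)."""
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter()]


def issuer(xml_text):
    """Namespace-aware lookup of the Issuer value (correct approach)."""
    root = ET.fromstring(xml_text)
    el = root.find("{%s}Issuer" % SAML)
    return el.text if el is not None else None


def audiences(xml_text):
    """Namespace-aware lookup of every Audience value under Conditions."""
    root = ET.fromstring(xml_text)
    path = "{%s}Conditions/{%s}AudienceRestriction/{%s}Audience" % (SAML, SAML, SAML)
    return [el.text for el in root.findall(path)]


def prefix_based_issuer(xml_text):
    """Brittle approach: string-match the literal 'saml:Issuer' prefix.

    Works only when the producer happened to pick the 'saml' prefix, so it
    misses the first serialization entirely.
    """
    open_tag, close_tag = "<saml:Issuer>", "</saml:Issuer>"
    start = xml_text.find(open_tag)
    if start < 0:
        return None
    end = xml_text.find(close_tag, start)
    return xml_text[start + len(open_tag):end]


if __name__ == "__main__":
    print(expanded_names(AUTO_PREFIX_XML) == expanded_names(CONVENTIONAL_XML))
    print(issuer(AUTO_PREFIX_XML), issuer(CONVENTIONAL_XML))
    print(prefix_based_issuer(AUTO_PREFIX_XML), prefix_based_issuer(CONVENTIONAL_XML))
```

The takeaway for anyone validating incoming SAML: compare namespace URIs and local names, as `issuer` and `audiences` do, and treat the prefix purely as presentation. A check written like `prefix_based_issuer` passes or fails depending on which serializer produced the message rather than on its content.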
Coordinator
Nov 15, 2013 at 11:05 PM
Good enough. I'll roll it in.
Coordinator
Nov 20, 2013 at 12:47 AM
This has been rolled out in 2.4.2.