<div dir="ltr">I figured out the problem, I had somehow typo'ed xmlns:samlp to samlp:xmlns and needed the full --id-attr:ID urn:oasis.....:AuthnRequest bit<div><br></div><div>It works now, bah.</div><div><br></div><div>Tom</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 19, 2015 at 9:41 AM, Tom Burdick <span dir="ltr"><<a href="mailto:thomas.burdick@gmail.com" target="_blank">thomas.burdick@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>In the xmlsec1 manpage in the --id-attr section it says "use a DTD or schema" </div><div><br></div><div>How would I use a schema with xmlsec1? No other mention of schema is made in the man page.</div><div><br></div><div>I'd like to use the saml schemas rather than a DTD as I've ran in to trouble with shibboleth and opensaml now with signed saml messages. Shibboleth appears to require a ds:Reference to have a URI attribute but dislikes having DTD's in the document.</div><div><br></div><div>I've gotten this document to be signed by adding the FAQ suggested DTD, only to see opensaml spew out an error about DTD's have been disabled. Presumably because they are using the schemas.</div><div><br></div><div>I've not been able to get this signed using the --id-attr:ID suggestion given in the FAQ.</div><div><br></div><div>So my template looks like....</div><div><br></div><div><div><?xml version="1.0" encoding="UTF-8"?></div><div><samlp:AuthnRequest samlp:xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="abc123"</div><div> Version="2.0" IssueInstant="2015-05-19T13:53:57Z"</div><div> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"</div><div> AssertionConsumerServiceURL="<a href="https://some.valid.url/saml_consume" target="_blank">https://some.valid.url/saml_consume</a>"></div><div> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"</div><div> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"></div><div> <a href="https://some.valid.url" target="_blank">https://some.valid.url</a></div><div> </saml:Issuer></div><div> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></div><div> <ds:Signature xmlns:ds="<a href="http://www.w3.org/2000/09/xmldsig#" target="_blank">http://www.w3.org/2000/09/xmldsig#</a>"></div><div> <ds:SignedInfo></div><div> <ds:CanonicalizationMethod Algorithm="<a href="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" target="_blank">http://www.w3.org/2001/10/xml-exc-c14n#WithComments</a>"/></div><div> <ds:SignatureMethod Algorithm="<a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" target="_blank">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</a>"/></div><div> <ds:Reference URI="#abc123"></div><div> <ds:Transforms></div><div> <ds:Transform Algorithm="<a href="http://www.w3.org/2000/09/xmldsig#enveloped-signature" target="_blank">http://www.w3.org/2000/09/xmldsig#enveloped-signature</a>"/></div><div> <ds:Transform Algorithm="<a href="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" target="_blank">http://www.w3.org/2001/10/xml-exc-c14n#WithComments</a>"/></div><div> </ds:Transforms></div><div> <ds:DigestMethod Algorithm="<a href="http://www.w3.org/2001/04/xmlenc#sha256" target="_blank">http://www.w3.org/2001/04/xmlenc#sha256</a>"/></div><div> <ds:DigestValue/></div><div> </ds:Reference></div><div> </ds:SignedInfo></div><div> <ds:SignatureValue/></div><div> </ds:Signature></div><div></samlp:AuthnRequest></div></div><div><br></div><div>Any help is much appreciated.</div><div><br></div><div>Thanks!</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Tom</div><div><div><br></div><div><br></div></div></font></span></div>
</blockquote></div><br></div>