[xmlsec] Using schemas instead of DTD

Tom Burdick thomas.burdick at gmail.com
Tue May 19 07:41:26 PDT 2015 

In the xmlsec1 manpage in the --id-attr section it says "use a DTD or
schema"

How would I use a schema with xmlsec1? No other mention of schema is made
in the man page.

I'd like to use the saml schemas rather than a DTD as I've ran in to
trouble with shibboleth and opensaml now with signed saml messages.
Shibboleth appears to require a ds:Reference to have a URI attribute but
dislikes having DTD's in the document.

I've gotten this document to be signed by adding the FAQ suggested DTD,
only to see opensaml spew out an error about DTD's have been disabled.
Presumably because they are using the schemas.

I've not been able to get this signed using the --id-attr:ID suggestion
given in the FAQ.

So my template looks like....

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest samlp:xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
ID="abc123"
    Version="2.0" IssueInstant="2015-05-19T13:53:57Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    AssertionConsumerServiceURL="https://some.valid.url/saml_consume">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://some.valid.url
    </saml:Issuer>
    <samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
            <ds:SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#abc123">
                <ds:Transforms>
                    <ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
    </ds:Signature>
</samlp:AuthnRequest>

Any help is much appreciated.

Thanks!

Tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20150519/0807c697/attachment.html>

More information about the xmlsec mailing list