saml-dev message



Subject: [saml-dev] Resolving SAML and XML DSIG schemas when validating SAML Assertion instances


As part of validating SAML Assertion instances, it is required that we resolve
the corresponding XML DSIG schema pertaining to the Assertion signature.

Typically, the OASIS SAML v. 1.0 schema and also W3C XML DSIG
schema should be resolved from their 'schemaLocation' over the http
protocol. Furthermore, typically, if local copies of required schema
are used we would expect that those schemas are unaltered.

In our SAML processing implementation we prefer that we
handle schema resolutions (for SAML Assertions as well as XML DSIG
elements) from a local copy of their standard schema. However, we
prefer altering the SAML schema w.r.t. removing the attribute 
'schemaLocation' which is defined as part of the import declaration in 
the SAML schema:

<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill
Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">

<import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>

This would enable us to use local copies of the SAML schema (and
speed up validation of SAML Assertion instances) rather than doing
schema retrieval over the internet. Semantically, this change in the
schema does not alter the SAML assertion. 


Question #1:
Will alteration of the SAML v1.0 Assertion schema w.r.t. the schemaLocation
attribute cause any interoperability problems w.r.t. generated SAML assertion
instances?

Along the same lines, for the corresponding XML DSIG schema, which would
also need to be retrieved from the standard W3C XML DSIG schema location,
the maintenance of local copies of the XML DSIG schema poses problems w.r.t.
the use of a doctype with a reference to the DTD for XML Schema. Standard parser
behavior requires that we actually try to retrieve this DTD even though
we do not attempt to validate schemas with it. We would like to remove
the doctype declaration from our local copy of the XML DSIG schema:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema
  PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
"http://www.w3.org/2001/XMLSchema.dtd"
 [
   <!ATTLIST schema
     xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
   <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
   <!ENTITY % p ''>
   <!ENTITY % s ''>
  ]>

<!-- Schema for XML Signatures
    http://www.w3.org/2000/09/xmldsig#
    $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle 


Question #2:
Will such modifications in the XML DSIG schema cause any interoperability
problems in SAML Assertions and/or content that is signed using XML DSIG?

Any clarifications would be appreciated. I'm also wondering how folks have
dealt with schema caching and the issue of resolving instances against
local vs. (remote) standard schema locations.

thanks,
Zahid
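The "standard parser behavior" problem raised above (the parser reaching out over HTTP for the XMLSchema DTD and for the `schemaLocation` named in an `<import>`) is usually solved without editing the schema files at all: give the parser an entity resolver that answers known identifiers from a local, allowlisted catalog and refuses anything else. The following is an added example, not code from the post or from any SAML implementation; it uses only the Python standard library (`xml.sax` over expat). The "local copies" in `LOCAL_CATALOG` are constructed stubs standing in for the real W3C and OASIS files, which a deployment would ship unmodified on disk, and the two sample documents are constructed from the xmldsig schema head quoted in the post.

```python
# Added example: resolve the XML Schema DTD (and, by the same table, an
# <import>'s schemaLocation) from a local allowlist instead of over HTTP.
# Not from the saml-dev post; stdlib only. Catalog contents are stubs.
import io
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource

# Identifier as it appears in the document -> local bytes (constructed stubs).
LOCAL_CATALOG = {
    # External DTD subset named by the W3C xmldsig schema's DOCTYPE.
    "http://www.w3.org/2001/XMLSchema.dtd": b"<!ELEMENT schema ANY>\n",
    # schemaLocation named by the SAML 1.0 schema's <import>; a schema
    # validator's resource resolver would consult the same table.
    "http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd":
        b'<schema xmlns="http://www.w3.org/2001/XMLSchema" '
        b'targetNamespace="http://www.w3.org/2000/09/xmldsig#"/>\n',
}


class CatalogResolver(handler.EntityResolver):
    """Serve allowlisted identifiers locally; refuse everything else.

    Refusing (rather than returning an empty entity) makes an unexpected
    external reference visible instead of letting the parser contact an
    arbitrary host."""

    def __init__(self, catalog):
        self.catalog = catalog
        self.served = []    # (publicId, systemId) pairs answered locally
        self.refused = []   # identifiers not in the catalog

    def resolveEntity(self, publicId, systemId):
        body = self.catalog.get(systemId)
        if body is None:
            self.refused.append((publicId, systemId))
            raise xml.sax.SAXException(
                "refusing to fetch %r: not in local schema catalog" % systemId)
        self.served.append((publicId, systemId))
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(body))
        return src


def parse_with_catalog(document, catalog=LOCAL_CATALOG, fetch_external=True):
    """Parse `document` (bytes); return (parsed_ok, served, refused).

    fetch_external=False is the other defensible posture: the parser then
    skips the external DTD subset entirely and never calls the resolver
    (the default in Python >= 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, fetch_external)
    resolver = CatalogResolver(catalog)
    parser.setEntityResolver(resolver)
    try:
        parser.parse(io.BytesIO(document))
        ok = True
    except xml.sax.SAXException:
        ok = False
    return ok, resolver.served, resolver.refused


# Constructed: the xmldsig schema head as quoted in the post, plus a
# minimal root element so the document is complete.
DSIG_SCHEMA_HEAD = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema
  PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
 [
   <!ATTLIST schema xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
   <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
   <!ENTITY % p ''>
   <!ENTITY % s ''>
  ]>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        targetNamespace="http://www.w3.org/2000/09/xmldsig#"/>
"""

# Constructed: a DOCTYPE pointing at something outside the catalog.
UNLISTED_DTD_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE schema SYSTEM "http://example.org/not-in-catalog.dtd">\n'
    b'<schema/>\n')

if __name__ == "__main__":
    print(parse_with_catalog(DSIG_SCHEMA_HEAD))                        # served locally
    print(parse_with_catalog(UNLISTED_DTD_DOC))                        # refused
    print(parse_with_catalog(UNLISTED_DTD_DOC, fetch_external=False))  # never fetched
```

With the catalog in place the DOCTYPE can stay in the local DTD copy, and the `schemaLocation` hint can stay in the SAML schema: the resolver, not the document, decides where the bytes come from, so the local files remain byte-for-byte identical to the published ones.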




