Subject: [saml-dev] Resolving SAML and XML DSIG schemas when validating SAML Assertion instances
As part of validating SAML Assertion instances, it is required that we resolve the corresponding XML DSIG schema pertaining to the Assertion signature. Typically, the OASIS SAML v1.0 schema and also the W3C XML DSIG schema should be resolved from their 'schemaLocation' over the HTTP protocol. Furthermore, typically, if local copies of the required schemas are used, we would expect that those schemas are unaltered.

In our SAML processing implementation we prefer to handle schema resolution (for SAML Assertions as well as XML DSIG elements) from a local copy of their standard schemas. However, we prefer altering the SAML schema w.r.t. removing the attribute 'schemaLocation', which is defined as part of the import declaration in the SAML schema:

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
    <schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            xmlns="http://www.w3.org/2001/XMLSchema"
            elementFormDefault="unqualified">
        <import namespace="http://www.w3.org/2000/09/xmldsig#"
                schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>

This would enable us to use local copies of the SAML schema (and speed up validation of SAML Assertion instances) rather than doing schema retrieval over the internet. Semantically, this change in the schema does not alter the SAML assertion.

Question #1: Will alteration of the SAML v1.0 Assertion schema w.r.t. the schemaLocation attribute cause any interoperability problems w.r.t. generated SAML assertion instances?

Along the same lines, for the corresponding XML DSIG schema, which would also need to be retrieved from the standard W3C XML DSIG schema location, the maintenance of local copies of the XML DSIG schema poses problems w.r.t. the use of a doctype with a reference to the DTD for XML Schema. Standard parser behavior requires that we actually try to retrieve this DTD even though we do not attempt to validate schemas with it. We would like to remove the doctype declaration from our local copy of the XML DSIG schema:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd" [
        <!ATTLIST schema xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
        <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
        <!ENTITY % p ''>
        <!ENTITY % s ''>
    ]>
    <!-- Schema for XML Signatures
         http://www.w3.org/2000/09/xmldsig#
         $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle

Question #2: Will such modifications in the XML DSIG schema cause any interoperability problems in SAML Assertions and/or content that is signed using XML DSIG?

Any clarifications would be appreciated. I'm also wondering how folks have dealt with schema caching and the issue of resolving instances against local vs. (remote) standard schema locations.

Thanks,
Zahid
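An added example, not part of the original post or of any SAML/DSIG project: a stdlib-only Python rewrite of the two edits the post describes (dropping the DOCTYPE from a local xmldsig-core-schema.xsd and the schemaLocation from the SAML schema's import), with the caveat a practitioner hits in practice: general entities declared in the DOCTYPE's internal subset must be inlined before the DOCTYPE goes, or the local copy stops parsing. The two schema texts are constructed miniatures modelled on the fragments quoted above, not the real W3C/OASIS files.

```python
import re
import xml.etree.ElementTree as ET

# Whole DOCTYPE declaration, including an optional internal subset "[ ... ]".
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.S)
# General (non-parameter) entity declarations found inside that internal subset.
ENTITY_RE = re.compile(r"<!ENTITY\s+(?!%)([\w.-]+)\s+(?:'([^']*)'|\"([^\"]*)\")\s*>")
# schemaLocation attribute on an <import> element, whatever prefix the XSD namespace uses.
IMPORT_LOC_RE = re.compile(r"(<(?:\w+:)?import\b[^>]*?)\s+schemaLocation\s*=\s*(?:\"[^\"]*\"|'[^']*')")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # entities XML defines without any DTD

# Constructed miniatures of the two schemas quoted in the post; not the real W3C/OASIS files.
DSIG_XSD = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd" [
  <!ATTLIST schema xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
  <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
  <!ENTITY % p ''>
]>
<schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:ds="&dsig;" targetNamespace="&dsig;">
  <element name="Signature" type="string"/>
</schema>"""
SAML_XSD = """<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://www.w3.org/2001/XMLSchema">
  <import namespace="http://www.w3.org/2000/09/xmldsig#"
          schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
  <element name="Assertion"/>
</schema>"""


def localize_schema(text: str) -> str:
    """Rewrite an XSD so loading it touches neither a DTD nor a remote schemaLocation.
    Entities from the DOCTYPE's internal subset are inlined first; otherwise a body
    reference such as &dsig; becomes undefined and the local copy no longer parses."""
    entities = {}
    m = DOCTYPE_RE.search(text)
    if m:
        for name, single, double in ENTITY_RE.findall(m.group("subset") or ""):
            entities[name] = single or double
        text = text[:m.start()] + text[m.end():]
    def inline(ref):
        name = ref.group(1)
        if name in PREDEFINED:
            return ref.group(0)
        if name not in entities:
            raise ValueError(f"&{name}; is referenced but nothing declares it")
        return entities[name]
    text = re.sub(r"&([\w.-]+);", inline, text)
    text = IMPORT_LOC_RE.sub(r"\1", text)
    ET.fromstring(text)  # no DTD, no network: raises ParseError if the rewrite broke the XSD
    return text
```

The importing parser then needs a resolver that maps the xmldsig namespace to the local copy; with schemaLocation gone there is no URL left for it to fetch.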