
saml-dev message


Subject: RE: [saml-dev] Resolving SAML and XML DSIG schemas when validating SAML Assertions instances

> In our SAML processing implementation we prefer that we
> handle schema resolutions (for SAML Assertions as well as XML DSIG
> elements) from a local copy of their standard schema. 
> However, we prefer altering the SAML schema w.r.t. removing 
> the attribute 'schemaLocation' which is defined as part of the import 
> declaration in the SAML schema:

Any decent parser should permit overriding schemaLocation anyway, using a locally defined hint in combination with an entity
resolver of your own choosing. I didn't have to remove schemaLocation to use my own local copy of either schema.

> Question# 1:
> Will alteration of SAML v.1.0 Assertion schema w.r.t. 
> schemaLocation attribute cause any interoperability problems 
> w.r.t. generated SAML assertion instance?

Not if you remove it from *your* copy, no. As Rich noted, others may be using it for something (what I couldn't say), so it wouldn't
be removed from the official copy.

> Question#2:
> Will such modifications in the XML DSIG schema cause any 
> interoperability problems in SAML Assertion and/or content 
> that is signed using XML DSIG?

I did that to mine as well, and I'm pulling in the xml namespace directly via a local copy of the schema.

> Any clarifications would be appreciated. I'm also wondering 
> how folks have dealt with schema caching and the issue of 
> resolving instance against local vs (remote) standard schema location.

I use custom resolvers to pull in my copies and let the parser do its grammar caching thing to speed things up. Performance doesn't
seem to be much of a concern, especially when you're doing SSL and digital signatures anyway. That's much worse (and we don't have
the bucks for crypto hardware).

-- Scott
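The approach Scott describes (leave schemaLocation in place, satisfy every import from a local copy through your own resolver, and let the grammar cache absorb the cost) sketched as a small Python example. This is added illustration, not code from the thread or from any SAML toolkit; the schema texts are constructed stubs that stand in for the local files, and the resolver class mirrors what a parser's entity-resolver hook would be given.

```python
import xml.etree.ElementTree as ET

XS_NS = "http://www.w3.org/2001/XMLSchema"
IMPORT = "{%s}import" % XS_NS
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XML_NS = "http://www.w3.org/XML/1998/namespace"
# Remote schemaLocation hints of the kind found in the published schemas (illustrative).
DSIG_HINT = "http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"
XML_HINT = "http://www.w3.org/2001/xml.xsd"

# Constructed stand-ins for the local copies of each schema (in practice, files
# on disk); each keeps the unmodified import with its remote schemaLocation hint.
LOCAL_STORE = {
    SAML_NS: (f'<schema xmlns="{XS_NS}" targetNamespace="{SAML_NS}">'
              f'<import namespace="{DSIG_NS}" schemaLocation="{DSIG_HINT}"/>'
              '</schema>'),
    DSIG_NS: (f'<schema xmlns="{XS_NS}" targetNamespace="{DSIG_NS}">'
              f'<import namespace="{XML_NS}" schemaLocation="{XML_HINT}"/>'
              '</schema>'),
    XML_NS: f'<schema xmlns="{XS_NS}" targetNamespace="{XML_NS}"/>',
}


class LocalSchemaResolver:
    """Plays the role of the parser's entity resolver: every xs:import is
    satisfied from the local store by namespace, the remote schemaLocation
    hint is recorded but never fetched, and each grammar is parsed only once."""

    def __init__(self, store):
        self.store = store
        self.cache = {}           # namespace -> parsed schema root (grammar cache)
        self.parses = 0           # number of schema documents actually parsed
        self.ignored_hints = []   # remote locations we declined to fetch

    def load(self, namespace, hint=None):
        if namespace in self.cache:
            return self.cache[namespace]
        if namespace not in self.store:
            # Fail closed: an unknown namespace is never resolved over the network.
            raise LookupError(f"no local schema for {namespace}; not fetching {hint}")
        if hint:
            self.ignored_hints.append(hint)
        root = ET.fromstring(self.store[namespace])
        self.parses += 1
        self.cache[namespace] = root      # cache before recursing so cycles terminate
        for imp in root.iter(IMPORT):     # resolve transitive imports the same way
            self.load(imp.get("namespace"), imp.get("schemaLocation"))
        return root
```

With a real validating parser the same lookup goes into its resolver hook (for example lxml's `etree.Resolver`), so the published schemas need no edits and no validation ever reaches out to w3.org or oasis-open.org.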
