[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: is the "xsi:type" mandatory to be present for the AttributeValue in aSAML Response
Hi Scott,
We are a SAML 2.0 Identity Provider supporting only the HTTP Post
binding (web browser SSO).
The generated SAML response for a particular case looks like this :-
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="email">
<saml:AttributeValue>bar@cisco.com</saml:AttributeValue>
<saml:AttributeValue>baz@ironport.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
The response from Ping Federate looks like this :-
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema";>
<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="email">
<saml:AttributeValue
xsi:type="xs:string">bar@cisco.com</saml:AttributeValue>
<saml:AttributeValue
xsi:type="xs:string">baz@ironport.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Note that the PingFederate's AttributeValue has a "xsi:type" which we
don't have.
Now the SP is claiming that it cannot process our response because of
the missing datatype. They are using OpenSAML library and they are
unable to parse the response.
If I read the saml-core documents correctly, it implies that the
datatype is optional in case the type is string or integer (.. "the
datatype MAY be declared explicitly" .. )
<AttributeValue> [Any Number]
Contains a value of the attribute. If an attribute contains more than
one discrete value, it is
RECOMMENDED that each value appear in its own <AttributeValue>
element. If more than
one <AttributeValue> element is supplied for an attribute, and any of
the elements have a
datatype assigned through xsi:type, then all of the <AttributeValue>
elements must have
the identical datatype assigned.
Element <AttributeValue>
The <AttributeValue> element supplies the value of a specified SAML
attribute. It is of the
xs:anyType type, which allows any well-formed XML to appear as the
content of the element.
If the data content of an <AttributeValue> element is of an XML Schema
simple type (such as
xs:integer or xs:string), the datatype MAY be declared explicitly by
means of an xsi:type declaration
in the <AttributeValue> element. If the attribute value contains
structured data, the necessary data
elements MAY be defined in an extension schema.
Note: Specifying a datatype other than an XML Schema simple type on
<AttributeValue> using xsi:type will require the presence of the
extension schema
that defines the datatype in order for schema processing to proceed.
If a SAML attribute includes an empty value, such as the empty string,
the corresponding
<AttributeValue> element MUST be empty (generally this is serialized
as <AttributeValue/>).
This overrides the requirement in Section 1.3.1 that string values in
SAML content contain at least one
non-whitespace character.
If a SAML attribute includes a "null" value, the corresponding
<AttributeValue> element MUST be
empty and MUST contain the reserved xsi:nil XML attribute with a value
of "true" or "1".
Is our SAML response syntactically correct and can you please confirm
that the issue lies on the SP side.
Thanks for your help as always.
--
With best regards,
Bhaskar.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]