Subject: Signing a SAML ArtifactResponse after adding SOAP binding elements
My task is to interoperate with the Dutch identity management system DigiD and we have some issues with their SAML 2 implementation.
The specific issue is with the artifact resolution protocol using the SOAP binding. We are finding that the ArtifactResponse message that we receive is digitally signed after adding the SOAP envelope / body elements. Because the document is sent over the wire in an indented format, we are having issues validating the signature. We first strip off the SOAP envelope and body, and then validate the message. The XML structure has then changed because the whitespace is different between sender and responder.
I am asking here to validate my assumption that you should:
- First generate a signed SAML message, then add binding specific elements for the binding you are using
- Prefer to send the XML over the wire in unformatted (non-indented) form to prevent representation issues between systems.
I find the specification to be not exactly clear on these points, especially the first.
Thanks! Hope you can help!
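The whitespace problem described in the post, reproduced as an added example that is not part of the original message and uses no DigiD data. It signs (here: digests, as a ds:Reference would) a compact ArtifactResponse, then shows that re-indenting the SOAP-wrapped document changes the canonical form of the signed subtree, while wrapping without reformatting leaves it intact. Python's standard-library `xml.etree.ElementTree.canonicalize` implements C14N 2.0 rather than the Exclusive C14N that SAML signatures normally use, but both keep whitespace-only text nodes, which is what matters here; the sample message, the SOAP wrapping and the helper names are assumptions made for the example.

```python
"""
Why an ArtifactResponse digested before SOAP wrapping fails to verify once
the wire form is pretty-printed.  Added example, not from the original post.
C14N 2.0 (stdlib) stands in for XML-DSig's Exclusive C14N; both preserve
whitespace-only text nodes inside the signed element.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Keep the same prefixes on re-serialisation; C14N does not rename prefixes,
# so a changed prefix would also change the digest.
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample: the ArtifactResponse exactly as the signer serialised
# it (compact, no indentation).  Not real DigiD traffic.
ARTIFACT_RESPONSE = (
    '<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:ArtifactResponse>'
)


def reference_digest(xml_text: str, strip_text: bool = False) -> str:
    """SHA-256 over the canonical form of an XML fragment (a ds:DigestValue)."""
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def wrap_in_soap(payload: str, indent: bool) -> str:
    """Place the signed payload in a SOAP Envelope/Body.

    indent=False appends the payload bytes verbatim.  indent=True re-parses
    and pretty-prints the whole document, which inserts whitespace text nodes
    *inside* the already-signed ArtifactResponse subtree.
    """
    compact = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body>" + payload + "</soap:Body></soap:Envelope>"
    )
    if not indent:
        return compact
    root = ET.fromstring(compact)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def extract_payload(envelope: str) -> str:
    """Strip Envelope/Body and return the ArtifactResponse subtree as received.

    The element's own content is left untouched; only its tail (whitespace
    that belongs to the Body, not to the signed element) is dropped.
    """
    root = ET.fromstring(envelope)
    payload = root.find("soap:Body", NS).find("samlp:ArtifactResponse", NS)
    payload.tail = None
    return ET.tostring(payload, encoding="unicode")


def verify_reference(received_envelope: str, expected_digest: str) -> bool:
    """Verifier side: canonicalise the received subtree and compare digests."""
    return reference_digest(extract_payload(received_envelope)) == expected_digest


def whitespace_only_difference(a: str, b: str) -> bool:
    """Diagnostic: do two fragments agree once whitespace-only text is dropped?

    Useful to confirm that indentation is the culprit.  It is not a valid
    verification step: XML-DSig canonicalisation keeps that whitespace.
    """
    return (reference_digest(a) != reference_digest(b)
            and reference_digest(a, True) == reference_digest(b, True))


if __name__ == "__main__":
    signed = reference_digest(ARTIFACT_RESPONSE)
    print("compact wire form verifies:", verify_reference(wrap_in_soap(ARTIFACT_RESPONSE, False), signed))
    print("indented wire form verifies:", verify_reference(wrap_in_soap(ARTIFACT_RESPONSE, True), signed))
    print("difference is whitespace only:", whitespace_only_difference(
        ARTIFACT_RESPONSE, extract_payload(wrap_in_soap(ARTIFACT_RESPONSE, True))))
```

The two checks map onto the two assumptions in the post: the digest survives wrapping only when the binding layer does not re-serialise the signed subtree, and a verifier can only canonicalise what it received, so the responder has to sign the bytes it will actually put on the wire (or send them unformatted).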