saml-dev message



Subject: Re: [saml-dev] Signing a SAML ArtifactResponse after adding SOAP binding elements


On 11/5/12 2:57 PM, "Wouter van Vugt" <wouter@code-counsel.net> wrote:

>The specific issue is with the artifact resolution protocol using the
>SOAP binding. We are finding that the ArtifactResponse message that we
>receive is digitally signed
>after adding the SOAP envelope / body elements.

That's fine as long as it's a properly created signature with a reference
to the ID in the ArtifactResponse message.

> Because the document is sent over the wire in an indented format, we are
>having issues validating the signature.

That's independent of the other issue.

> We first strip off the SOAP envelope and body, and then validate the
>message.

There is no requirement that the ArtifactResponse alone is in canonical
form. In other words, if you blindly strip the surrounding elements, you
could strip out namespaces that are needed below. If you do it more
intelligently, then it's possible, but generally not a great idea.

> The XML structure has then changed because the whitespace is different
>between sender and responder.

That is again orthogonal. If the whitespace changes within the signed
content, whoever changed it has a bug.

> 
>I am asking here to validate my assumption that you should:
>- First generate a signed SAML message, then add binding specific
>elements for the binding you are using

As a general practice, yes, but as a MUST? No.

>- Prefer to send the XML over the wire in unformatted (non-indented) form
>to prevent representation issues between systems.

I would say that's a matter of preference. It's not the indenting that's a
problem, it's changing it. That's true whether you start indented or not.

> 
>I find the specification to be not exactly clear on these points,
>especially the first.

No, because it's not a requirement.

-- Scott
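Added illustration for the points in this exchange (it is not code from the thread, from OpenSAML or from any other project). It mirrors the shape of an XML-DSig reference check so the three points can be exercised on a constructed message: the digest covers the canonical form of the element that the Reference URI="#ID" points at, so the SOAP wrapper and the whitespace around the element do not matter; whitespace changed inside the element does break the signature; and cutting the ArtifactResponse out of the envelope as text can lose a namespace declaration that sits on the Envelope. Assumptions: the standard library's xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8+) stands in for exclusive C14N, an HMAC over the reference digest stands in for the asymmetric signature over ds:SignedInfo, KEY is a hypothetical shared secret, and ENVELOPE is a constructed sample. A real deployment must use a proper XML-DSig implementation.

```python
"""Illustration of reference-by-ID validation of a SAML ArtifactResponse
inside a SOAP envelope. Not project code; see the lead-in for the stand-ins.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hypothetical shared secret standing in for the signer's private key.
KEY = b"demo-key-not-for-production"

# Constructed sample message. xmlns:saml is declared on the soap:Envelope,
# not on the ArtifactResponse, which is legal XML and common in practice.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <soap:Body>
    <samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_art1" Version="2.0" IssueInstant="2012-11-05T14:57:00Z">
      <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <samlp:Response ID="_resp1" Version="2.0" IssueInstant="2012-11-05T14:57:00Z">
        <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
      </samlp:Response>
    </samlp:ArtifactResponse>
  </soap:Body>
</soap:Envelope>
"""


def find_by_id(root, elem_id):
    """Resolve a Reference URI="#elem_id" against the parsed document."""
    for el in root.iter():
        if el.get("ID") == elem_id:
            return el
    raise KeyError(elem_id)


def canonical_bytes(elem):
    """Canonical form of one subtree. The copy drops the element's tail, so
    whitespace after </ArtifactResponse> (which belongs to soap:Body) is
    not covered; everything inside the element, including its whitespace, is.
    C14N 2.0 via the stdlib stands in for the exc-c14n transform."""
    sub = copy.deepcopy(elem)
    sub.tail = None
    raw = ET.tostring(sub, encoding="unicode")
    return ET.canonicalize(raw, rewrite_prefixes=True).encode()


def reference_digest(doc, elem_id):
    """ds:DigestValue for the referenced element, computed in place."""
    root = ET.fromstring(doc)
    return hashlib.sha256(canonical_bytes(find_by_id(root, elem_id))).hexdigest()


def sign(doc, elem_id, key=KEY):
    """What the sender would carry in ds:Signature: the reference digest and
    a MAC over it (stand-in for the signature over ds:SignedInfo)."""
    digest = reference_digest(doc, elem_id)
    return digest, hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify(doc, elem_id, digest, mac, key=KEY):
    """Validate without stripping the SOAP wrapper: check the MAC over the
    digest, then recompute the digest from the element inside the envelope."""
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    return hmac.compare_digest(reference_digest(doc, elem_id), digest)


def reindent_outside(doc):
    """Re-indent only the SOAP wrapper: whitespace outside the signed element."""
    return doc.replace("<soap:Body>\n    <samlp", "<soap:Body>\n\n        <samlp")


def reindent_inside(doc):
    """Change whitespace within the signed element: the bug Scott describes."""
    return doc.replace("<samlp:Status><samlp:StatusCode",
                       "<samlp:Status>\n        <samlp:StatusCode")


def strip_envelope_naively(doc):
    """Cut the ArtifactResponse out as text and parse it on its own. The
    saml: prefix was bound on the Envelope, so the fragment is not even
    well-formed, let alone in a form whose digest matches."""
    start = doc.index("<samlp:ArtifactResponse")
    end = doc.index("</samlp:ArtifactResponse>") + len("</samlp:ArtifactResponse>")
    try:
        ET.fromstring(doc[start:end])
        return "parsed"
    except ET.ParseError as exc:
        return f"ParseError: {exc}"


if __name__ == "__main__":
    d, m = sign(ENVELOPE, "_art1")
    print("as sent:            ", verify(ENVELOPE, "_art1", d, m))
    print("wrapper re-indented:", verify(reindent_outside(ENVELOPE), "_art1", d, m))
    print("inside re-indented: ", verify(reindent_inside(ENVELOPE), "_art1", d, m))
    print("naive strip:        ", strip_envelope_naively(ENVELOPE))
```

Resolving the ID reference against the parsed document, as verify() does, is the approach the reference mechanism is designed for; a real XML-DSig library does the same and applies the exc-c14n transform named in the Reference, so the surrounding envelope and its indentation never enter the digest. Only something that rewrites bytes inside the referenced element (a re-indenting serializer between signing and transmission, or an intermediary pretty-printing the body) can break it.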
