Subject: RE: Signing a SAML ArtifactResponse after adding SOAP binding elements
From what you are saying, they are including the whitespace when they sign the assertion, but you are removing the whitespace when you strip the XML out of the SOAP message and this causes the signature to be invalid.
Whitespace is significant within XML elements. You should not be removing whitespace within the XML structure when you strip the assertion from the element.
My task is to interoperate with the Dutch identity management system DigiD and we have some issues with their SAML 2 implementation.
The specific issue is with the artifact resolution protocol using the SOAP binding. We are finding that the ArtifactResponse message that we receive is digitally signed after adding the SOAP envelope / body elements. Because the document is sent over the wire in an indented format, we are having issues validating the signature. We first strip off the SOAP envelope and body, and then validate the message. The XML structure has then changed because the whitespace is different between sender and responder.
I am asking here to validate my assumption that you should:
- First generate a signed SAML message, then add binding specific elements for the binding you are using
- Prefer to send the XML over the wire in unformatted (non-indented) form to prevent representation issues between systems.
I find the specification to be not exactly clear on these points, especially the first.
Thanks! Hope you can help!
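Added example to illustrate both the reply's point (whitespace-only text nodes inside the signed element are part of the signed data) and the two assumptions in the question (extracting the ArtifactResponse from the SOAP Body, and sending it unformatted). This is not code from the thread or from DigiD's implementation. It uses Python's built-in C14N 2.0 in place of the exclusive-C14N transform an XML-DSig signature would use, and reduces the signature to the SHA-256 reference digest a DSig Reference would carry; the SOAP and SAML namespaces are the real ones, while the envelope text, the ID value and the helper names are constructed for the demonstration.

```python
"""Constructed demonstration: whitespace inside a signed SAML element is signed data.

The "signature" is reduced to the SHA-256 reference digest that an XML-DSig
Reference carries; Python's built-in C14N 2.0 stands in for exclusive C14N.
Envelope text, ID value and function names are constructed for this example.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("samlp", SAMLP_NS)

# The signed element exactly as the sender serialised it inside the envelope:
# the indentation *inside* ArtifactResponse is part of what gets digested.
ARTIFACT_RESPONSE_INDENTED = (
    f'<samlp:ArtifactResponse xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0">\n'
    '      <samlp:Status>\n'
    '        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>\n'
    '      </samlp:Status>\n'
    '    </samlp:ArtifactResponse>'
)
# The same element with no whitespace-only text nodes at all (the "unformatted" form).
ARTIFACT_RESPONSE_COMPACT = (
    f'<samlp:ArtifactResponse xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0">'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:ArtifactResponse>'
)


def wrap_in_envelope(payload: str, indent: str) -> str:
    """Put the payload into a SOAP Body; `indent` only changes whitespace outside the payload."""
    nl = "\n" if indent else ""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">{nl}'
        f'{indent}<soap:Body>{nl}'
        f'{indent}{indent}{payload}{nl}'
        f'{indent}</soap:Body>{nl}'
        f'</soap:Envelope>'
    )


INDENTED_ENVELOPE = wrap_in_envelope(ARTIFACT_RESPONSE_INDENTED, "  ")   # as sent on the wire
REWRAPPED_ENVELOPE = wrap_in_envelope(ARTIFACT_RESPONSE_INDENTED, "\t")  # outer indentation changed
COMPACT_ENVELOPE = wrap_in_envelope(ARTIFACT_RESPONSE_COMPACT, "")       # nothing to strip


def extract_artifact_response(envelope_xml: str, strip_whitespace: bool = False) -> bytes:
    """Return the canonical bytes of the ArtifactResponse found in the SOAP Body.

    strip_whitespace=True reproduces the failing approach from the thread:
    whitespace-only text nodes inside the element are discarded on extraction.
    """
    root = ET.fromstring(envelope_xml)
    found = root.find(f"{{{SOAP_NS}}}Body/{{{SAMLP_NS}}}ArtifactResponse")
    if found is None:
        raise ValueError("SOAP Body carries no samlp:ArtifactResponse")
    elem = copy.deepcopy(found)
    elem.tail = None  # text after the element belongs to soap:Body, not to the signed subtree
    if strip_whitespace:
        for node in elem.iter():
            if node.text is not None and not node.text.strip():
                node.text = None
            if node.tail is not None and not node.tail.strip():
                node.tail = None
    # C14N keeps every remaining text node, whitespace-only ones included; it only
    # normalises attribute order, quoting, empty-element syntax and namespace declarations.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def reference_digest(envelope_xml: str) -> str:
    """Sender side: digest over the element as it sits in the envelope being sent."""
    return hashlib.sha256(extract_artifact_response(envelope_xml)).hexdigest()


def reference_matches(envelope_xml: str, expected_digest: str, strip_whitespace: bool = False) -> bool:
    """Receiver side: recompute the digest from the wire bytes and compare it."""
    actual = hashlib.sha256(extract_artifact_response(envelope_xml, strip_whitespace)).hexdigest()
    return hmac.compare_digest(actual, expected_digest)


if __name__ == "__main__":
    signed = reference_digest(INDENTED_ENVELOPE)
    print("received as-is, inner whitespace kept:", reference_matches(INDENTED_ENVELOPE, signed))
    print("outer envelope re-indented:           ", reference_matches(REWRAPPED_ENVELOPE, signed))
    print("inner whitespace stripped on receipt: ", reference_matches(INDENTED_ENVELOPE, signed, True))
    print("compact form, stripping is harmless:  ",
          reference_matches(COMPACT_ENVELOPE, reference_digest(COMPACT_ENVELOPE), True))
```

Two things the run shows: changing the indentation of the envelope and Body around the signed element leaves the digest intact, because only the ArtifactResponse subtree is canonicalised, while dropping the whitespace-only text nodes inside that subtree changes the canonical bytes and the check fails, which is the failure mode in the question. When the sender serialises the element without internal whitespace, there is nothing for a receiver to strip, so the compact wire form is immune to this class of mismatch.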