Why are you adding a <samlp:Response> element to the message? I would only expect to see this element when you're using the SAML protocol to request a SAML token from a SAML provider, and in that case, I would expect the SAML response to be returned in the Body--but you should not return your <lmco:authenticateResponse> in the same Body.

If your goal is to return a SAML authentication assertion with the <lmco:authenticateResponse>, then you should do so using a WS-Security header and a SAML token (i.e., don't use the SAML protocol).

See http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf

Alternatively, you could define your <lmco:authenticationResponse> element to contain the <samlp:Response> (assuming the application wants to manipulate the SAML assertion).

Anne

On 6/5/06, Flores, Raul <[EMAIL PROTECTED]> wrote:

I built an axis client/service which adds a SAMLResponse to an outgoing message's soap body (see below).  The wsdl for this service has no reference to the SAML part of the response.  My question is: Can I get the client to ignore the SAML in this response? Currently the client throws exceptions (deserializer trying to parse the SAML). I believe this is due to the namespaces.

Is the normal way of dealing with this a handler, and the handler removes the SAML message parts?



<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Body>
<samlp:Response InResponseTo="samlRequestId" IssueInstant="2006-06-05T15:13:09.791Z" MajorVersion="1" MinorVersion="1" ResponseID="_79bea274618ceea7c1a608606ceacd40" xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">

<samlp:Status>
<samlp:StatusCode Value="samlp:Responder"/>
<samlp:StatusMessage>you did it this time</samlp:StatusMessage>
</samlp:Status>
<saml:Assertion AssertionID="_1f5c1843b3d8c8cf1f300c35e6466a2a" IssueInstant="2006-06-05T15:13:09.791Z" Issuer="statementIssuer" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">

<saml:AuthenticationStatement AuthenticationInstant="2006-06-05T15:13:09.244Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">

<saml:Subject>
<saml:NameIdentifier NameQualifier="www.lockheed.com">uid=p0</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</samlp:Response>
<authenticateResponse xmlns="http://saml.ras.lmco.com/samlService/">
<operationStatus>
<message>allowed</message>
<methodStatus>true</methodStatus>
</operationStatus>
</authenticateResponse>
</soapenv:Body>
</soapenv:Envelope>



Thanks,

Raul Flores
Lockheed Martin Aeronautics Company
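
An added example, not part of either message and not Axis code: the restructuring suggested in the reply, where the SAML assertion travels in a WS-Security header and the Body carries only the element the WSDL describes. The helper name move_assertion_to_header is hypothetical, and the input is a trimmed, constructed copy of the posted envelope.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
# WS-Security 1.0 secext namespace, as used by the SAML token profile
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
for prefix, uri in (("soapenv", SOAP), ("saml", SAML), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)

# Constructed sample: a trimmed copy of the envelope posted in the thread.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
 <soapenv:Body>
  <samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
      ResponseID="_79bea274618ceea7c1a608606ceacd40">
   <saml:Assertion AssertionID="_1f5c1843b3d8c8cf1f300c35e6466a2a"
       Issuer="statementIssuer" MajorVersion="1" MinorVersion="1">
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
   </saml:Assertion>
  </samlp:Response>
  <authenticateResponse xmlns="http://saml.ras.lmco.com/samlService/">
   <operationStatus><message>allowed</message></operationStatus>
  </authenticateResponse>
 </soapenv:Body>
</soapenv:Envelope>"""

def move_assertion_to_header(envelope_xml):
    """Hypothetical helper: relocate saml:Assertion into wsse:Security."""
    env = ET.fromstring(envelope_xml)
    body = env.find(f"{{{SOAP}}}Body")
    response = body.find(f"{{{SAMLP}}}Response")
    if response is None:          # nothing to restructure
        return env
    body.remove(response)         # Body now holds only the WSDL-described element
    assertions = response.findall(f"{{{SAML}}}Assertion")
    if assertions:
        header = env.find(f"{{{SOAP}}}Header")
        if header is None:        # SOAP puts Header before Body
            header = ET.Element(f"{{{SOAP}}}Header")
            env.insert(0, header)
        security = header.find(f"{{{WSSE}}}Security")
        if security is None:
            security = ET.SubElement(header, f"{{{WSSE}}}Security")
        security.extend(assertions)
    return env

if __name__ == "__main__":
    print(ET.tostring(move_assertion_to_header(SAMPLE), encoding="unicode"))
```

The sample assertion is unsigned, so re-serialising it is harmless; a signed assertion must be moved without altering its canonical form, which ElementTree re-serialisation does not guarantee.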


