Hi Nadeesha,

The specification[1] mentions the <Issuer> element as optional. Please refer
to section "3.2.2 Complex Type StatusResponseType" in the specification.
There is also a sample SAML Response in section "5.4.6 Example" of the
spec for quick reference.

This issuer element defines who issued the SAML Assertion and, in the SAML
Response, who issued the SAML Response. Hence there is the possibility for
one party to issue the SAML assertion and another party to issue the SAML
Response, separately signing each element.

[1] - https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Thanks,
Pushpalanka.
-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
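The point above (an Issuer on both the Response and the Assertion, each carrying its own enveloped Signature) is easy to check structurally before handing the XML to an XML-DSig library. The following is an added example, not code from this thread or from WSO2: it parses a constructed SAML Response, confirms that the Response and every Assertion name the expected issuer, and confirms that each enveloped ds:Signature's Reference URI points at the ID of the element that encloses it. It does not verify the signature values themselves; the sample XML and the hypothetical issuer name are constructed.

```python
# Added example (not from the thread): structural checks on a SAML 2.0 Response
# that carries an <Issuer> and an enveloped <ds:Signature> on both the Response
# and the Assertion, as the spec allows. No cryptographic verification is done;
# it only pins what a relying party should check before calling a real DSig
# library. The sample document below is constructed for this example.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: Issuer and enveloped Signature on Response and Assertion.
SAMPLE_RESPONSE = f"""
<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
                ID="_resp1" Version="2.0">
  <saml:Issuer>mgt.is.wso2.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_asrt1" Version="2.0">
    <saml:Issuer>mgt.is.wso2.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_asrt1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

def issuer_of(elem):
    """Text of the direct-child <saml:Issuer>, or None if the element has none."""
    iss = elem.find(f"{{{SAML}}}Issuer")
    return iss.text.strip() if iss is not None and iss.text else None

def signature_binds_to(elem):
    """True if elem carries an enveloped ds:Signature whose Reference URI is
    exactly '#' + elem's own ID, i.e. the signature claims to cover elem itself
    and not some other element with a different ID."""
    ref = elem.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return ref is not None and ref.get("URI") == "#" + elem.get("ID", "")

def check_response(xml_text, expected_issuer):
    """Return structural findings for the Response and its direct Assertions."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    return {
        "response_issuer_ok": issuer_of(root) == expected_issuer,
        "response_signed": signature_binds_to(root),
        "assertion_count": len(assertions),
        "assertions_ok": all(issuer_of(a) == expected_issuer
                             and signature_binds_to(a) for a in assertions),
    }

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "mgt.is.wso2.com"))
```

A Reference URI that names an ID other than the enclosing element's is the first thing to flag, since it means the signature does not vouch for the element you are about to trust.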


On Fri, Oct 2, 2015 at 10:36 AM, Nadeesha Meegoda <[email protected]>
wrote:

> Hi Danushka,
>
> Thanks for the response! I tested this without enabling the response
> signing and assertion signing, but still the saml2:Issuer is duplicated in
> both response and assertion. As per my reading on the saml spec in [1] the
> Response doesn't contain an issuer, only the assertion contains the issuer
> element which is noted in 3.4 Responses section. Please correct me if I'm
> wrong.
>
> Full Response is attached for the above scenario mentioned (without
> enabling the response signing and assertion signing).
>
> [1] - http://saml.xml.org/saml-specifications
>
> Thanks!
>
> On Thu, Oct 1, 2015 at 8:33 PM, Danushka Fernando <[email protected]>
> wrote:
>
>> Hi Nadeesha
>> The duplicate entry you mean is under the SAML assertion. A SAML
>> response object contains a SAML assertion, and when you sign both response
>> and assertion this entry is included in both objects. For more details you
>> can refer to the SAML spec. [1]
>>
>> [1] http://saml.xml.org/saml-specifications
>>
>> Thanks & Regards
>> Danushka Fernando
>> Senior Software Engineer
>> WSO2 inc. http://wso2.com/
>> Mobile : +94716332729
>>
>>
>> On Oct 1, 2015 7:10 PM, "Nadeesha Meegoda" <[email protected]> wrote:
>>
>>> Hi IS team,
>>>
>>> I am testing SAML SSO with travelocity app and when I signed in to the
>>> app I noticed in the SAML authentication response getting duplicate entries
>>> for saml2:Issuer, ds:Signature, ds:X509Certificate etc with the same
>>> response data. Is there a special reason these are duplicated? Just need to
>>> clarify!
>>>
>>> Noted below is the section that is duplicated in the response:
>>>
>>> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>>               xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">mgt.is.wso2.com</saml2:Issuer>
>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>     <ds:SignedInfo>
>>>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>         <ds:Reference URI="#bnlofhdfbehmnhiajimjohbkhepimciajocfmdkl">
>>>             <ds:Transforms>
>>>                 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>             </ds:Transforms>
>>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>             <ds:DigestValue>fiOel63mdz3HsEz2JrSbUgBvYDw=</ds:DigestValue>
>>>         </ds:Reference>
>>>     </ds:SignedInfo>
>>>     <ds:SignatureValue>VgbMj1PIjJ0JFdyJ9AKaLkBnj7OD/prQahVU5WgdK9PAMvMedKt42pna+A5YznK0zLrzPKHAP/5VD6qHVPtF5LsYqJNEC4OTR1Mo2nzv34nOQxZZ95uxKBoxD/eVzgrqNBIzAecgSXvvYBj1ZlmjbJQoOuVxgdFOhOkz8S3bO+Q=</ds:SignatureValue>
>>>     <ds:KeyInfo>
>>>         <ds:X509Data>
>>>             <ds:X509Certificate>[certificate value omitted]</ds:X509Certificate>
>>>         </ds:X509Data>
>>>     </ds:KeyInfo>
>>> </ds:Signature>
>>>
>>> Full Response is attached with the mail.
>>>
>>> Highly appreciate an explanation on this!
>>>
>>>
>>> Thanks
>>>
>>> --
>>> *Nadeesha Meegoda*
>>> Software Engineer - QA
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>> email : [email protected]
>>> mobile: +94783639540
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>
>
>
>