changing OpenSAML namespace prefix


Jeff Ott

Mar 28, 2012, 8:27:47 PM
to d...@shibboleth.net, Jeff Ott
I am using Java OpenSAML 2.5.2 to generate a SAML response, and I'm
getting a Response prefix of saml1p (and the Assertion and enclosing
sections have a saml1 prefix). I'm hoping to change both the saml1p and
saml1 prefixes to be samlp, since a vendor I'm working with believes
their server might not be accepting the saml1p/saml1 combination for
some reason. This is some of the (hopefully relevant) code:

import java.security.NoSuchAlgorithmException;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Response;
import org.opensaml.saml1.core.impl.ResponseBuilder;
import org.opensaml.saml1.core.impl.ResponseMarshaller;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.w3c.dom.Element;

public class SamlBuilder {

    private static XMLObjectBuilderFactory builderFactory;
    private static SecureRandomIdentifierGenerator generator;

    static {
        try {
            // Load the default OpenSAML configuration before any builder is used
            DefaultBootstrap.bootstrap();
            builderFactory = Configuration.getBuilderFactory();
            generator = new SecureRandomIdentifierGenerator();

        } catch (ConfigurationException e) {
            new AccountUtilsLogger().error("unexpected exception", e);

        } catch (NoSuchAlgorithmException e) {
            new AccountUtilsLogger().error("unexpected exception", e);
        }
    }

    public String buildSaml() {
        // The no-arg buildObject() uses the default element QName, including its prefix
        ResponseBuilder responseBuilder = (ResponseBuilder)
                builderFactory.getBuilder(Response.DEFAULT_ELEMENT_NAME);
        Response authResponse = responseBuilder.buildObject();
        ...
        SAMLObjectBuilder<?> assertionBuilder = (SAMLObjectBuilder<?>)
                builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
        Assertion assertion = (Assertion) assertionBuilder.buildObject();
        ...
        authResponse.getAssertions().add(assertion);
        ...
        Element element = new ResponseMarshaller().marshall(authResponse);
        ...
    }
}

and the resulting Response looks something like this:

<?xml version="1.0" encoding="UTF-8"?><saml1p:Response
xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2012-03-28T22:15:25.367Z" MajorVersion="1"
MinorVersion="1"
ResponseID="_c8891aaad0161d2f9e021f094e65267a"><saml1p:Status><saml1p:StatusCode
Value="saml1p:Success"/></saml1p:Status><saml1:Assertion
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_e1b3737432f1a639d908f24524c76d90"
IssueInstant="2012-03-28T22:15:25.367Z"
Issuer="https://www.purdue.edu/apps/account" MajorVersion="1"
MinorVersion="0"><saml1:Conditions NotBefore="2012-03-28T22:15:23.367Z"
NotOnOrAfter="2012-03-28T22:15:28.367Z"/><saml1:AuthenticationStatement
AuthenticationInstant="2012-03-28T22:15:25.367Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml1:Subject><saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">som...@purdue.edu</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement/></saml1:Assertion></saml1p:Response>

I am hoping someone can point me in the right direction for what code
changes to make, I'm not succeeding at figuring it out so far. I
appreciate the efforts of those who have developed and supported the
OpenSAML library, thanks for those efforts, and for your time in reading
this!

Jeff

Chad La Joie

Mar 28, 2012, 8:30:36 PM
to Shib Dev
Well, if they don't support XML (which is what they're saying), then
good luck with whatever comes next.

But yes, you can change the prefix, just use the builder method that
takes the full element QName instead of relying on the default, no-arg
method.

Jeff Ott

Mar 29, 2012, 11:06:47 AM
to Shib Dev, Chad La Joie, Jeff Ott
On 03/28/2012 08:30 PM, Chad La Joie wrote:
> Well, if they don't support XML (which is what they're saying), then
> good luck with whatever comes next.

Thanks, I need it :-)


> But yes, you can change the prefix, just use the builder method that
> takes the full element QName instead of relying on the default, no-arg
> method.

Thanks a million, that worked great!

Here's what I did, in case it is helpful to anyone else on the list:

// Requires: javax.xml.namespace.QName, org.opensaml.common.xml.SAMLConstants
String responsePrefix = "samlp";
String assertionPrefix = "saml";

// Same namespace URI and local name as the default, with an explicit prefix
QName responseQName = new QName(SAMLConstants.SAML10P_NS,
        Response.DEFAULT_ELEMENT_LOCAL_NAME, responsePrefix);
ResponseBuilder responseBuilder = (ResponseBuilder)
        builderFactory.getBuilder(responseQName);
Response authResponse = responseBuilder.buildObject(responseQName);

QName assertionQName = new QName(SAMLConstants.SAML1_NS,
        Assertion.DEFAULT_ELEMENT_LOCAL_NAME, assertionPrefix);
SAMLObjectBuilder<?> assertionBuilder = (SAMLObjectBuilder<?>)
        builderFactory.getBuilder(assertionQName);
Assertion assertion = (Assertion)
        assertionBuilder.buildObject(assertionQName);

The only other snag I had was that StatusCode.SUCCESS hardcoded its own
prefix, but that was easy enough to get around, I just used new
QName(SAMLConstants.SAML10P_NS, "Success", responsePrefix) instead.

Thanks again Chad, the Java OpenSAML library is well engineered code,
and I certainly appreciate that when I'm reading it to figure out how to
use it.

Jeff
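
An added example (not from the thread and not OpenSAML code) of the consumer-side check that makes the prefix irrelevant: parse namespace-aware, match elements on namespace URI plus local name, and resolve the QName inside the StatusCode Value attribute against the in-scope bindings. The class, the helper names and the sample documents are constructed for illustration; only JDK XML APIs are used. The first two samples differ only in prefix and are accepted, while the third carries the text "samlp:Success" with samlp bound to another namespace and is rejected.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class PrefixIndependentStatusCheck {
    static final String SAML10P_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
    static final QName SUCCESS = new QName(SAML10P_NS, "Success");

    // Resolve a QName carried in attribute content (e.g. "samlp:Success")
    // using the namespace bindings in scope on the owning element.
    static QName resolve(Element owner, String value) {
        int colon = value.indexOf(':');
        String prefix = colon < 0 ? null : value.substring(0, colon);
        return new QName(owner.lookupNamespaceURI(prefix), value.substring(colon + 1));
    }

    // True only for a SAML 1.x Response whose StatusCode is the protocol's Success QName.
    static boolean isSuccess(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // match on namespace URI + local name, never on prefix
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        if (!SAML10P_NS.equals(root.getNamespaceURI()) || !"Response".equals(root.getLocalName())) {
            return false;
        }
        Element code = (Element) root.getElementsByTagNameNS(SAML10P_NS, "StatusCode").item(0);
        // QName.equals compares namespace URI and local part only; the prefix is ignored.
        return code != null && SUCCESS.equals(resolve(code, code.getAttribute("Value")));
    }

    // Constructed sample: elements use prefix p; the Value attribute uses prefix vp,
    // which is bound to valueNs on the StatusCode element itself.
    static String sample(String p, String vp, String valueNs) {
        return "<" + p + ":Response xmlns:" + p + "=\"" + SAML10P_NS + "\">"
             + "<" + p + ":Status><" + p + ":StatusCode xmlns:" + vp + "=\"" + valueNs + "\""
             + " Value=\"" + vp + ":Success\"/></" + p + ":Status>"
             + "</" + p + ":Response>";
    }

    public static void main(String[] args) throws Exception {
        System.out.println(isSuccess(sample("saml1p", "saml1p", SAML10P_NS)));
        System.out.println(isSuccess(sample("samlp", "samlp", SAML10P_NS)));
        System.out.println(isSuccess(sample("saml1p", "samlp", "urn:example:other")));
    }
}
```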

Chad La Joie

Mar 29, 2012, 11:16:00 AM
to Shib Dev
Thanks Jeff,

As a general rule of thumb, you should be able to override any defaults
fairly easily. In places where you can't do it easily it's probably
that way intentionally to keep people from doing something that would be
bad.

That said, I'm sure there are probably places in the code where one or
both of the above statements aren't true.
