<samlp:Response> or <saml2p:Response> in the SAML response

John Dennis jdennis at redhat.com
Tue May 2 14:30:16 EDT 2017

On 05/02/2017 12:52 PM, JohnWang wrote:
> Our Shibboleth IDP uses <saml2p:Response> in the SAML response. But, the SAML
> SP of our partner expects <samlp:Response> in the SAML response. Here are my
> questions.
> 1. Is it possible to configure Shibboleth IDP to reply to a specific
> EntityID with  <samlp:Response> in the SAML response instead of
> <saml2p:Response>?
> 2. If an answer of the question 1 is yes, how to do it?
> 3. If an answer of the question 1 is no, is it possible to configure SAML SP
> to accept <saml2p:Response> in the SAML response?
> 4. If an answer of the question 3 is no, is there other way to go around the
> problem?

The issue of <saml2p:Response> vs. <samlp:Response> is one of XML 
namespaces. The prefix on an XML tag (entity), in other words the part 
that begins with some name and ends in a colon (e.g. saml2p: or samlp:) 
is an XML namespace qualifier. It says find the name following the 
namespace prefix in that namespace. Namespaces *must* be defined in the 
XML entity enclosing the use of that namespace. For example:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

The xmlns is a namespace declaration. So either the namespace isn't 
being properly defined or whoever is parsing the XML isn't processing 
the namespace declaration and just assumes it's going to be something 
without properly parsing the XML.

This issue is solely an XML issue. It does not have anything to do 
directly with SAML.


More information about the users mailing list