<samlp:Response> or <saml2p:Response> in the SAML response
John Dennis
jdennis at redhat.com
Tue May 2 14:30:16 EDT 2017
On 05/02/2017 12:52 PM, JohnWang wrote:
> Our Shibboleth IDP uses <saml2p:Response> in the SAML response. But, the SAML
> SP of our partner expects <samlp:Response> in the SAML response. Here are my
> questions.
> 1. Is it possible to configure Shibboleth IDP to reply to a specific
> EntityID with <samlp:Response> in the SAML response instead of
> <saml2p:Response>?
> 2. If the answer to question 1 is yes, how is it done?
> 3. If the answer to question 1 is no, is it possible to configure the SAML SP
> to accept <saml2p:Response> in the SAML response?
> 4. If the answer to question 3 is no, is there another way to get around the
> problem?
The issue of <saml2p:Response> vs. <samlp:Response> is one of XML
namespaces. The prefix on an XML tag (entity), in other words the part
that begins with some name and ends in a colon (e.g. saml2p: or samlp:)
is an XML namespace qualifier. It says find the name following the
namespace prefix in that namespace. Namespaces *must* be defined in the
XML entity enclosing the use of that namespace. For example:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

The xmlns is a namespace declaration. So either the namespace isn't
being properly defined or whoever is parsing the XML isn't processing
the namespace declaration and just assumes it's going to be something
without properly parsing the XML.
This issue is solely an XML issue. It does not have anything to do
directly with SAML.
--
John
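
The namespace point made in the reply above, as an added example that is not part of the original message: a prefix-matching check and a namespace-aware check run over the same Response element written with different prefixes. The sample documents, the `urn:example:not-saml` URI and the function names are constructed for illustration; parsing uses Python's standard `xml.etree.ElementTree`.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 protocol namespace URI, as quoted in the message above.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample documents (not captured from a real IdP or SP).
SAMPLES = {
    "samlp prefix": f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_a1" Version="2.0"/>',
    "saml2p prefix": f'<saml2p:Response xmlns:saml2p="{SAMLP_NS}" ID="_a1" Version="2.0"/>',
    "default namespace": f'<Response xmlns="{SAMLP_NS}" ID="_a1" Version="2.0"/>',
    # Prefix looks familiar but is bound to a different (constructed) URI.
    "samlp prefix, other URI": '<samlp:Response xmlns:samlp="urn:example:not-saml" ID="_a1"/>',
    # Prefix used without any xmlns declaration.
    "undeclared prefix": '<samlp:Response ID="_a1" Version="2.0"/>',
}


def is_response_by_prefix(xml_text):
    """Brittle check: looks at the literal prefix, ignores the declaration."""
    return xml_text.lstrip().startswith("<samlp:Response")


def is_response_by_namespace(xml_text):
    """Namespace-aware check: compares the expanded name {uri}localname."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # An undeclared prefix is rejected by the parser ("unbound prefix").
        return False
    return root.tag == f"{{{SAMLP_NS}}}Response"


def compare(samples=SAMPLES):
    """Return {sample name: (prefix check result, namespace check result)}."""
    return {
        name: (is_response_by_prefix(doc), is_response_by_namespace(doc))
        for name, doc in samples.items()
    }


if __name__ == "__main__":
    for name, (by_prefix, by_ns) in compare().items():
        print(f"{name:26} prefix-match={by_prefix!s:5} namespace-match={by_ns}")
```

The prefix check rejects the valid `saml2p:` and default-namespace forms and accepts the element bound to the wrong URI; the namespace check gets all five cases right.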