Friday, June 15, 2007

Interop (OpenSaml and PHP Infocard)

What I've had to do so far to get the PHP RP to accept an OpenSAML-created assertion:

1) Force namespace prefixes for all SAML elements. The default xmlns values are eventually processed by the PHP code, though are pushed to the end of the element (breaking c14n)
2) Turn off the inclusive namespace prefix directives
3) Disable all unused namespace declarations. Saml, Samlp, xsd, xsi, and a few others are declared within OpenSAML objects (presumably for flexibility)
4) Change the xmlsec encoding of the certificate, which pretty-prints the base64 certificate with various unneeded (but not egregious) whitespace
5) ... Eh, I started blogging too late to catch everything. 1-4 are the major changes.

It finally works though. These are all bugs with the PHP code so far as I can tell. Why change the IDP code then? Because it's pretty clear from the few RPs out there that Kim's code has made an impact and is used in many projects. The RP accepts some SAML, and ultimately interoperability comes first.

Hopefully he'll take it under advisement for the next revision.

No comments: