Update XML Security to work with PingFederate

[HHRy]

• Use XPATH rather than elements to find the signature
• Deal with where ampersands aren't escaped correctly

Hasn't materially changed behaviour and existing tests all pass.

[christianbpedersen]

Hi!

Where is the & not escaped? In the assertion from PingFederate? Could you post the part of the assertion showing the issue?

Thank you

[HHRy]

Just did a bit more digging into this:

The ampersands are being correctly escaped by PingFederate; but the XML Canonicalizer is what's unescaping them - see the assertion snippets below:

The hashed element before being canonicalized:

<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="lNCXZhIUOUXOEsUGrIYNlSKBOQ_" IssueInstant="2011-12-09T10:09:54.039Z" Version="2.0">
    <saml:Issuer>PF-DEMO</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2011-12-09T10:14:54.039Z" Recipient="http://test.smackaho.st:3000/auth/saml/callback"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-12-09T10:04:54.039Z" NotOnOrAfter="2011-12-09T10:14:54.039Z">
        <saml:AudienceRestriction>
            <saml:Audience>test</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-12-09T10:09:54.039Z" SessionIndex="lNCXZhIUOUXOEsUGrIYNlSKBOQ_">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml:Attribute Name="companyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">B &amp; G</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>

And Afterwards:

<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="lNCXZhIUOUXOEsUGrIYNlSKBOQ_" IssueInstant="2011-12-09T10:09:54.039Z" Version="2.0">
    <saml:Issuer>PF-DEMO</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2011-12-09T10:14:54.039Z" Recipient="http://test.smackaho.st:3000/auth/saml/callback"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-12-09T10:04:54.039Z" NotOnOrAfter="2011-12-09T10:14:54.039Z">
        <saml:AudienceRestriction>
            <saml:Audience>fac</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-12-09T10:09:54.039Z" SessionIndex="lNCXZhIUOUXOEsUGrIYNlSKBOQ_">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="companyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">B & G</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>

In the case of ampersands being present in attribute values, the canonicalized XML is invalid!