
Exclusive XML Canonicalization 1.0 is not supported #14

Closed
pederbl opened this issue Jul 1, 2011 · 6 comments

Comments

@pederbl

pederbl commented Jul 1, 2011

Exclusive XML Canonicalization 1.0 (exc_c14n) is not supported. See: http://www.w3.org/TR/xml-exc-c14n/

Unfortunately, I have not found any Ruby library that supports Exclusive XML Canonicalization. However, the libxml2 package does have some (not very well documented) support for exc_c14n. Unfortunately (again), libxml2-ruby doesn't expose exc_c14n in its canonicalize method.

As a first step I would prefer that an exception is raised (instead of the current silent ignore) for Assertions that include InclusiveNamespaces with PrefixList.

The best solution might be to add exc_c14n to libxml2-ruby and then switch to using libxml2-ruby instead of canonix.

@pederbl
Author

pederbl commented Jul 1, 2011

All of the standard Java SAML solutions that I have seen do support exc_c14n, so it seems it may be widely used in SAML. E.g. the IdP that I use does canonicalize its XML with exc_c14n. So it would be really great if this support is added.

@pederbl
Author

pederbl commented Jul 2, 2011

I think ruby-saml should be made dependent on a Ruby library that has C extensions to xmlsec (http://www.aleksey.com/xmlsec/) instead of trying to fully implement the relevant parts of the XML Security specification. That would enable you to fully support XML Security with much less effort and fewer bugs. Unfortunately, there is no supported xmlsec library for Ruby. But I think you could create that library and build partial support (initially with just one function: verify_xml), and end up saving a lot of effort.

Canonix doesn't support Exclusive XML Canonicalization 1.0 which is a standard algo for XML Security and thus SAML.

@stevenwilkin
Contributor

I've just modified ruby-saml to use xmlsec:

https://github.com/stevenwilkin/ruby-saml/tree/xmlsec

I've been working against an ADFS 2.0 identity provider and ruby-saml was falling over when verifying the response signatures.

A potential drawback to using xmlsec is that it requires a full certificate, not a fingerprint.

@curious-attempt-bunny
Contributor

Salesforce as an IdP use exc_c14n:

<ds:Transforms xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:Transform xmlns:ds='http://www.w3.org/2000/09/xmldsig#' Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
<ds:Transform xmlns:ds='http://www.w3.org/2000/09/xmldsig#' Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'><ec:InclusiveNamespaces xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#' PrefixList='ds saml samlp xs'/></ds:Transform>
</ds:Transforms>

stevenwilkin's fork is well over a year old. Does anyone else have exc_c14n working?

@curious-attempt-bunny
Contributor

FYI Nokogiri appears to have support for the exc-c14n transform:

sparklemotion/nokogiri#563

See XML::Node#canonicalize. http://nokogiri.org/Nokogiri/XML/Node.html#method-i-canonicalize

@stouset
Contributor

stouset commented Nov 15, 2012

Canonicalization has been fixed in recent versions of ruby-saml. If you believe this issue persists, please explain further and reopen this issue. Thanks!

@stouset stouset closed this as completed Nov 15, 2012