Long time, no post...

15 June 2007

Just throwing out notes before I forget.

Kim's PHP Infocard implementation appears to have a problem with its canonicalization routine. To demonstrate, let's look at this example assertion element:

<assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" assertionid="uuid-1B045A32-5024-B4EB-93AE-0D718C87BC0D" issueinstant="2007-06-15T22:35:05.993Z" issuer="https://xxx" majorversion="1" minorversion="1">...

Which, in this case, ends up being the spec compliant. The PHP code incorrectly forms:

<assertion assertionid="uuid-1B045A32-5024-B4EB-93AE-0D718C87BC0D" issueinstant="2007-06-15T22:35:05.993Z" issuer="https://xxx" majorversion="1" minorversion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">

This places the namespace after the attributes, which violates the spec. There are a couple of other little quirks I'm hitting which I'll post as I find them.

Related Posts

• 28 Jul 2015 » Hiding Secrets in Android Apps
• 16 Jul 2015 » This is an intervention. Stop storing secrets in your apps.
• 13 Jul 2015 » Configuring CouchDB-Lucene with Tomcat