Hi, Guys,

I have a fight with F5 on SAML authentication, and I have narrowed it down to XML canonicalization. Please check the link for the data:

http://nano-art.blogspot.co.uk/2013/05/saml-authentication-on-f5-big-ip-part-3.html

Now I got their response, which put me in the dark, as I have no knowledge of C14N. Do you admit Apache Santuario was wrong on XML canonicalization?

Many thanks,
Mike Ma

"
After analyzing the data, PD has determined that APM is using "exclusive canonicalization" and Apache Santuario just "canonicalization".

F5 is doing exclusive canonicalization, which is right, and Apache Santuario is doing just canonicalization even though it says it is doing exclusive canonicalization from the Assertion content.

From: http://www.w3.org/TR/xml-exc-c14n/
namespace nodes that are not on the InclusiveNamespaces PrefixList are expressed only in start tags where they are visible and if they are not in effect from an output ancestor of that tag.

From: http://www.w3.org/Signature/2002/02/01-exc-c14n-interop.html
The first occurrence of a namespace node occurs on element nodes where it is actually utilized.

In the case of F5:
the namespace declaration for "xmlns:ds" is added for the Signature element and that is where it is used first.
the namespace declaration for 'xmlns:saml' is added to the 'Assertion' element and that is where it is used first.
"
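
Added example, not part of the original post and not code from F5 or Apache Santuario: a simplified model of the namespace-rendering rule quoted above, showing which `xmlns:*` declarations land in each canonical start tag when an Assertion subtree is canonicalized with inclusive versus exclusive C14N. The sample document and all function names are constructed for illustration. The model assumes prefixed names only (no default namespace), an empty InclusiveNamespaces PrefixList, and no enveloped-signature transform.

```python
import xml.dom.minidom as minidom

# Constructed sample: every prefix is declared on the outer Response element.
SAMPLE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
    ' xmlns:xs="http://www.w3.org/2001/XMLSchema">'
    '<saml:Assertion ID="_a1"><saml:Issuer>idp</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo/></ds:Signature>'
    '</saml:Assertion></samlp:Response>'
)

def attr_names(el):
    return [(el.attributes.item(i).name, el.attributes.item(i).value)
            for i in range(el.attributes.length)]

def declared(el):
    """Prefix -> URI for xmlns:* declarations written on el itself."""
    return {n[6:]: v for n, v in attr_names(el) if n.startswith("xmlns:")}

def used(el):
    """Prefixes visibly utilized by el: its own tag and its attributes."""
    names = [el.tagName] + [n for n, _ in attr_names(el) if not n.startswith("xmlns")]
    return {n.split(":")[0] for n in names if ":" in n}

def ns_output(apex, exclusive):
    """List (tag, prefixes declared in its canonical start tag) for apex's subtree."""
    scope, node = {}, apex.parentNode
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        scope = {**declared(node), **scope}   # nearer ancestors win
        node = node.parentNode
    result = []
    def walk(el, scope, rendered):
        scope = {**scope, **declared(el)}
        # Exclusive: only prefixes the element uses. Inclusive: everything in scope.
        want = {p: scope[p] for p in used(el) if p in scope} if exclusive else scope
        # Skip anything an output ancestor already rendered with the same URI.
        emit = {p: u for p, u in want.items() if rendered.get(p) != u}
        result.append((el.tagName, sorted(emit)))
        for child in el.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child, scope, {**rendered, **emit})
    walk(apex, scope, {})
    return result

APEX = minidom.parseString(SAMPLE).getElementsByTagName("saml:Assertion")[0]
for mode in (False, True):
    print("exclusive" if mode else "inclusive", ns_output(APEX, mode))
```

Because the two modes produce different start tags for the same Assertion, the digest computed over the canonical bytes differs, which is why a signer and a verifier that disagree on the algorithm fail signature validation.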