IBM Verify

  • 1.  Federation - Customizing xml namespace of the AuthnRequest generated by ISAM when using SAML Extensions

    Posted Fri March 22, 2019 11:55 AM
    Hi everybody,

    We are running into a specific issue related to the SAML Extensions recently implemented in ISAM 9.0.6.

    In order to implement PSD2 requirements on our web banking application, we need to customize the SAML requests that are sent to our Identity Provider partner with those SAML Extensions, via mapping rules.

    On that side, everything works as intended: we are able to add the extensions that are expected by our partner for contextualizing the strong authentication.


    Unfortunately, on our partner's side they are running into XML parsing errors because an XML namespace is missing from the AuthnRequest.

    Here is the start of the AuthnRequest tag generated by ISAM, where we can see the standard SAML namespaces:

    <samlp:AuthnRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

    We would need to add the following XML namespace to comply with the XML parser of our IdP partner:

    xmlns:luxtrust="urn:lu:luxtrust:names:tc:SAML:2.0:assertion"


    I haven't found any way to do this on ISAM unfortunately, and I am afraid that it isn't possible at all at the moment.
    Does anyone have any idea how it would be possible to add that specific namespace?


    This issue is absolutely critical from a business point of view because PSD2 requirements are mandatory per European banking regulations, and we need to know if we will be able to finish implementing them using ISAM before the legal deadline, which is only a few months away.

    We are also working with our IdP partner so that they can check whether it would be acceptable to make the XML parser more relaxed, but I'm afraid that from their point of view it will be a no-no, as it could impact dozens of integrations with other service providers.

    Thanks for any feedback that could lead to a solution or a workaround to this issue.

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Federation - Customizing xml namespace of the AuthnRequest generated by ISAM when using SAML Extensions

    Posted Fri March 22, 2019 12:07 PM
    Hi Andre,

    I'm intrigued to know where that namespace appears within the assertion that you are sending. Is it associated with a custom attribute value?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Federation - Customizing xml namespace of the AuthnRequest generated by ISAM when using SAML Extensions

    Posted Fri March 22, 2019 12:13 PM
    Hi Jon,

    thanks for your quick reply.

    This is what we create as a custom attribute in the SAML extensions:

    <samlp:Extensions>
    <luxtrust:Challenge>PENoYWxsZW5nZVN0cnVjdHVyZT48VHlwZT5WQVNDTzwvVHlwZT48VmVyc2lvbj4xLjA8L1ZlcnNpb24+PFRpdGxlPkFVVEhFTlRJQ0FUSU9OPC9UaXRsZT48T3BlcmF0aW9uPkFVVEg8L09wZXJhdGlvbj48S2V5VmFsdWVzPjxLZXlWYWx1ZT48S2V5Pk5PTTwvS2V5PjxWYWx1ZSBjb2xvcj0iZGVmYXVsdCI+Qk9CIExFIEJSSUNPTEVVUjwvVmFsdWU+PC9LZXlWYWx1ZT48L0tleVZhbHVlcz48L0NoYWxsZW5nZVN0cnVjdHVyZT4=</luxtrust:Challenge>
    </samlp:Extensions>


    We tried replacing "luxtrust" with "saml" (which is a declared namespace), but their strict XML parser still refuses it, as it doesn't match the expected element type.

    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: Federation - Customizing xml namespace of the AuthnRequest generated by ISAM when using SAML Extensions

    Posted Fri March 22, 2019 12:19 PM
    I don't remember exactly how the extension is coded, but could you add the namespace definition to the element tag in the extension? Or could you fully qualify the name in the tag name?

    Either of the above should satisfy the parser, I think.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: Federation - Customizing xml namespace of the AuthnRequest generated by ISAM when using SAML Extensions

    Posted Fri March 22, 2019 12:26 PM
    Jon,

    We just tested that solution a few minutes ago, and I can confirm that it works!
    We just had to add the attribute on the custom node:
    .setAttribute("xmlns:luxtrust","urn:lu:luxtrust:names:tc:SAML:2.0:assertion");

    And the way the extension was developed by you guys makes the final AuthnRequest XML totally clean, by putting all namespace declarations at the top:
    <samlp:AuthnRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:luxtrust="urn:lu:luxtrust:names:tc:SAML:2.0:assertion"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

    This is really great news! For a few hours I was afraid that we were definitely stuck, but now I can finally leave for my weekend with my mind at ease :)

    Thanks for your support Jon!

    ------------------------------
    André Leruitte
    ------------------------------
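The three situations discussed in this thread (an unbound "luxtrust:" prefix rejected by a namespace-aware parser, the "saml:" prefix accepted by the parser but rejected as the wrong element type, and the fix of binding the prefix with setAttribute("xmlns:luxtrust", ...) on the custom node) can be reproduced offline. The following is an added example and is not code from the thread or from ISAM: it uses Python's DOM API, which mirrors the Java DOM setAttribute() call the mapping rule makes, and a namespace-aware parser standing in for the partner's strict one. The element names and namespace URIs are the ones quoted in the thread; the ID attribute and the base64 payload are constructed placeholders.

```python
"""Added example, not from the thread or from ISAM: show why an XML prefix
used in <samlp:Extensions> must be bound to a namespace URI, and that
binding it on the custom node itself is enough for a strict parser."""
import xml.dom.minidom
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
LUXTRUST_NS = "urn:lu:luxtrust:names:tc:SAML:2.0:assertion"

# Qualified name a namespace-aware consumer expects for the extension element.
EXPECTED_CHALLENGE_TAG = "{%s}Challenge" % LUXTRUST_NS

# Constructed placeholder; the real value is a base64-encoded challenge structure.
CHALLENGE_B64 = "UExBQ0VIT0xERVI="


def build_authn_request(declare_prefix_ns: bool, prefix: str = "luxtrust") -> str:
    """Build a minimal AuthnRequest whose <samlp:Extensions> carries a
    <prefix:Challenge> element. With declare_prefix_ns=False the prefix is
    emitted without an xmlns binding, which is what the original mapping
    rule produced; with True the binding is added on the custom node, the
    fix confirmed in the thread."""
    doc = xml.dom.minidom.Document()
    req = doc.createElementNS(SAMLP_NS, "samlp:AuthnRequest")
    # minidom does not emit xmlns declarations by itself, so declare the
    # standard prefixes explicitly, as they appear in the ISAM output.
    req.setAttribute("xmlns:samlp", SAMLP_NS)
    req.setAttribute("xmlns:saml", SAML_NS)
    req.setAttribute("ID", "_example-id")  # constructed placeholder
    doc.appendChild(req)

    ext = doc.createElementNS(SAMLP_NS, "samlp:Extensions")
    req.appendChild(ext)

    # The custom node added by the mapping rule.
    challenge = doc.createElement(prefix + ":Challenge")
    if declare_prefix_ns:
        # Same call as in the thread: bind the prefix on the node itself.
        challenge.setAttribute("xmlns:" + prefix, LUXTRUST_NS)
    challenge.appendChild(doc.createTextNode(CHALLENGE_B64))
    ext.appendChild(challenge)
    return doc.toxml()


def extension_tags(xml_text: str) -> list:
    """Namespace-aware parse, like the partner's strict parser. Returns the
    qualified names of the children of <samlp:Extensions>; raises
    ET.ParseError on an unbound prefix."""
    root = ET.fromstring(xml_text)
    ext = root.find("{%s}Extensions" % SAMLP_NS)
    return [child.tag for child in ext]


def check_request(declare_prefix_ns: bool, prefix: str = "luxtrust") -> str:
    """Classify the outcome the way the IdP side would see it."""
    try:
        tags = extension_tags(build_authn_request(declare_prefix_ns, prefix))
    except ET.ParseError as exc:
        return "parse error: %s" % exc
    if EXPECTED_CHALLENGE_TAG in tags:
        return "ok"
    return "wrong element type: %s" % tags


if __name__ == "__main__":
    # Original problem: prefix used but never declared.
    print("undeclared luxtrust prefix ->", check_request(False))
    # Workaround tried in the thread: a declared but wrong prefix.
    print("saml prefix               ->", check_request(False, "saml"))
    # Fix: xmlns:luxtrust bound on the custom node.
    print("declared luxtrust prefix  ->", check_request(True))
```

The second case is the important caveat: switching to an already declared prefix makes the document well-formed, but the element then lives in the SAML assertion namespace and no longer matches the partner's schema. The prefix string itself is irrelevant to a namespace-aware parser; only the URI it is bound to counts, which is why declaring it on the custom node and declaring it on the root element are equivalent.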



  • 6.  RE: Federation - Customizing xml namespace of the AuthnRequest generated by ISAM when using SAML Extensions

    Posted Fri March 22, 2019 12:31 PM
    Great news and thanks for following up with the full solution.

    Have a good weekend :-)

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------