The SAML XML feature of the Outgoing WSS configuration does not preserve the formatting of the SAML token as it is entered in the text box. This breaks the signature of a signed SAML assertion, causing the server to reject the SAML token as invalid.
Steps to repro:
- Create a new project and bind it to a web service
- Right click on the project and select Project View, then WS-Security Configurations, then the Outgoing WS-Security Configurations tab
- Add a new security configuration by clicking the + sign just under the tabs
- Then add a new WSS entry by clicking the + sign in the middle of the form. Select "SAML (XML)" and click OK.
- Enter a SAML token that has been signed using standard XML signature capability and that contains embedded white space for indentation and human readability of the XML
- Apply the outgoing WSS to a request and submit the request
- View the HTTP log to inspect the formatting of the SAML token as it was actually sent across the wire. The token will be reformatted and most of the embedded whitespace will have been removed
Expected behavior is that the SAML token would be injected into the outgoing WSS headers verbatim, without any whitespace characters being stripped, so that the signature on the SAML token remains valid.
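As an added illustration (not part of the original report and not SoapUI code), the following Python shows why re-serialising a signed token breaks it: an XML Signature's DigestValue covers the canonicalized element, and whitespace-only text nodes are part of that canonical form. The stdlib C14N 2.0 implementation is used as a stand-in for the Exclusive C14N transform SAML signers normally use (both keep whitespace text nodes unless told otherwise), and the assertion XML is a constructed sample, not a real token.

```python
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)  # keep the "saml" prefix on re-serialisation

# Constructed sample: an indented, human-readable assertion as a tester would
# paste it into the "SAML (XML)" text box. Not a real or signed token.
INDENTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def digest_c14n(xml_text: str, strip_text: bool = False) -> str:
    """Canonicalize the XML and hash it, mirroring what ds:DigestValue covers.
    C14N 2.0 (stdlib) stands in for Exclusive C14N here; with strip_text=False
    the indentation text nodes are part of the digested bytes."""
    canon = ET.canonicalize(xml_data=xml_text, strip_text=strip_text)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def reformat_like_the_bug(xml_text: str) -> str:
    """Simulate a tool that parses the pasted token and serialises it again,
    dropping the whitespace-only text nodes used for indentation."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
    return ET.tostring(root, encoding="unicode")


def digest_survives_transport(original: str, on_the_wire: str, strip_text: bool = False) -> bool:
    """Check to run against the HTTP log: does the digest over the token as
    sent still equal the digest over the token as it was signed? The signer's
    canonicalization choice is fixed in the signature, so the bytes on the
    wire must match it; the tool cannot pick a different one later."""
    return digest_c14n(original, strip_text) == digest_c14n(on_the_wire, strip_text)


if __name__ == "__main__":
    wire = reformat_like_the_bug(INDENTED_ASSERTION)
    print("verbatim token keeps its digest:", digest_survives_transport(INDENTED_ASSERTION, INDENTED_ASSERTION))
    print("reformatted token keeps its digest:", digest_survives_transport(INDENTED_ASSERTION, wire))
```

Only a signer that had canonicalized with whitespace stripping (strip_text=True on both sides) would produce matching digests, which is exactly why the token must leave the tool byte-for-byte as entered.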