Marshalling an assertion into a new document does not preserve its IDness

Description

Using the OpenSAML marshaller to marshal a SAML assertion with a cached DOM element into a new Document does not update the Document's ID attributes, and as a result, searching for the assertion by its ID (Document.getElementById()) returns null.
OpenSAML uses Document.adoptNode to add the cached assertion DOM element to the new Document, but this API does not update the Document's ID attributes. This has been discussed previously on the Xerces mailing list (see XERCESJ-1022), and it was stated that according to the DOM spec, the adoptNode() API is not required to register the ID attributes.
This means that OpenSAML has to take care to register the ID attribute of the assertion in the new Document to ensure the assertion can be looked up by its ID.

I'm attaching a test case against OpenSAML 2.6.6, assuming that this issue is present in 3.x as well, as per the discussion on the mailing list:

http://marc.info/?l=shibboleth-dev&m=145460798719146&w=2
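The behaviour described above, reproduced with plain JAXP DOM as an added example (not code from the OpenSAML project or the attached test case): after Document.adoptNode() the moved element's ID attribute is no longer registered in the target Document, and Element.setIdAttribute() on the adopted element restores the lookup. The assertion markup, ID value and wrapper element are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class AdoptNodeIdness {
    // Constructed sample: a minimal assertion-like element carrying an ID attribute.
    private static final String ASSERTION_XML =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" "
        + "ID=\"_constructed-id-1\" Version=\"2.0\"/>";

    private static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPEs so the parser cannot be fed external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    // Returns true when the ID lookup succeeds in the given document.
    static boolean canLookUp(Document doc, String id) {
        return doc.getElementById(id) != null;
    }

    public static void main(String[] args) throws Exception {
        Document source = builder().parse(new InputSource(new StringReader(ASSERTION_XML)));
        Element assertion = source.getDocumentElement();
        // Register the ID attribute in the source document, as the unmarshaller does.
        assertion.setIdAttribute("ID", true);
        System.out.println("source document: " + canLookUp(source, "_constructed-id-1"));

        // Build the new document the cached element is marshalled into (constructed wrapper).
        Document target = builder().newDocument();
        Element wrapper = target.createElementNS("urn:example:constructed", "Wrapper");
        target.appendChild(wrapper);

        // Move the cached element into the new document via adoptNode, as the marshaller does;
        // the DOM spec does not require adoptNode to carry ID registrations across.
        Element adopted = (Element) target.adoptNode(assertion);
        wrapper.appendChild(adopted);
        System.out.println("after adoptNode: " + canLookUp(target, "_constructed-id-1"));

        // Fix: re-register the ID attribute in the target document.
        adopted.setIdAttribute("ID", true);
        System.out.println("after setIdAttribute: " + canLookUp(target, "_constructed-id-1"));
    }
}
```

The same re-registration is what the second workaround in the comments below amounts to: setting the ID attribute's IDness on the element in its new owner Document.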

Environment

None

Attachments

2
  • 29 Nov 2016, 12:08 PM
  • 05 Feb 2016, 10:41 AM

Activity

Brent Putman, May 28, 2020 at 3:54 AM

Fixed in c1423fcff610e75510386bc995a062f46aa0a5cf.

In AbstractXMLObjectMarshaller we now split the marshalling of attribute IDness out to a separate method from the attribute data.  XMLObject marshallers which have ID attributes should override this new method and do the right thing.  The impl in AbstractXMLObjectMarshaller automatically handles the AttributeMap of AttributeExtensibleXMLObject instances.

Scott Cantor, April 17, 2020 at 1:13 PM

This is noticeable in the IdP now when an upstream proxied IdP encrypts a signed assertion, I assume because the unmarshalled assertion after decryption loses track of the IDness when it's put back in.

Former user, November 29, 2016 at 12:08 PM

We have been able to reproduce the issue using OpenSAML 3.3.0.

In our case we discovered it while writing some unit tests to validate the signature of an assertion. When the assertion is included in a response and then the response is signed, the signature of the assertion cannot be validated anymore. There are two workarounds: marshal and then unmarshal the assertion, or set "ID" manually in the DOM of the assertion.

Fixed

Details

Created February 5, 2016 at 10:43 AM
Updated May 28, 2020 at 3:55 AM
Resolved May 28, 2020 at 3:55 AM