Versions Compared

Comment: Migrated to Confluence 4.0

...

Validation can be done in two ways: validation of the XML, during parsing or after it (that is, of the DOM before unmarshalling or after marshalling), against the SAML schemas, or validation of the SAMLObjects (after unmarshalling or before marshalling) with Validators.

XML

...

Validation

XML schemas for validating SAML 1.0, 1.1, and 2.0 XML are available from the org.opensaml.common.xml.SAMLSchemaBuilder class. In theory, it should have been possible to load all the XML schemas into one Schema object; however, a conflict in the naming of the SAML 1.0 and 1.1 schemas prohibits this. Therefore this class provides two methods, getSAML10Schema() and getSAML11Schema(), both of which can be used to validate SAML 2.0 since its schema is composable with SAML 1.0 or 1.1.

The org.opensaml.common.xml.ParserPoolManager provides two methods for validating a document against the SAML schemas. validate(Document) will validate XML documents using either the SAML 1.1 or SAML 2.0 schemas. validate10(Document) will validate XML documents using either the SAML 1.0 or SAML 2.0 schemas. The reason for the two methods has to do with a mistake made when defining the SAML 1.1 XML Schema (namely putting it in the same namespace as the SAML 1.0 schema). However, both SAML 1.0 and SAML 1.1 schemas are composable with SAML 2.0 and so both methods allow for SAML 2.0 validation.

To validate XML as you parse it with the org.opensaml.xml.parse.ParserPool, simply fetch the appropriate schema from the SAMLSchemaBuilder and add it to the parser pool via the setSchema(Schema) method. If the parser pool has been in use prior to this, any currently checked-out DocumentBuilder will not be affected, but newly checked-out ones will.

To validate XML after it has been parsed into a DOM representation:

  • Get the appropriate schema from the SAMLSchemaBuilder
  • Create a new javax.xml.validation.Validator through the newValidator() method on the Schema
  • Create a new javax.xml.transform.dom.DOMSource with your DOM
  • Invoke the Validator#validate(DOMSource)
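
The four steps above as a JDK-only sketch (an added example, not code from the OpenSAML project). The inline schema, the urn:example:demo namespace and the class name are constructed stand-ins; with OpenSAML the Schema would come from SAMLSchemaBuilder as described above. The DOCTYPE and external-access restrictions are an addition to the page's steps, included because the documents being validated come from other parties.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.*;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class DomSchemaValidation {
    // Constructed stand-in schema so the example runs with the JDK alone.
    // With OpenSAML, obtain the Schema from SAMLSchemaBuilder instead.
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'"
      + " targetNamespace='urn:example:demo' elementFormDefault='qualified'>"
      + "<xs:element name='Assertion'><xs:complexType>"
      + "<xs:attribute name='ID' type='xs:ID' use='required'/>"
      + "</xs:complexType></xs:element></xs:schema>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // schema validation of a DOM needs namespaces
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Returns null when the DOM is schema-valid, otherwise the validator's message. */
    static String validate(Schema schema, Document dom) throws Exception {
        Validator validator = schema.newValidator();            // step 2
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        try {
            validator.validate(new DOMSource(dom));             // steps 3 and 4
            return null;
        } catch (SAXException e) {                              // default handler throws on errors
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(new StreamSource(new StringReader(XSD))); // step 1
        String ok  = "<Assertion xmlns='urn:example:demo' ID='_a1'/>";
        String bad = "<Assertion xmlns='urn:example:demo'/>";   // missing required ID
        System.out.println("valid doc:   " + validate(schema, parse(ok)));
        System.out.println("invalid doc: " + validate(schema, parse(bad)));
    }
}
```

A Validator instance is not thread-safe, so create one per validation from the shared Schema, as validate() does here.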

Note that many products seem to produce invalid XML, so the use of XML Schema validation is not recommended.

...

The most common way to perform validator-based validation is to use a ValidatorSuite (see the configuration file section to learn how to configure these). These suites can be used on a single SAMLObject, a tree of SAMLObjects, or multiple trees of SAMLObjects (i.e. they are stateless and traverse the , here's how:

  1. Retrieve the validator suite using org.opensaml.xml.Configuration#getValidatorSuite(String), passing in the ID of the suite you wish to use
  2. Execute the validate(XMLObject) method, giving it the SAMLObject you wish to validate

...

  • saml1-schema-validator - validates SAMLObjects against the SAML 1.0/1.1 schema
  • saml1-spec-validator - validates SAMLObjects against the SAML 1.0/1.1 specification
  • saml2-core-schema-validator - validates SAMLObjects against the SAML 2.0 core schema
  • saml2-core-spec-validator - validates SAMLObjects against the SAML 2.0 core specification
  • saml2-metadata-schema-validator - validates SAMLObjects against the SAML 2.0 metadata schema
  • saml2-metadata-spec-validator - validates SAMLObjects against the SAML 2.0 metadata specification

...