Canonicalization in JRuby

[jdewind]

Nokogiri in JRuby does not appear to support canonicalization (sparklemotion/nokogiri#226) properly such that it will create a digest mismatch. It doesn't appear there will be a fix immediately either since there hasn't been any action taken for 4 months.

Unfortunately, the only work around would be to do a "soft" validation or explicitly remove the digest check in JRuby. :-(

See https://github.com/onelogin/ruby-saml/blob/master/lib/xml_security.rb#L92-L106

[stouset]

To resolve this on our side would probably involve writing our own canonicalization algorithm. The best approach here is probably to help get that issue in Nokogiri fixed.

What else would you suggest we do from our end?

[jdewind]

I would just look at this commit: atomicobject@dc44f88

It works around the issue. However, this workaround makes it so that the response cannot be verified. Assuming the SSO service is using SSL and it isn't a self signed certificate the security risk is minimal I presume?

Regardless, it isn't ideal.

[stouset]

Sorry, I've been swamped with other stuff. I'll take a look as soon as possible.

[jvshahid]

Issue sparklemotion/nokogiri#226 is fixed. Please open new issue if you found new bugs in the JRuby implementation.

Cheers,

[snackycracky]

+1 for ruby-saml v0.8.1 with jruby-1.7.11