Release : 9.2
Component : API GATEWAY
InclusiveNamespaces is the problem. When the gateway tries to reconstruct the message using the library, it does not add the namespace back into the signed element, so the recomputed digest value does not match the one in the signature.
defect DE334566
Customer wanted to use an XPath assertion to drop additional XML nodes from the SAML message before sending it for validation. But the XPath assertion dropped namespaces, so it was better to use an XSLT transform to drop the additional nodes.
Provided a sample policy with XSLT
Works:
<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
  </ds:Transform>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  </ds:Transform>
</ds:Transforms>
Fails:
<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
  </ds:Transform>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs">
    </ec:InclusiveNamespaces>
  </ds:Transform>
</ds:Transforms>
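As an added illustration (not from the original case and not the gateway's own code), the following Python script models why the PrefixList="xs" declaration matters for the digest. It uses the standard library's C14N 2.0 canonicalizer, which, like exclusive C14N, omits namespace declarations that are not visibly used in element or attribute names; here qname_aware_attrs stands in for InclusiveNamespaces by telling the canonicalizer that the xsi:type value references a prefix. The SAML fragment, the attribute names and the digest algorithm (SHA-256) are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the "xs" prefix is used only inside the xsi:type VALUE,
# so a canonicalizer that tracks prefixes by element/attribute names alone
# treats xmlns:xs as unused and drops it from the signed element.
SAMPLE = (
    '<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="role">'
    '<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:type="xs:string">admin</saml:AttributeValue>'
    '</saml:Attribute>'
)
# Clark notation for the xsi:type attribute (assumed name for this demo).
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def canonicalize(xml_text: str, keep_xs_prefix: bool) -> str:
    """C14N 2.0 via the standard library. keep_xs_prefix=True plays the role of
    PrefixList="xs": the xsi:type value is treated as a QName, so the xs
    declaration is kept on the element that uses it. False models the
    behaviour described above, where the prefix declaration is not added back."""
    if keep_xs_prefix:
        return ET.canonicalize(xml_text, qname_aware_attrs=[XSI_TYPE])
    return ET.canonicalize(xml_text)


def digest(canonical: str) -> str:
    """SHA-256 over the canonical bytes, the way a ds:DigestValue is derived."""
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_like_gateway(xml_text: str, verifier_keeps_xs: bool) -> dict:
    """The signer honoured PrefixList="xs"; the verifier may or may not.
    Returns both digests and whether reference validation would succeed."""
    signed = digest(canonicalize(xml_text, keep_xs_prefix=True))
    recomputed = digest(canonicalize(xml_text, keep_xs_prefix=verifier_keeps_xs))
    return {"signed": signed, "recomputed": recomputed, "match": signed == recomputed}


if __name__ == "__main__":
    for keep in (False, True):
        result = verify_like_gateway(SAMPLE, keep)
        print(f"verifier keeps xs={keep}: digest match={result['match']}")
        print("  ", canonicalize(SAMPLE, keep))
```

Running it shows the xmlns:xs declaration present in one canonical form and absent in the other, which is exactly the byte difference that makes the two digests disagree.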
The XPath assertion, while storing the DOM structure in a context variable, converted it to a string using exclusive canonicalization, which dropped namespaces from