I am trying to write a cross-platform validator for a SAML Assertion against the SAML spec. I need a multiplatform XML validator that can take parameters to be used to compare to attributes in the XML. For example, send in senderID to validate that the sender id is "identProvider".

Does anyone know of an XML validation framework that can do this?

Stefan Rasmusson

1 Answer

To my knowledge (based on building something similar), there really isn't such a thing. You could always hack around the various SAML toolkits if you wanted to - there are a number of them out there.

My personal tool is a bash script that utilizes a number of things - base64, the oh so handy xmlsectool, a dash of openssl, and, of course, xmllint. It's hacky (I'm not a Java dev), ugly (function over form), and a bull in a china shop (I find issues in it all the time!)... So it certainly isn't something ready for the bright lights of the public view. It's nice though, because it can take a base64 encoded request or response and validate the basics (certificates, signatures, encryption), as well as spit out the unencoded request or response. The rest (like what you're seeking to do), I generally do by hand, as I support our product, and commonly don't have the actual connection definitions in front of me.

The "right" way to do it is for vendors (like the one I work for) to include something in the product that would allow you to paste in a response or request, and have it validate against the connections configured in the product, and tell you what exactly is wrong. We're working on such a beast (no ETA yet, but I think it's about 70% done), because it reduces the amount of support calls we take, probably by almost 25%. Of course, if a product isn't compliant with spec... It all goes out the window.

Andrew K.
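The parameter-driven comparison the question asks for, as an added example that is not part of the original post or the answerer's script: it decodes a base64 SAML response and compares expected values against the XML using only the Python standard library. It assumes the question's senderID corresponds to the assertion's `saml:Issuer`; the function names, the sample response and the URLs are constructed for illustration. Signature and certificate validation (what the answer uses xmlsectool and openssl for) is not covered, and these field checks only mean something once that has passed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, for illustration only).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.test/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>identProvider</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values; fractional seconds are dropped.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_response(b64_response, sender_id, audience, destination, now):
    """Return mismatches (empty list = pass). Does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    errors = []
    if root.get("Destination") != destination:
        errors.append("Destination mismatch")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no plaintext Assertion (missing or encrypted)"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != sender_id:
        errors.append("Issuer mismatch")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return errors + ["no Conditions element"]
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        errors.append("Audience mismatch")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        errors.append("not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        errors.append("expired")
    return errors
```

Passing `now` explicitly keeps the validity-window check reproducible when replaying a captured response during troubleshooting.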