SAML 2.0 AuthnRequest extensions and signature namespaces

Hi,
We just purchased your library for SAML 2.0 and we love it! I have a question about the XML signature on an AuthnRequest.
We must, sometimes, include an Extension element in the request from our SP to the IdP. The XML signature generation methods take an "inclusiveNamespacesPrefixList" parameter. As I understand it, this relates to the XML canonicalization step. Could you describe in more detail what this parameter does? What do you think we should do when we include an Extension element from another, or several other, namespaces? Is it something we need to worry about, especially with regards to security?
/Henrik

Thank you Henrik for your kind words.
Generally we recommend not using extensions if at all possible as this increases complexity and reduces interoperability.

The inclusiveNamespacesPrefixList API parameter corresponds to the InclusiveNamespaces PrefixList attribute in the XML signature. The example below is for a typical SAML message with the standard XML namespace prefixes.

<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
  <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/>
</Transform>

The InclusiveNamespaces PrefixList identifies the XML to be included in the canonicalization process.
My understanding is that the prefix for your extension XML must be included in this list. You should list all the namespace prefixes for your extensions.
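A quick way to work out which prefixes belong in that list, as an added example that is not part of this thread or of the ComponentSpace library: it parses a constructed AuthnRequest carrying an Extensions element in a hypothetical "idp" namespace and separates the prefixes that exclusive C14N keeps on its own (used in an element or attribute name) from those used only inside attribute values or text, whose declarations exclusive C14N omits unless they are in the PrefixList, so a signature computed without them would not cover them.

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample (not from the thread): Extensions child in a hypothetical
# "idp" namespace, plus an attribute value "xs:string" using a prefix that occurs in no name.
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:idp="urn:example:idp-extension" ID="_req1" Version="2.0">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:Extensions>
    <idp:Hint xsi:type="xs:string">tenant-42</idp:Hint>
  </samlp:Extensions>
</samlp:AuthnRequest>"""

QNAME_RE = re.compile(r"^([A-Za-z_][\w.-]*):")  # leading "prefix:" in a value

def _ns(name):
    """Namespace URI of an ElementTree '{uri}local' name ('' if unqualified)."""
    return name[1:].split("}", 1)[0] if name.startswith("{") else ""

def classify_prefixes(xml_text):
    """'visible': used in an element/attribute name (exc-c14n emits it itself);
    'content_only': used only inside values (kept only via the PrefixList)."""
    declared, uri_to_prefix = {}, {}
    visible_uris, content_prefixes = set(), set()
    for event, payload in ET.iterparse(BytesIO(xml_text.encode()), ("start-ns", "end")):
        if event == "start-ns":
            prefix, uri = payload
            declared[prefix], uri_to_prefix[uri] = uri, prefix
            continue
        visible_uris.add(_ns(payload.tag))          # element name namespace
        values = [payload.text or ""]               # text content is complete at "end"
        for name, value in payload.attrib.items():
            visible_uris.add(_ns(name))             # attribute name namespace
            values.append(value)
        for value in values:
            m = QNAME_RE.match(value.strip())
            if m and m.group(1) in declared:        # ignores e.g. "https:" in text
                content_prefixes.add(m.group(1))
    visible = {uri_to_prefix[u] for u in visible_uris if u in uri_to_prefix}
    return {"visible": visible, "content_only": content_prefixes - visible}

def prefix_list(xml_text):
    """Space-separated PrefixList naming every prefix the document relies on."""
    info = classify_prefixes(xml_text)
    used = info["visible"] | info["content_only"]
    return " ".join(sorted("#default" if p == "" else p for p in used))
```

The "prefix:" scan of values is a heuristic for QName-in-content; a prefix redeclared with a different URI deeper in the document is not tracked separately here.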

Hi,
Thanks, great answer. We know it is bad practice to use extensions but the IdP we are communicating with requires it in a very special situation. We will see how the extension element looks after serialization and what prefixes we need to include.
/Henrik

If you run into any issues, please enable SAML trace and send the generated log as an email attachment to support@componentspace.com.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Thanks Henrik.