Friday, October 08, 2004

SOAP

SOAP is an XML technology for sending and receiving messages across the Internet. More often than not, SAML assertions are bound to SOAP messages, so a basic understanding of SOAP is essential for federated identity management.

SOAP is not necessarily bound to HTTP, but HTTP is the only substrate we consider here. In other words, for the purposes of this discussion, SOAP runs on top of HTTP, and SAML is wrapped inside of SOAP. We often use the phrase "SAML over SOAP over HTTP" when discussing these related technologies.

Originally, SOAP was an acronym for "Simple Object Access Protocol", but this turned out to be a misnomer since SOAP has nothing to do with "object access" in the object-oriented programming sense of the phrase. So today we no longer think of "SOAP" as an acronym although the capitalization persists.

SOAP 1.1 is based on a note sent to the W3C (from Microsoft, IBM and others) in May 2002. This note did not become a formal W3C recommendation but SOAP 1.1 remains a de facto SOAP standard nonetheless. For example, all versions of SAML rely on SOAP 1.1.

Subsequently, the W3C began work on SOAP 1.2, which culminated in a comprehensive set of recommendations published in June 2003. See the W3C page XML Protocol Working Group for links to these documents and other SOAP-related activity. The document SOAP Version 1.2 Part 0: Primer is particularly useful for a basic understanding of SOAP messaging.

A SOAP message consists of a so-called SOAP envelope inside an HTTP wrapper. Like HTTP, a SOAP envelope consists of two parts, a header and a body. Of these, only the SOAP body is required. As we will see, all parts of a SOAP message are XML-encoded (although SOAP 1.2 permits MIME attachments to SOAP messages, much like SMTP).

A SOAP 1.1 message inside an HTTP POST request might look like this:

POST /trscavo/servlet/HttpEchoServlet HTTP/1.1
Host: voyager.cs.bgsu.edu:8080
Content-Type: text/xml; charset="utf-8"
Content-Length: nnnn
SOAPAction:

<?xml version="1.0"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>...</SOAP-ENV:Header>
  <SOAP-ENV:Body>...</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Note that in SOAP 1.1, messages are bound to POST requests only. Also, since the SOAPAction header has been removed in SOAP 1.2, we will not discuss it further.

A similar SOAP 1.1 message wrapped inside an HTTP response would be:

HTTP/1.1 200 OK
Content-Type: text/xml; charset="utf-8"
Content-Length: nnnn

<?xml version="1.0"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>...</SOAP-ENV:Header>
  <SOAP-ENV:Body>...</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Some changes to the SOAP message structure were made in version 1.2. First of all, SOAP 1.2 messages may be bound to either GET or POST requests. An example of the latter is the following:

POST /trscavo/servlet/HttpEchoServlet HTTP/1.1
Host: voyager.cs.bgsu.edu:8080
Content-Type: application/soap+xml; charset="utf-8"
Content-Length: nnnn

<?xml version="1.0"?>
<env:Envelope
  xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>...</env:Header>
  <env:Body>...</env:Body>
</env:Envelope>

Observe the differences between SOAP 1.1 and 1.2 (when bound to HTTP POST requests):

  • The SOAPAction header has been removed, as is generally the case in SOAP 1.2.
  • A new content type, application/soap+xml, has been declared specifically for use with SOAP 1.2.
  • An XML declaration has been added to the request body.
  • The SOAP namespace URI has changed.

A SOAP 1.2 message bound to an HTTP response is formulated much like before:

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset="utf-8"
Content-Length: nnnn

<?xml version="1.0"?>
<env:Envelope
  xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>...</env:Header>
  <env:Body>...</env:Body>
</env:Envelope>

The primary differences are the content type and namespace URI as mentioned above.
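
A receiver can use these two differences to decide which SOAP version it has been sent, and to refuse a message whose HTTP content type disagrees with its envelope namespace. The following is an added example, not code from the original post or from any SOAP toolkit: the names classify_soap and SoapError are hypothetical, the sample messages are constructed, and allowing only Header and Body as children of the envelope is a strict policy assumed here.

```python
import xml.etree.ElementTree as ET

# Content type and envelope namespace pairs taken from the examples above.
SOAP_VERSIONS = {
    "1.1": ("text/xml", "http://schemas.xmlsoap.org/soap/envelope/"),
    "1.2": ("application/soap+xml", "http://www.w3.org/2003/05/soap-envelope"),
}

class SoapError(ValueError):
    """Raised when a message does not match one SOAP version consistently."""

def classify_soap(content_type: str, body: bytes) -> str:
    """Return "1.1" or "1.2", or raise SoapError on any inconsistency."""
    # Compare only the media type; parameters such as charset are ignored.
    media_type = content_type.split(";", 1)[0].strip().lower()
    # SOAP messages must not carry a DTD; refuse before parsing (crude check).
    if b"<!DOCTYPE" in body:
        raise SoapError("DOCTYPE not allowed in a SOAP message")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise SoapError(f"not well-formed XML: {exc}") from exc
    for version, (expected_type, ns) in SOAP_VERSIONS.items():
        if root.tag == f"{{{ns}}}Envelope":
            break
    else:
        raise SoapError(f"root element is not a SOAP envelope: {root.tag}")
    if media_type != expected_type:
        raise SoapError(f"SOAP {version} envelope sent as {media_type!r}")
    # Assumed policy: optional Header first, then exactly one required Body.
    children = [child.tag for child in root]
    if children not in ([f"{{{ns}}}Body"], [f"{{{ns}}}Header", f"{{{ns}}}Body"]):
        raise SoapError("envelope must contain an optional Header then one Body")
    return version

# Constructed sample messages modeled on the examples above.
SAMPLE_11 = (b'<?xml version="1.0"?><SOAP-ENV:Envelope '
             b'xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<SOAP-ENV:Body/></SOAP-ENV:Envelope>')
SAMPLE_12 = (b'<?xml version="1.0"?><env:Envelope '
             b'xmlns:env="http://www.w3.org/2003/05/soap-envelope">'
             b'<env:Header/><env:Body/></env:Envelope>')

if __name__ == "__main__":
    print(classify_soap('text/xml; charset="utf-8"', SAMPLE_11))
    print(classify_soap('application/soap+xml; charset="utf-8"', SAMPLE_12))
```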

A popular open source SOAP processor is called Axis from the Apache project. The current production release of Axis (v1.1) fully supports SOAP 1.1 and partially implements SOAP 1.2. Version 1.2 of Axis, which is at "release candidate" stage at the time of this writing, is said to be fully compatible with SOAP 1.2.

SOAP can be used for synchronous or asynchronous messaging. Synchronous messaging, where the sender blocks until a reply is received, is simplest. Fortunately, the SAML SOAP bindings, which we consider in detail in the next thread, are synchronous.