I've been stuck for the last couple of days trying to figure out why the response which I'm getting from the IdP is being rejected from the package I'm using. I'm using this https://github.com/aacotroneo/laravel-saml2
This is the response that I'm getting:
xml: """
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="vDJfB_2Fr9fGfh9izuYf6pSoE6q" IssueInstant="2020-11-04T08:55:23.144Z" InResp ▶
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idP</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="kle-id.i4AcYYOSNJEX0biJ1lhh" IssueInstant="2020-11-04T08:55:23.302Z" Version="2.0">
<saml:Issuer>idP</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#kle-id.i4AcYYOSNJEX0biJ1lhh">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>Bm0ARLP+duLFtM0UwVkXYr+W9PRSYYuW4sv0rzQsGlI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
RlvQm/VDU13e1oFU+y/0wr//bA6blrYBQER+57/hHq+SBRPDJl8hpEXnLaiv5AAEtzVteJrlhgc+
9YbTg8478l8hmBfVZVzlIa0POypWrNA8lwzhwDRAsQtbxypY3RPwKW0SSs6kq0K0EduxecG4grcl
1lWEpTRBtdv/NqVg6w8swSQzMXXf0GKjmqeagAqm3HeA6nSNc2T02ChwQ/78OZEbZjDaKj2Rqv2Y
1zqf/xyM2QZES3IlVfA5yekoJfG81sZYn5s+RiTsqFjAMvKrBsaPbEMZoT3ZcFQLY+/b08cTxCEM
RirLXRp86rAHhqps0+y1j9eFg0HWdvTO/3Ss0w==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
DELETED FOR PRIVACY REASONS
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
DELETED
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DELETED FOR PRIVACY REASONS</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="DELETED FOR PRIVACY REASONS" NotOnOrAfter="2020-11-04T09:00:23.305Z" InResponseTo="ONELOGIN_6134c96d0e247a491cc1a83286b4226c2d30004a"
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-11-04T08:50:23.305Z" NotOnOrAfter="2020-11-04T09:00:23.305Z">
<saml:AudienceRestriction>
<saml:Audience>DELETED FOR PRIVACY REASONS</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="kle-id.i4AcYYOSNJEX0biJ1lhh" AuthnInstant="2020-11-04T08:36:22.912Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
"""
I'm not sure what's going on, but I kept tracing the validation and it seems to me that it rejects this response after checking for the NotBefore attribute on line 359 at OneLogin\Saml2\Response.php
Can someone please help me to figure out what the hell is going on with it?
The idp is from PingFederate
From looking at the NotBefore and NotOnOrAfter timestamps in the Response, Ping is set to a 5min clock skew which is normal/default.
Without more specific error messages, it sounds like there is a clock drift issue between the IDP Server (PF) and your SP Application if your SP is complaining about the NotBefore. Ensure both servers have not only the proper time but also the proper timezone in the OS settings. You might need to restart PF to get it to pick up any changes to the system time if you make any.
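To see how far the SP clock can be off before the NotBefore check described above fails, the following added example (not part of the original posts, and not code from the package) evaluates the Conditions window of the quoted assertion against a given SP time. The function names and the `allowed_drift_s` tolerance parameter are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the timing attributes of the assertion quoted above.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="kle-id.i4AcYYOSNJEX0biJ1lhh" IssueInstant="2020-11-04T08:55:23.302Z" Version="2.0">
  <saml:Conditions NotBefore="2020-11-04T08:50:23.305Z"
                   NotOnOrAfter="2020-11-04T09:00:23.305Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2020-11-04T08:55:23.302Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def read_window(assertion_xml):
    """Return (IssueInstant, NotBefore, NotOnOrAfter) as aware datetimes."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    return (parse_instant(root.get("IssueInstant")),
            parse_instant(cond.get("NotBefore")),
            parse_instant(cond.get("NotOnOrAfter")))


def check_conditions(assertion_xml, sp_now, allowed_drift_s=0):
    """Evaluate the Conditions window against the SP's own clock."""
    _, not_before, not_on_or_after = read_window(assertion_xml)
    drift = timedelta(seconds=allowed_drift_s)  # hypothetical SP tolerance
    if sp_now + drift < not_before:
        return "not yet valid (NotBefore)"
    if sp_now - drift >= not_on_or_after:
        return "expired (NotOnOrAfter)"
    return "valid"


def tolerated_offset_s(assertion_xml, allowed_drift_s=0):
    """Range of SP-minus-IdP clock offsets (seconds) accepted at issue time."""
    issued, not_before, not_on_or_after = read_window(assertion_xml)
    low = (not_before - issued).total_seconds() - allowed_drift_s
    high = (not_on_or_after - issued).total_seconds() + allowed_drift_s
    return low, high


if __name__ == "__main__":
    issued = read_window(ASSERTION)[0]
    # An SP clock in sync, a few minutes slow, and an hour slow (wrong timezone).
    for label, offset in [("in sync", 0), ("6 min behind", -360), ("1 h behind", -3600)]:
        now = issued + timedelta(seconds=offset)
        print(f"{label:>13}: {check_conditions(ASSERTION, now)}")
    print("accepted offset range (s):", tolerated_offset_s(ASSERTION))
```

Comparing the SP server's UTC time at the moment of rejection with the IssueInstant in the response gives the offset to check against this range.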
Related
My goal is to update the subject of an email message using makeewsrequestasync.
At first I issue a GetItem request to get the latest ChangeKey of the message I want to update. This request works fine and I successfully get the item ChangeKey.
After that I send another request to finally update my email subject. However, I always get an internal server error with error code 500. Below is the request I send in the data object of the makeewsrequestasync method.
<?xml version='1.0' encoding='utf-8'?><soap:Envelope xmlns:soap = 'https://schemas.xmlsoap.org/soap/envelope/'> xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'> <soap:Header> <t:RequestServerVersion Version='Exchange2013'/> </soap:Header> <soap:Body> <UpdateItem MessageDisposition='SaveOnly' ConflictResolution='AutoResolve' xmlns='http://schemas.microsoft.com/exchange/services/2006/messages'> <ItemChanges> <t:ItemChange> <t:ItemId Id='AAMkAGNkZWM1OTUzLTVhMzAtNDQyZS1hYzNmLTFhNDQ5ODc4NTYwMABGAAAAAABB8zSmRPuuRoRPHF1NS2srBwA9GscujNfkQL9s6uP7T+MpAAAAAAEMAADOgKz/bqQyTqxlZnzyc9ndAAH8Uu4tAAA=' ChangeKey='CQAAABYAAADOgKz/bqQyTqxlZnzyc9ndAAILRklX'/> <t:Updates> <t:SetItemField> <t:FieldURI FieldURI='item:Subject'/> <t:Message> <t:Subject>[Venga] MyAnalytics | Network Edition</t:Subject> </t:Message> </t:SetItemField > </t:Updates> </t:ItemChange> </ItemChanges> </UpdateItem> </soap:Body></soap:Envelope>
I already tried several ways to update my subject, but unfortunately without success.
There is a similar question which I used to build my request
(similar question), but I always end up with the Internal Server Error. I would love to get advice on how to resolve this issue.
There are multiple issues with your XML request (it's not even valid XML)
<soap:Envelope xmlns:soap = 'https://schemas.xmlsoap.org/soap/envelope/'>
The namespace schema is wrong: you have modified the correct schema to https. Note this has nothing to do with using http or https; it is just the schema definition, and by changing it you have made it invalid. You have also added an extra > at the end, which closes the tag, but you have extra namespace attributes that should be included in the namespace, which just become invalid text at that point in your request. E.g. it should be
<?xml version='1.0' encoding='utf-8'?><soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'>
You also have extra whitespace in the closing SetItemField tag. This appears to be valid now:
<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope
xmlns:soap = 'http://schemas.xmlsoap.org/soap/envelope/'
xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'>
<soap:Header>
<t:RequestServerVersion Version='Exchange2013'/>
</soap:Header>
<soap:Body>
<UpdateItem MessageDisposition='SaveOnly' ConflictResolution='AutoResolve'
xmlns='http://schemas.microsoft.com/exchange/services/2006/messages'>
<ItemChanges>
<t:ItemChange>
<t:ItemId Id='AAMkAGNkZWM1OTUzLTVhMzAtNDQyZS1hYzNmLTFhNDQ5ODc4NTYwMABGAAAAAABB8zSmRPuuRoRPHF1NS2srBwA9GscujNfkQL9s6uP7T+MpAAAAAAEMAADOgKz/bqQyTqxlZnzyc9ndAAH8Uu4tAAA=' ChangeKey='CQAAABYAAADOgKz/bqQyTqxlZnzyc9ndAAILRklX'/>
<t:Updates>
<t:SetItemField>
<t:FieldURI FieldURI='item:Subject'/>
<t:Message>
<t:Subject>[Venga] MyAnalytics | Network Edition</t:Subject>
</t:Message>
</t:SetItemField>
</t:Updates>
</t:ItemChange>
</ItemChanges>
</UpdateItem>
</soap:Body>
</soap:Envelope>
I have several user accounts in Office 365 tenant. Two of them are almost identical (have similar settings but different contact info and name).
I try to fetch information (such as all folders and items) in a user's mailbox using the GetFolder operation from the EWS API with the following body:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013"/>
<t:ExchangeImpersonation>
<t:ConnectingSID>
<t:PrimarySmtpAddress>Name.Surname@mydomain.onmicrosoft.com</t:PrimarySmtpAddress>
</t:ConnectingSID>
</t:ExchangeImpersonation>
</soap:Header>
<soap:Body>
<GetFolder xmlns="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<FolderShape>
<t:BaseShape>AllProperties</t:BaseShape>
<t:AdditionalProperties> </t:AdditionalProperties>
</FolderShape>
<FolderIds>
<t:DistinguishedFolderId Id="outbox"/>
</FolderIds>
</GetFolder>
</soap:Body>
</soap:Envelope>
I can successfully get info for one of these two mailboxes, but for the other I get an error reply with the following body:
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<s:Fault>
<faultcode xmlns:a="http://schemas.microsoft.com/exchange/services/2006/types">a:ErrorNonPrimarySmtpAddress</faultcode>
<faultstring xml:lang="en-US">The primary SMTP address must be specified when referencing a mailbox.</faultstring>
<detail>
<e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorNonPrimarySmtpAddress</e:ResponseCode>
<e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">The primary SMTP address must be specified when referencing a mailbox.</e:Message>
<t:MessageXml xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<t:Value Name="Primary"/>
</t:MessageXml>
</detail>
</s:Fault>
</s:Body>
</s:Envelope>
Why do I get such an ErrorNonPrimarySmtpAddress error response? What can be the problem when I fetch data in the mailbox of the second user?
You need to use the primary SMTP address - I doubt Name.Surname@mydomain.onmicrosoft.com is the primary address.
Open the address book in Outlook (Ctrl+Shift+B), open the user, switch to the "E-mail Addresses" tab, look for the address with the "SMTP:" prefix (note the caps).
I am new to Exchange server. I would like to create a meeting via EWS. My goal is to book a meeting on a room and later pull all the meetings for a specific room, just knowing the room identifier.
Is it possible to impersonate a room in meeting creation, or is it enough just to add the room as a participant?
A room shouldn't be the organizer of a Meeting, so there should be no need to try to impersonate it (by default room accounts are disabled, so you can't impersonate a disabled account). The only person you should impersonate is the Organizer of the appointment; add the Room as a resource of the Meeting you're creating and then send the request to the meeting room mailbox and let Auto-accept handle the rest.
Cheers
Glen
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013_SP1" />
<t:TimeZoneContext>
<t:TimeZoneDefinition Name="(UTC+10:00) Canberra, Melbourne, Sydney" Id="AUS Eastern Standard Time">
<t:Periods>
<t:Period Bias="-P0DT11H0M0.0S" Name="Daylight" Id="Dlt/1" />
<t:Period Bias="-P0DT10H0M0.0S" Name="Standard" Id="Std/1" />
<t:Period Bias="-P0DT11H0M0.0S" Name="Daylight" Id="Dlt/2008" />
<t:Period Bias="-P0DT10H0M0.0S" Name="Standard" Id="Std/2008" />
</t:Periods>
<t:TransitionsGroups>
<t:TransitionsGroup Id="0">
<t:RecurringDayTransition>
<t:To Kind="Period">Dlt/1</t:To>
<t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
<t:Month>10</t:Month>
<t:DayOfWeek>Sunday</t:DayOfWeek>
<t:Occurrence>-1</t:Occurrence>
</t:RecurringDayTransition>
<t:RecurringDayTransition>
<t:To Kind="Period">Std/1</t:To>
<t:TimeOffset>P0DT3H0M0.0S</t:TimeOffset>
<t:Month>3</t:Month>
<t:DayOfWeek>Sunday</t:DayOfWeek>
<t:Occurrence>-1</t:Occurrence>
</t:RecurringDayTransition>
</t:TransitionsGroup>
<t:TransitionsGroup Id="1">
<t:RecurringDayTransition>
<t:To Kind="Period">Dlt/2008</t:To>
<t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
<t:Month>10</t:Month>
<t:DayOfWeek>Sunday</t:DayOfWeek>
<t:Occurrence>1</t:Occurrence>
</t:RecurringDayTransition>
<t:RecurringDayTransition>
<t:To Kind="Period">Std/2008</t:To>
<t:TimeOffset>P0DT3H0M0.0S</t:TimeOffset>
<t:Month>4</t:Month>
<t:DayOfWeek>Sunday</t:DayOfWeek>
<t:Occurrence>1</t:Occurrence>
</t:RecurringDayTransition>
</t:TransitionsGroup>
</t:TransitionsGroups>
<t:Transitions>
<t:Transition>
<t:To Kind="Group">0</t:To>
</t:Transition>
<t:AbsoluteDateTransition>
<t:To Kind="Group">1</t:To>
<t:DateTime>2007-12-31T13:00:00.000Z</t:DateTime>
</t:AbsoluteDateTransition>
</t:Transitions>
</t:TimeZoneDefinition>
</t:TimeZoneContext>
</soap:Header>
<soap:Body>
<m:CreateItem SendMeetingInvitations="SendToAllAndSaveCopy">
<m:Items>
<t:CalendarItem>
<t:Subject>Meeting</t:Subject>
<t:Start>2016-03-01T12:33:17.185+11:00</t:Start>
<t:End>2016-03-01T13:33:17.185+11:00</t:End>
<t:RequiredAttendees>
<t:Attendee>
<t:Mailbox>
<t:EmailAddress>attendee@mailbox.com</t:EmailAddress>
</t:Mailbox>
</t:Attendee>
</t:RequiredAttendees>
<t:Resources>
<t:Attendee>
<t:Mailbox>
<t:EmailAddress>room@mailbox.com</t:EmailAddress>
</t:Mailbox>
</t:Attendee>
</t:Resources>
</t:CalendarItem>
</m:Items>
</m:CreateItem>
</soap:Body>
</soap:Envelope>
I'm using a FindItem call to get items (appointments) from Exchange Web Services (EWS). The properties which are fetched are the item Id and the EffectiveRights. The EffectiveRights property often does not contain the correct values. Sometimes, however, the values are correct (using the same code), but I don't know what causes this.
The Calendar folder I'm searching in is delegated with Author rights to the service user I authenticate with, and it contains appointments of which this service user is the author.
I'm using the ews-java-api library and the response traces show that this isn't a parsing bug.
The code used to retrieve the items:
ItemView view = new ItemView(100);
PropertySet propertySet = new PropertySet();
propertySet.add(ItemSchema.Id);
propertySet.add(ItemSchema.EffectiveRights);
view.setPropertySet(propertySet);
FolderId folderId = new FolderId(WellKnownFolderName.Calendar, Mailbox.getMailboxFromString(targetSmtpAddress));
FindItemsResults<Item> items = service.findItems(folderId, filter, view);
Item firstItem = items.getItems().get(0);
firstItem.getEffectiveRights(); // Returns NONE, READ. This is incorrect.
Item bindItem = Item.bind(service, firstItem.getId());
bindItem.getEffectiveRights(); // Returns NONE, READ, MODIFY, DELETE. This is correct.
The request trace:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010_SP2"></t:RequestServerVersion>
</soap:Header>
<soap:Body>
<m:FindItem Traversal="Shallow">
<m:ItemShape>
<t:BaseShape>IdOnly</t:BaseShape>
<t:AdditionalProperties>
<t:FieldURI FieldURI="item:ItemId"></t:FieldURI>
<t:FieldURI FieldURI="item:EffectiveRights"></t:FieldURI>
</t:AdditionalProperties>
</m:ItemShape>
<m:IndexedPageItemView MaxEntriesReturned="1000" Offset="0" BasePoint="Beginning"></m:IndexedPageItemView>
<m:Restriction>
<t:And>
<t:IsEqualTo>
<t:ExtendedFieldURI PropertySetId="039b4d91-2f03-44da-887c-aad704243ba8" PropertyName="SyncId" PropertyType="String"></t:ExtendedFieldURI>
<t:FieldURIOrConstant>
<t:Constant Value="syncID:330"></t:Constant>
</t:FieldURIOrConstant>
</t:IsEqualTo>
<t:IsGreaterThanOrEqualTo>
<t:FieldURI FieldURI="calendar:Start"></t:FieldURI>
<t:FieldURIOrConstant>
<t:Constant Value="2015-01-28T13:53:38Z"></t:Constant>
</t:FieldURIOrConstant>
</t:IsGreaterThanOrEqualTo>
</t:And>
</m:Restriction>
<m:ParentFolderIds>
<t:DistinguishedFolderId Id="calendar">
<t:Mailbox>
<t:EmailAddress>TARGETUSER@SMTP.ADDRESS</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</m:ParentFolderIds>
</m:FindItem>
</soap:Body>
</soap:Envelope>
The trace of a 'faulty' response:
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<h:ServerVersionInfo MajorVersion="14" MinorVersion="3" MajorBuildNumber="224" MinorBuildNumber="2" Version="Exchange2010_SP2" xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<m:FindItemResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<m:ResponseMessages>
<m:FindItemResponseMessage ResponseClass="Success">
<m:ResponseCode>NoError</m:ResponseCode>
<m:RootFolder IndexedPagingOffset="1000" TotalItemsInView="1868" IncludesLastItemInRange="false">
<t:Items>
<t:CalendarItem>
<t:ItemId Id="AAMkAGVlZmVlY2JjLTcxOTItNDBkYi1hOTljLTkwZjQwZjE4MTU1NQBGAAAAAADZ8IosQv76QbxS0r8FeFzgBwB25IsPmJcKTaP6zvCUqaybAAAAoIe5AAB25IsPmJcKTaP6zvCUqaybAABcSsgnAAA=" ChangeKey="DwAAABYAAAB25IsPmJcKTaP6zvCUqaybAABcS6ER"/>
<t:EffectiveRights>
<t:CreateAssociated>false</t:CreateAssociated>
<t:CreateContents>false</t:CreateContents>
<t:CreateHierarchy>false</t:CreateHierarchy>
<t:Delete>false</t:Delete>
<t:Modify>false</t:Modify>
<t:Read>true</t:Read>
<t:ViewPrivateItems>false</t:ViewPrivateItems>
</t:EffectiveRights>
</t:CalendarItem>
<t:CalendarItem>
<t:ItemId Id="AAMkAGVlZmVlY2JjLTcxOTItNDBkYi1hOTljLTkwZjQwZjE4MTU1NQBGAAAAAADZ8IosQv76QbxS0r8FeFzgBwB25IsPmJcKTaP6zvCUqaybAAAAoIe5AAB25IsPmJcKTaP6zvCUqaybAABcSsglAAA=" ChangeKey="DwAAABYAAAB25IsPmJcKTaP6zvCUqaybAABcS6EN"/>
<t:EffectiveRights>
<t:CreateAssociated>false</t:CreateAssociated>
<t:CreateContents>false</t:CreateContents>
<t:CreateHierarchy>false</t:CreateHierarchy>
<t:Delete>false</t:Delete>
<t:Modify>false</t:Modify>
<t:Read>true</t:Read>
<t:ViewPrivateItems>false</t:ViewPrivateItems>
</t:EffectiveRights>
</t:CalendarItem>
<!-- MORE ITEMS HERE... -->
</t:Items>
</m:RootFolder>
</m:FindItemResponseMessage>
</m:ResponseMessages>
</m:FindItemResponse>
</s:Body>
</s:Envelope>
I already found this blog post which seems somewhat related, but nothing more than that.
FindItems loads values from the contents table of a folder, rather than from the items themselves. Many times, with computed properties like EffectiveRights, a simplistic approach is used to populate the table to give an approximation. It seems like that's what's happening here. The comment in your code mentions that the value is correct after you Bind to the item (which loads values from the item itself).
I am trying to digitally sign a businessEntity node. I am using XPath in my transform to refer to this node.
My XPath expression is:
ancestor-or-self::ns1:businessEntity[
@businessKey = 'uddi:testSignedProviderlastime'
] and not(ancestor-or-self::ns1:businessService)
and not(ancestor-or-self::ds:Signature)
I want to remove the dependency for the namespace prefix ns1. Is there a way I can do that? Or is there a way I can specify the namespace URI in my expression.
I have already tried replacing the namespace prefix ns1 with a , but got an error for using "" prefix.
Any help in modifying this expression is appreciated.
Thanks,
Sonia
Following is the XML I am applying this transform to:
<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<ns1:save_business xmlns:ns1="urn:uddi-org:api_v3">
<ns1:authInfo>something
</ns1:authInfo>
<ns1:businessEntity businessKey="uddi:testSignedProviderlastime" xmlns:ns1="urn:uddi-org:api_v3">
<ns1:name>testSignedProviderlastime</ns1:name>
<ns1:description>Not Provided</ns1:description>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:XPath xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ns1="urn:uddi-org:api_v3">ancestor-or-self::ns1:businessEntity[@businessKey='uddi:testSignedProviderlastime'] and not (ancestor-or-self::ns1:businessService) and not (ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">something</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
something
</ds:SignatureValue>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
something
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RSAKeyValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Modulus xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
something
</ds:Modulus>
<ds:Exponent xmlns:ds="http://www.w3.org/2000/09/xmldsig#">AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</ns1:businessEntity>
</ns1:save_business>
</soapenv:Body>
I guess you want this:
ancestor-or-self::*[local-name() = 'businessEntity']
Or a more precise:
ancestor-or-self::*
[local-name() = 'businessEntity' and namespace-uri() = 'urn:uddi-org:api_v3']
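In a signature transform it matters exactly which nodes the filter keeps for the digest, so the added example below (not part of the original posts) compares the two forms of the businessEntity test. It emulates the filter with Python's ElementTree, which has no local-name() support, considers element nodes only, and keeps the rest of the question's expression (the businessKey test and the two exclusions) unchanged; the `urn:example:other` namespace and the function names are made up for the illustration.

```python
import xml.etree.ElementTree as ET

UDDI = "urn:uddi-org:api_v3"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
KEY = "uddi:testSignedProviderlastime"

# Constructed sample: the question's document, trimmed, plus one same-named
# element in a made-up namespace (urn:example:other) for comparison.
DOC = f"""<ns1:save_business xmlns:ns1="{UDDI}" xmlns:o="urn:example:other">
  <ns1:authInfo>something</ns1:authInfo>
  <ns1:businessEntity businessKey="{KEY}">
    <ns1:name>testSignedProviderlastime</ns1:name>
    <ds:Signature xmlns:ds="{DSIG}"><ds:SignedInfo/></ds:Signature>
  </ns1:businessEntity>
  <o:businessEntity businessKey="{KEY}"><o:name>other</o:name></o:businessEntity>
</ns1:save_business>"""


def split_tag(tag):
    """ElementTree stores names as '{uri}local'; return (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def kept_elements(doc, check_namespace):
    """Tags of the elements for which the filter expression is true.

    check_namespace=False models the local-name()-only test,
    check_namespace=True the local-name() plus namespace-uri() test.
    """
    kept = []

    def walk(elem, ancestors):
        chain = ancestors + [elem]  # the ancestor-or-self axis of this node
        names = [split_tag(e.tag) for e in chain]
        in_entity = any(
            local == "businessEntity"
            and (uri == UDDI or not check_namespace)
            and e.get("businessKey") == KEY
            for e, (uri, local) in zip(chain, names))
        excluded = any(n in ((UDDI, "businessService"), (DSIG, "Signature"))
                       for n in names)
        if in_entity and not excluded:
            kept.append(elem.tag)
        for child in elem:
            walk(child, chain)

    walk(ET.fromstring(doc), [])
    return kept


if __name__ == "__main__":
    print("local-name() only:           ", kept_elements(DOC, False))
    print("local-name() + namespace-uri:", kept_elements(DOC, True))
```

The namespace-qualified form keeps only the UDDI businessEntity and its name child, while the local-name()-only form also keeps the same-named element from the other namespace.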