mace-opensaml-users - RE: Any Authentication Authority available for testing?
Subject: OpenSAML user discussion
List archive
- From: Scott Cantor <>
- To: "'Jad S. Boutros'" <>,
- Subject: RE: Any Authentication Authority available for testing?
- Date: Sat, 18 Jan 2003 18:48:01 -0500
- Importance: Normal
- Organization: The Ohio State University
> Thank you Scott for this info. I thought of subclassing
> SAMLQuery to provide the AssertionArtifact component of the
> request. If I understand correctly, we can populate the
> RespondWith QName to ask for an authentication statement back
> from the server and that one, the OpenSAML code already
> validates properly. Is there more to it for the SOAP case?
Supporting the query end of the artifact profile would be handled by adding
the necessary constructors and functions to SAMLRequest,
rather than SAMLQuery, which doesn't appear in an artifact request.
That's not a great deal of work (artifacts are only strings at a basic
level), so I can add the necessary additions to the Java
classes while I'm working on the code right now anyway. I expect to be
checking in the new Java library source this weekend or soon
after.
The RespondWith stuff doesn't apply when using artifacts, only when doing
actual queries. Artifacts are basically specially-encoded
references or pointers to a specific assertion. It's not a query so much as a
pointer-dereference across the network. The protocol
is the standard SOAP binding that OpenSAML already supports, so that part is
done.
The "harder" aspects of supporting the artifact profile are really the
surrounding functionality of building an artifact,
maintaining state at the authority that issues one so that it can respond,
and providing APIs to facilitate that, as I have done to
some extent with the POST profile.
Frankly, I don't know how much of that is really OpenSAML's business anyway.
The POST profile benefits from some APIs to aggregate
some of the work in building the signed Response, but the artifact profile is
really more of a servlet-level activity, I suspect.
> Are these test/sample servers available for SAML developers?
> If so, it will be helpful if I can connect to them for other query types.
The only SAML authority Shibboleth uses is an attribute authority, so they
only respond to attribute queries, and then only queries
that comply with Shibboleth Subject semantics.
OTOH, they do support some dummy queries right now for testing, using a SAML
subject name of "foo", so it's not impossible to just
send them a query out of the blue.
The reliably available one is at https://wayf.internet2.edu/shibboleth/AA
-- Scott
---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
---------------------------------------------------mace-opensaml-users--
- Any Authentication Authority available for testing?, Jad S. Boutros, 01/17/2003
- RE: Any Authentication Authority available for testing?, Scott Cantor, 01/18/2003
- RE: Any Authentication Authority available for testing?, Jad S. Boutros, 01/18/2003
- RE: Any Authentication Authority available for testing?, Scott Cantor, 01/18/2003
- RE: Any Authentication Authority available for testing?, Jad S. Boutros, 01/18/2003
- RE: Any Authentication Authority available for testing?, Scott Cantor, 01/18/2003
Archive powered by MHonArc 2.6.16.