OpenSAML user discussion

[Scott Cantor <>]

> Thank you Scott for this info. I thought of subclassing 
> SAMLQuery to provide the AssertionArtifact component of the 
> request. If I understand correctly, we can populate the 
> RespondWith QName to ask for an authentication statement back 
> from the server and that one, the OpenSAML code already 
> validates properly. Is there more to it for the SOAP case?

Supporting the query end of the artifact profile would be handled by adding 
the necessary constructors and functions to SAMLRequest,
rather than SAMLQuery, which doesn't appear in an artifact request.

That's not a great deal of work (artifacts are only strings at a basic 
level), so I can add the necessary additions to the Java
classes while I'm working on the code right now anyway. I expect to be 
checking in the new Java library source this weekend or soon
after.

The RespondWith stuff doesn't apply when using artifacts, only when doing 
actual queries. Artifacts are basically specially-encoded
references or pointers to a specific assertion. It's not a query so much as a 
pointer-dereference across the network. The protocol
is the standard SOAP binding that OpenSAML already supports, so that part is 
done.

The "harder" aspects of supporting the artifact profile are really the 
surrounding functionality of building an artifact,
maintaining state at the authority that issues one so that it can respond, 
and providing APIs to facilitate that, as I have done to
some extent with the POST profile.

Frankly, I don't know how much of that is really OpenSAML's business anyway. 
The POST profile benefits from some APIs to aggregate
some of the work in building the signed Response, but the artifact profile is 
really more of a servlet-level activity, I suspect.

> Are these test/sample servers available for SAML developers? 
> If so, it will be helpful if I can connect to them for other query types.

The only SAML authority Shibboleth uses is an attribute authority, so they 
only respond to attribute queries, and then only queries
that comply with Shibboleth Subject semantics.

OTOH, they do support some dummy queries right now for testing, using a SAML 
subject name of "foo", so it's not impossible to just
send them a query out of the blue.

The reliably available one is at https://wayf.internet2.edu/shibboleth/AA

-- Scott

---------------------------------------------------mace-opensaml-users-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

---------------------------------------------------mace-opensaml-users--