OpenSAML user discussion

[Scott Cantor <>]

> The API gives a method send which will return the SAML responce. But how
do
> we give the target end point and the remote method of the web 
> service which will build the SAML responce back?

There is no guesswork currently about the remote method, the SAML binding is
a single request operation with a single output. That may change in 2.0.

The endpoint is currently established by the SAMLAuthorityBinding parameter.
Since that's to be deprecated in 2.0, I expect I'll have to change that.

> Also if i am 
> correct up to this point do we have a send with the same 
> method signature in the web service to handle the request?

No, I don't implement a web service. The binding class has a static method
to parse the request (receive) and then to return the response (respond) but
there's no actual web service around it. A simple servlet would typically be
used.

I do *not* advise using Axis or some kind of heavyweight SOAP stack for
this, personally, I don't think it's worth it. I do the SOAP parts anyway.
It was pure overhead that serves no purpose in the SAML protocol, but for
unfortunate non-technical reasons, it's in there.

> Can we get any sample code which demonstrate the 
> request/response protocol?

You could look at the AAServlet class in Shibboleth for an example that
implements the server half.

There's nothing too complex to do, you just write a servlet that sits on a
URL and calls receive() with the HttpRequest object and respond() with the
HttpResponse object.

-- Scott