OpenSAML user discussion

[Scott Cantor <>]

> I am not part of this list, but I am searching for documentation a maybe
> some sample code about how to use OpenSAML in order to manipulate SAML
> assertions within SOAP messages retrieved by a handler that runs inside
> Apache Axis.

Well, the SOAP stuff buried inside OpenSAML is orthogonal (at best) to what
you're talking about, so basically, you're not going to use the
SAMLSOAPBinding stuff or even be dealing with Request and Response protocol
stuff.

You'd need to basically wire in calls to the SAMLAssertion constructors into
those handlers so get assertion objects built from the data in the SOAP
header, I guess. I know nothing about Axis, so I'm speaking abstractly.

There are some standard ways of getting an assertion built:

- a DOM element at the root (the <saml:Assertion>)
- a Java input stream
- a string/byte array/etc

So the key is to hook into one of those.

The fun bit will be seeing if a signed assertion can be sucked in that way
and then seeing if the signature verifies.

One thing to keep in mind is that if you construct a SAML object using a
stream/string, OpenSAML parses and validates the XML. If you hand it the
DOM, it doesn't (since the DOM is parsed by you), but it *assumes* the XML
is valid, and if it's not, I guarantee you it will crash somewhere if the
input is bad.

-- Scott