OpenSAML user discussion

["Scott Cantor" <>]

> Does anyone know of any sample code and/or documentation available for the
> OpenSAML libraries?  I've been figuring out answers to my questions
> bit-by-bit, but it is extremely time consuming to browse through the
> Shibboleth code and OpenSAML test code looking for answers to particular
> questions when you're not intimately familiar with the classes.

Sorry, just haven't had any time for it. I guess OpenSSL is slowly making me
immune to the lack of either one. I've read about 50% of the SSL and
certificate implementation in the last year or so. It sucks, no doubt.

> One of my general questions has to do with the signature.  When performing
> a verify() on a SAMLObject, does the verify() method perform all of the
> specified canonicalization and transforms or does that have to be done
> manually somehow?

It does everything except determine if the signer can be trusted. If the
call succeeds, the integrity of the message is intact.

> Also, I'm curious about the reason behind the decision to use exceptions
> to handle response status instead of using the SAMLObject model 
> and having a SAMLStatus class?

Personal decision that might be worth revisiting for 2.0 along with the
entire exception/status code relationship. Fundamentally, both Java and C++
essentially don't function without exceptions, so there was no obvious
reason not to adhere to that instead of inventing more error handling
metaphors.

-- Scott