
mace-opensaml-users - Re: OpenSAML examples/documentation

Subject: OpenSAML user discussion


Re: OpenSAML examples/documentation


  • From: "Mike Ferraro" <>
  • To: "Scott Cantor" <>, <>
  • Subject: Re: OpenSAML examples/documentation
  • Date: Wed, 21 Jul 2004 14:23:47 -0400

> > Does anyone know of any sample code and/or documentation available for
> > the OpenSAML libraries? I've been figuring out answers to my questions
> > bit-by-bit, but it is extremely time consuming to browse through the
> > Shibboleth code and OpenSAML test code looking for answers to particular
> > questions when you're not intimately familiar with the classes.
>
> Sorry, just haven't had any time for it. I guess OpenSSL is slowly making
> me immune to the lack of either one. I've read about 50% of the SSL and
> certificate implementation in the last year or so. It sucks, no doubt.

No doubt. No envy here.

>
> > One of my general questions has to do with the signature. When performing
> > a verify() on a SAMLObject, does the verify() method perform all of the
> > specified canonicalization and transforms or does that have to be done
> > manually somehow?
>
> It does everything except determine if the signer can be trusted. If the
> call succeeds, the integrity of the message is intact.
>

Fantastic. That's what I was looking for. I just got finished reading
through the XML-Sec info. From the look of it, everything is basically
taken care of through the XML-Sec library. Is that right?

> > Also, I'm curious about the reason behind the decision to use exceptions
> > to handle response status instead of using the SAMLObject model
> > and having a SAMLStatus class?
>
> Personal decision that might be worth revisiting for 2.0 along with the
> entire exception/status code relationship. Fundamentally, both Java and C++
> essentially don't function without exceptions, so there was no obvious
> reason not to adhere to that instead of inventing more error handling
> metaphors.

Ok. I understand the idea behind leveraging the existing error handling,
but from the look of the SAMLException it doesn't seem to handle the SAML
Status message structure as described in the documentation. Please, correct
me if I'm wrong, but I believe that I can have a valid Status element like
this:

<Status>
  <StatusCode Value="Requestor">
    <StatusCode Value="RequestDenied">
      <StatusCode Value="hursns:UnregisteredClient"/>
    </StatusCode>
  </StatusCode>
  <StatusMessage>There was a problem processing the request.</StatusMessage>
  <StatusDetail>Access to the requested attributes has been denied.</StatusDetail>
</Status>

From the API, it doesn't look like a SAMLException can account for a
hierarchical status response like this. The SAMLException seems to have a
"single-level" approach to status codes where they are all stored in a
Collection. Unless...are child-StatusCode elements translated into embedded
exceptions within the SAMLException class? But then I also don't see
functionality for maintaining the StatusDetail element, only the
StatusMessage?

-Mike
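
Added example, not part of the original post and not OpenSAML code: a small Python parser for the Status structure shown in the message above. In the SAML 1.x protocol schema each StatusCode may contain at most one nested StatusCode, so the hierarchy is a single chain that an ordered list preserves; the parser rejects a branching hierarchy and keeps StatusDetail alongside StatusMessage. The function names, the namespace declarations on the sample and the hursns URI are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"  # SAML 1.x protocol namespace
NS = {"samlp": SAMLP}

# Constructed sample mirroring the Status element in the post. The namespace
# declarations are added here; the hursns URI is a placeholder.
SAMPLE_STATUS = """\
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
              xmlns:hursns="urn:example:placeholder">
  <samlp:StatusCode Value="Requestor">
    <samlp:StatusCode Value="RequestDenied">
      <samlp:StatusCode Value="hursns:UnregisteredClient"/>
    </samlp:StatusCode>
  </samlp:StatusCode>
  <samlp:StatusMessage>There was a problem processing the request.</samlp:StatusMessage>
  <samlp:StatusDetail>Access to the requested attributes has been denied.</samlp:StatusDetail>
</samlp:Status>
"""


def status_code_chain(status):
    """Return StatusCode values outermost-first; reject a branching hierarchy."""
    chain, parent = [], status
    while True:
        children = parent.findall("samlp:StatusCode", NS)
        if len(children) > 1:
            raise ValueError("more than one StatusCode at the same level")
        if not children:
            return chain
        chain.append(children[0].get("Value"))
        parent = children[0]


def parse_status(xml_text):
    """Parse a samlp:Status into its code chain, message and detail text."""
    status = ET.fromstring(xml_text)
    if status.tag != "{%s}Status" % SAMLP:
        raise ValueError("root element is not samlp:Status")
    codes = status_code_chain(status)
    if not codes:
        raise ValueError("Status has no top-level StatusCode")
    detail = status.find("samlp:StatusDetail", NS)
    return {
        "codes": codes,
        "message": status.findtext("samlp:StatusMessage", namespaces=NS),
        "detail": None if detail is None else "".join(detail.itertext()).strip(),
    }
```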



