
mace-opensaml-users - Equality of SAMLNameIdentifier objects

Subject: OpenSAML user discussion

  • From: "Markus Lorch" <>
  • To: <>
  • Subject: Equality of SAMLNameIdentifier objects
  • Date: Tue, 4 Jan 2005 16:08:03 -0500
  • Importance: Normal


Scott and others,

I am currently upgrading from openSAML 0.8 to openSAML 1.0.1
and had to change a couple of things due to changed interfaces
etc.

One issue that came up is with the change to SAMLSubject wrt the
use of SAMLNameIdentifier. I changed the code to use the
SAMLNameIdentifier class but now an equals operation on
two SAMLSubjects failed (verification if the subject
in an authorization decision stmt equals the subject
provided in the query). On the server side the subject
is extracted from the request as a SAMLSubject and this
object is used when constructing the response without modification.
On the client the equal comparison between the two failed.

I noted a slight difference in the XML encoding of the <Subject>
tag between request and response (the request had a namespace
associated, the response didn't) so I changed the
verification code to compare based on the NameIdentifiers by
doing:

subject.getName().equals(stmt.getSubject().getName())

but this fails as well.

So the next step was to look at three values of the SAMLNameIdentifier
(Name, Qualifier, Format) by printing them to screen. I found
that in the request the qualifier was set to "null" whereas it
was an empty string in the received response. (is this a bug
in the parser?) I thought that this may have made the equals
method fail. I thus created the subject for the request
with an empty string "" as the qualifier. Now the name, qualifier, format
strings of the sent out request subject and the received response subject
look exactly the same on the screen but the equals method still fails.

So now I compared the name, qualifier and format value individually
via a couple of if statements and .... they are equal, however the
equals method on the whole SAMLNameIdentifier object still fails.

Should a specialized equals method be provided by the object to
deal with this case?

In any case, is there a set of rules on how a subject has to be
matched to be considered equal? (I.e., I may have the same subject
that in the AuthorizationDecisionQuery provides only the name and format,
while in an embedded evidence element provides elaborate confirmation data
- I am arguing that the subjects, even though their confirmation data
differs, are the same entity.)

Any thoughts?

Markus
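
The value-based comparison asked about above, as an added example that is not part of the original message and is not OpenSAML code: it matches two SAML 1.x `<Subject>` elements on the NameIdentifier value, NameQualifier and Format only, so namespace prefixes and confirmation data do not affect the result. Treating an absent NameQualifier as equal to an empty one is an assumption, as are the class and method names and the constructed sample XML (Java 16 or later).

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class SubjectMatch {   // hypothetical helper, not an OpenSAML class
    static final String SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion";

    // The triple that identifies the principal; SubjectConfirmation is deliberately left out.
    record NameId(String name, String qualifier, String format) {}

    static NameId nameIdOf(String subjectXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // match on namespace URI, not on prefix
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(subjectXml))).getDocumentElement();
        Element ni = (Element) root.getElementsByTagNameNS(SAML1, "NameIdentifier").item(0);
        if (ni == null) throw new IllegalArgumentException("no NameIdentifier in Subject");
        // getAttribute() returns "" for a missing attribute, so absent and empty
        // NameQualifier compare equal (assumed policy).
        return new NameId(ni.getTextContent().trim(),
                ni.getAttribute("NameQualifier"), ni.getAttribute("Format"));
    }

    static boolean sameSubject(String a, String b) throws Exception {
        return nameIdOf(a).equals(nameIdOf(b));   // record equals() compares field values
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not taken from the thread.
        String fmt = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
        String request = "<saml:Subject xmlns:saml='" + SAML1 + "'>"
                + "<saml:NameIdentifier Format='" + fmt + "'>alice@example.org</saml:NameIdentifier>"
                + "</saml:Subject>";
        String response = "<Subject xmlns='" + SAML1 + "'>"
                + "<NameIdentifier NameQualifier='' Format='" + fmt + "'>alice@example.org</NameIdentifier>"
                + "<SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer"
                + "</ConfirmationMethod></SubjectConfirmation></Subject>";
        String other = request.replace("alice", "mallory");
        System.out.println(sameSubject(request, response));   // same principal
        System.out.println(sameSubject(request, other));      // different principal
    }
}
```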



