
mace-opensaml-users - RE: SAML 1.1 browser/artifact profile

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: "'Mintoo C'" <>, <>
  • Subject: RE: SAML 1.1 browser/artifact profile
  • Date: Fri, 4 Mar 2005 13:13:00 -0500
  • Organization: The Ohio State University

> We will primarily be using the Browser/Artifact Profile (not sure if
> support for destination-site-first or Source-Site-First or both is
> required currently).

There is no destination-site-first profile in SAML 1.1.

> There are a couple of questions I have on how well openSAML
> could complement us.

First of all, the next version of Shibboleth will support the Artifact
profile, so please consider whether it's worth your time to go off and
implement the same thing rather than contributing to that effort if
something about the current code doesn't satisfy you.

Secondly, OpenSAML is not the complete profile. It's a toolkit. Implementing
trust and security checking, proper configuration, integration with
applications, all of that is out of scope.

> 1/ Would openSAML work with any SOAP implementation (eg. - GLUE)

No. I do the SOAP binding by hand. There are hooks in cvs now for dealing
with SOAP headers if you need to extend the capability of the binding. You
don't need to use a SOAP implementation with it on either the SAML client or
server end. The server end does have to be Java servlet-based at the moment.

> 2/ Does openSAML cover the entire assertion and protocol schema?

Yes, with a few less-well-covered spots in places where arbitrary XML is
allowed, such as SubjectConfirmation and StatusDetail.

> If we take a deviation by using java-xml binding, how far could openSAML
> be re-used.

Probably not much at all.

> Are there any preferences/issues for openSAML not using java binding

I don't like generated code/APIs, I don't like tools that claim to support
XML Schema but break on the really hard stuff, I don't like the
extensibility model for dealing with schema extensions, and I want API
portability with C++, so Java-specific code doesn't interest me.

> 3/ The test suite doesn't seem to have a test class for the
> Browser/Artifact profile. Maybe I'm missing something here.

The cvs version is a complete rewrite of 1.0.1 and has support for artifact
handling now. What you're looking at would be a bad starting point. It
doesn't have a unit test for that specifically, but that's mainly because
artifact requires two entities running in real time, or a lot of mock
objects, so testing it is harder. There's not really that much code in the
profile, and both POST and artifact are handled in one unified way, so
testing one is a lot like testing the other from an SP standpoint.

> 4/ Do you have a starters kit. That would be helpful.

It would be, but this isn't a commercial or well-resourced (with bodies)
effort. I have what I have. If you want a more complete code base, you
should look at Shibboleth.

-- Scott



