mace-opensaml-users - Interoperability tests with 9 SAML products
Subject: OpenSAML user discussion
List archive
- From: "Cortezzo, Jason" <>
- To:
- Subject: Interoperability tests with 9 SAML products
- Date: Tue, 12 Apr 2005 15:23:30 -0400
I've leveraged OpenSAML into a security system for my employer. Over the
last few weeks, I've tested the system against 9 SAML-capable commercial
products. The tests were fairly limited. They only involved my system
making a SAML request with an artifact and the other products responding
with an assertion.
The 9 products were...
Entrust GetAccess
HP Select Access
Entegrity AssureAccess
Netegrity SiteMinder
Sun Identity Server
Trustgenix Identity Bridge
RSA Federated Identity Manager
IBM Tivoli Federated Identity Manager
Oblix ShareID
Of the 9, issues arose with only 2 of the products. The Entegrity product
produced SOAP envelopes with an "encodingStyle" attribute on the <Envelope>
element. This violated the SOAP schema and caused parser errors. We
discussed this on this mailing list a few weeks ago. I ended up changing
the SOAP schema that OpenSAML uses so that the attribute was allowed. I
think this was checked into the OpenSAML CVS.
The only other issue was with the Entrust product. It, for some reason, did
not like the format of the SAML requests. It wanted to see namespace
prefixes on all of the elements. I ended up changing the code so that
instead of producing requests that look like...
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Body>
<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2005-04-06T20:38:27.152Z" MajorVersion="1" MinorVersion="0"
RequestID="e44bb489f2fb5502ea06e74e33341f0e">
<AssertionArtifact>AAGHqc8C2oZ5gouSayZTCmDTp1jA1EhkQc2geTrsncy1uJla7w6BlYXn<
/AssertionArtifact>
</Request>
</Body>
</Envelope>
It produced requests that look like...
<soap-env:Envelope
xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Body>
<samlp:Request
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2005-04-11T15:30:07.958Z" MajorVersion="1" MinorVersion="0"
RequestID="fcbe3d56127c756bbf222155249347ec">
<samlp:AssertionArtifact>AAGgAotwWCB5FsPMM+kd+oEDbUhhWzIzu65tjuztekMiOo4cR/L
BCwa9</samlp:AssertionArtifact>
</samlp:Request>
</soap-env:Body>
</soap-env:Envelope>
This change seemed to make the Entrust product happy while maintaining
interoperability with all of the other products.
I may soon be repeating the testing in the opposite role - with my system
receiving the requests and sending the responses. If so, I'll share the
results.
-Jason
- Interoperability tests with 9 SAML products, Cortezzo, Jason, 04/12/2005
- RE: Interoperability tests with 9 SAML products, Scott Cantor, 04/12/2005
Archive powered by MHonArc 2.6.16.