mace-opensaml-users - RE: SAMLNameIdentifier
Subject: OpenSAML user discussion
- From: "Scott Cantor"
- To: "'Tom Scavo'", "'OpenSAML'"
- Subject: RE: SAMLNameIdentifier
- Date: Thu, 14 Apr 2005 19:13:14 -0400
- Organization: The Ohio State University
> The SAML 1.1 spec requires the content of the <NameIdentifier> element
> to be encoded according to [XMLSig] when the Format attribute is set
> to X509SubjectName. Since this isn't done in OpenSAML, I presume
> implementations are required to do this step themselves. Correct?

If there's some way of actually verifying something like that, I don't know
what it would be. DNs can be anything (and when you think you've found the
rule, it's wrong). I don't use regular expressions much, so I wouldn't know
how to even begin to validate it.

> Also, speaking of SAMLNameIdentifier, I see that the three-arg
> constructor is defined to throw an exception but AFAIK this will never
> happen. Why is the constructor defined this way? Maybe it should
> validate the input arguments and actually throw an exception under
> some circumstances...

It used to (wrongly) require name, that's why it was typed with a throw.
I have no idea what I could possibly validate. Names can pretty much be
anything, and subject confirmation makes names look well-constrained.

-- Scott
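
Added example (not part of the original thread, and not OpenSAML code): a sketch of the caller-side encoding step the question refers to, applying the string rules [XMLSig] gives for DNames to each attribute value before the DN is placed in a NameIdentifier with the X509SubjectName format. The class and method names and the sample values are hypothetical; multi-valued RDNs are not handled.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

// Added illustration: class and method names are hypothetical, not OpenSAML API.
public class XmlSigDnEncoder {
    static final String X509_SUBJECT_NAME_FORMAT =
        "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    // Escapes one attribute value per the [XMLSig] DName string rules.
    static String escapeValue(String value) {
        int end = value.length();
        while (end > 0 && value.charAt(end - 1) == ' ') end--; // trailing spaces start here
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < end; i++) {
            char c = value.charAt(i);
            if (c <= 0x1f) {
                // ASCII control character: "\" plus its two-digit hex number
                out.append(String.format("\\%02x", (int) c));
            } else if (",+\"\\<>;".indexOf(c) >= 0 || (i == 0 && (c == '#' || c == ' '))) {
                // Special character, or leading '#' / space (the latter per RFC 2253)
                out.append('\\').append(c);
            } else {
                out.append(c);
            }
        }
        for (int i = end; i < value.length(); i++) out.append("\\20"); // not "\ "
        return out.toString();
    }

    // Joins type=value pairs, given most-specific RDN first, into one DN string.
    static String buildDn(Map<String, String> rdns) {
        StringJoiner dn = new StringJoiner(",");
        rdns.forEach((type, value) -> dn.add(type + "=" + escapeValue(value)));
        return dn.toString();
    }

    public static void main(String[] args) {
        Map<String, String> rdns = new LinkedHashMap<>(); // constructed sample values
        rdns.put("CN", "Doe, Jane ");
        rdns.put("O", "#1 Widgets\tInc");
        rdns.put("C", "US");
        // The result is the text content for a NameIdentifier whose Format is
        // X509_SUBJECT_NAME_FORMAT; the XML serializer still applies XML escaping.
        System.out.println(X509_SUBJECT_NAME_FORMAT);
        System.out.println(buildDn(rdns));
    }
}
```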