
mace-opensaml-users - RE: SAMLNameIdentifier

Subject: OpenSAML user discussion

RE: SAMLNameIdentifier


  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, "'OpenSAML'" <>
  • Subject: RE: SAMLNameIdentifier
  • Date: Thu, 14 Apr 2005 19:13:14 -0400
  • Organization: The Ohio State University

> The SAML 1.1 spec requires the content of the <NameIdentifier> element
> to be encoded according to [XMLSig] when the Format attribute is set
> to X509SubjectName. Since this isn't done in OpenSAML, I presume
> implementations are required to do this step themselves. Correct?

If there's some way of actually verifying something like that, I don't know
what it would be; DNs can be anything (and when you think you've found the
rule, it's wrong). I don't use regular expressions much, so I wouldn't know
how to even begin to validate it.

> Also, speaking of SAMLNameIdentifier, I see that the three-arg
> constructor is defined to throw an exception but AFAIK this will never
> happen. Why is the constructor defined this way? Maybe it should
> validate the input arguments and actually throw an exception under
> some circumstances...

It used to (wrongly) require name, that's why it was typed with a throw.

I have no idea what I could possibly validate. Names can pretty much be
anything, and subject confirmation makes names look well-constrained.

-- Scott



  • SAMLNameIdentifier, Tom Scavo, 04/14/2005
    • RE: SAMLNameIdentifier, Scott Cantor, 04/14/2005
