mace-opensaml-users - RE: SAML Assertion ids and interop
  • From: "Scott Cantor" <>
  • To: "'Ted Toth'" <>, <>
  • Subject: RE: SAML Assertion ids and interop
  • Date: Thu, 23 Jun 2005 22:48:48 -0400
  • Organization: The Ohio State University

> Bluntness is cool. However we don't live in a perfect
> world and OK the toolkits (and MS) aren't following
> the specs but what is a poor shmuck coder like me
> supposed to do when my customer wants a .Net client to
> talk to their 'secure' Java service?

Well, my bluntness was only meant as a warning that what you're dealing with
here are two broken implementations of a spec whose ink is barely dry. So
this is not mature technology (SAML is mature by comparison), and it could
well break more often than work.

So if your customer doesn't understand that, you're in the classic mess of
managing unrealistic expectations, I suppose.

> Well I'm going to
> talk to anyone who'll listen and try and get something
> put together that works even if it is only until the
> next release when it is broken again. One thing I do
> know for certain MS ain't going to do nothin about
> this issue anytime soon and my only hope lies in
> the open source world.

Speaking for myself, the open source world has no business making
Microsoft's attempts at undermining their own specs legitimate. But you
don't really have to accept my view on that, since:

- it's open source, so you're free to hack it however you want to
- I'm not your problem here; my code isn't the library causing your problem,
which I hope I explained to some degree in my response

My code doesn't do WSS. Your problem is whatever code is packaging up the
assertion, adding illegal attributes (and apparently doing it wrong!), and
then signing the message. Perhaps WSS4J from Apache? But I really couldn't
tell you for sure.

My point in warning you about OpenSAML was that if your code *produces*
illegal SAML such as your example (the reverse of your question, I think?),
you stand a chance of seeing it rejected by the OpenSAML library you
suspected is running on the server. And I couldn't fix that any time soon
even if I wanted to. I currently validate everything I parse, which means if
it's not schema-legal I never see it.

-- Scott
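An added example to illustrate the point made above about schema-legal assertions; it is not code from this thread, from OpenSAML or from any of the toolkits mentioned. It is a small stand-alone lint, not a full schema validator: it checks the root saml:Assertion of a SAML 1.1 assertion for attributes the schema does not declare and for an AssertionID that is not a lexically valid xs:ID (an NCName, so it cannot start with a digit or contain a colon). The attribute set is the one the SAML 1.1 assertion schema declares on Assertion; the sample assertions, the foreign namespace and the ID values are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ASSERTION_TAG = "{%s}Assertion" % SAML1_NS

# Attributes the SAML 1.1 schema declares on saml:Assertion; all are required.
ASSERTION_ATTRS = {"MajorVersion", "MinorVersion", "AssertionID", "Issuer", "IssueInstant"}

# xs:ID is an NCName: leading letter or underscore, no colons. ASCII-only
# simplification of the XML Name production, sufficient for typical IDs.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def check_assertion(xml_text):
    """Return a list of schema problems found on the root saml:Assertion.

    An empty list means the root element's attributes are schema-legal;
    a schema-validating parser would refuse anything reported here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        return ["root element is %s, not saml:Assertion" % root.tag]

    problems = []
    # ElementTree reports namespaced attributes as "{uri}local", so any
    # attribute from another specification shows up as undeclared here.
    for name in root.attrib:
        if name not in ASSERTION_ATTRS:
            problems.append("attribute not declared by the schema: %s" % name)
    for name in sorted(ASSERTION_ATTRS):
        if name not in root.attrib:
            problems.append("required attribute missing: %s" % name)
    aid = root.attrib.get("AssertionID")
    if aid is not None and not NCNAME_RE.match(aid):
        problems.append("AssertionID is not a valid xs:ID: %r" % aid)
    return problems


# Constructed sample: schema-legal root element.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    Issuer="https://idp.example.org" IssueInstant="2005-06-23T22:48:48Z">
  <saml:Conditions/>
</saml:Assertion>"""

# Constructed sample: an attribute from a foreign namespace that the
# schema does not allow, plus an ID that starts with a digit.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ex="urn:example:foreign" ex:Id="token-1"
    MajorVersion="1" MinorVersion="1"
    AssertionID="1234-abc"
    Issuer="https://idp.example.org" IssueInstant="2005-06-23T22:48:48Z">
  <saml:Conditions/>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(doc) or "schema-legal")
```

Running the block prints an empty problem list for the first sample and two findings for the second: the undeclared foreign attribute and the non-NCName AssertionID. That is exactly the class of input a schema-validating consumer rejects before any signature or assertion logic ever runs.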