OpenSAML user discussion

["Scott Cantor" <>]

> I wanted to check if I misunderstood part of thread on this 
> list, it sounded like one should not use OpenSAML to sign 
> Response objects if one is using SAML 1.0.  Rather, it sounds 
> like OpenSAML should be set to use SAML 1.1 if one is 
> creating and signing Responses.  So I wanted to check, if that right?

Signing is not well-defined in SAML 1.0, and I don't promise anything
approaching reasonable or correct behavior. In general SAML 1.0 is dead and
should never be used unless you have no choice. Other than the unfortunate
choice made by the federal govt's e-authn initiative due to the time they
started looking at this, I don't know of any 1.0 uses.

> One more clarifying question, is it safe to say that even if 
> OpenSAML should only use SAML 1.1 to *sign* Responses, it 
> nevertheless is fine for consuming and *verifying* SAML 1.0 Responses?

No, absolutely not. The spec is not defined in a way that makes it usable.
There's no way I could verify a SAML 1.0 signature, so there is basically no
such thing.

-- Scott