mace-opensaml-users - RE: Clarifying: if *signing*, then don't use SAML 1.0 ?

RE: Clarifying: if *signing*, then don't use SAML 1.0 ?


  • From: "Scott Cantor" <>
  • To: <>, <>
  • Subject: RE: Clarifying: if *signing*, then don't use SAML 1.0 ?
  • Date: Fri, 22 Jul 2005 23:50:21 -0400
  • Organization: The Ohio State University

> I wanted to check if I misunderstood part of a thread on this
> list; it sounded like one should not use OpenSAML to sign
> Response objects if one is using SAML 1.0. Rather, it sounds
> like OpenSAML should be set to use SAML 1.1 if one is
> creating and signing Responses. So I wanted to check, is that right?

Signing is not well-defined in SAML 1.0, and I don't promise anything
approaching reasonable or correct behavior. In general, SAML 1.0 is dead and
should never be used unless you have no choice. Other than the unfortunate
choice made by the federal government's e-authn initiative due to the time they
started looking at this, I don't know of any 1.0 uses.

> One more clarifying question, is it safe to say that even if
> OpenSAML should only use SAML 1.1 to *sign* Responses, it
> nevertheless is fine for consuming and *verifying* SAML 1.0 Responses?

No, absolutely not. The spec is not defined in a way that makes it usable.
There's no way I could verify a SAML 1.0 signature, so there is basically no
such thing.

-- Scott
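An added example, not from the original thread and not OpenSAML code: a consumer-side gate in Python that applies the advice above, refusing to sign or verify a SAML 1.0 Response outright and, for SAML 1.1, checking the structural preconditions (an enveloped ds:Signature whose single Reference points at the Response's own ResponseID) before handing the document to an XML-DSig library. The namespace URIs and attribute names are those of the SAML 1.x schemas, which SAML 1.0 and 1.1 share (the version lives in MajorVersion/MinorVersion, not in the namespace); the sample messages, the ResponseID value and the placeholder digest/signature values are constructed for this example, and the cryptographic verification itself is left to a real XML-DSig implementation.

```python
"""Gate SAML 1.x Responses before any signature processing.

Added example (not OpenSAML code, not from the original message).
Sample messages below are constructed; digest and signature values
are placeholders, so this never performs cryptographic verification.
"""
import xml.etree.ElementTree as ET  # production code: use defusedxml.ElementTree

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"  # same URI for SAML 1.0 and 1.1
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"


def classify_response(xml_text: str) -> dict:
    """Return {'version', 'accept', 'reason'} for a samlp:Response.

    accept is True only for a SAML 1.1 Response whose enveloped signature
    references the Response's own ResponseID. Anything else is refused
    before the XML-DSig library ever sees it.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")

    version = f"{root.get('MajorVersion')}.{root.get('MinorVersion')}"
    out = {"version": version, "accept": False, "reason": ""}

    # SAML 1.0 signing is undefined: neither sign nor attempt to verify.
    if version != "1.1":
        out["reason"] = f"SAML {version}: signing is not defined; refuse to sign or verify"
        return out

    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        out["reason"] = "SAML 1.1 Response carries no ds:Signature"
        return out

    # Exactly one Reference, and it must be a same-document reference to ResponseID.
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    want = "#" + (root.get("ResponseID") or "")
    if [r.get("URI") for r in refs] != [want]:
        out["reason"] = f"signature must contain exactly one Reference with URI {want}"
        return out

    # The signature is a child of the element it signs, so it must be enveloped.
    transforms = [t.get("Algorithm") for t in refs[0].iter(f"{{{DS}}}Transform")]
    if ENVELOPED not in transforms:
        out["reason"] = "Reference lacks the enveloped-signature transform"
        return out

    out["accept"] = True
    out["reason"] = "SAML 1.1 enveloped signature over ResponseID; hand to XML-DSig verifier"
    return out


def sample_response(minor: str) -> str:
    """Constructed SAML 1.x Response (MinorVersion chosen by caller)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:ds="{DS}"
    ResponseID="_abc123" MajorVersion="1" MinorVersion="{minor}"
    IssueInstant="2005-07-22T23:50:21Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
      <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
      <ds:Reference URI="#_abc123">
        <ds:Transforms>
          <ds:Transform Algorithm="{ENVELOPED}"/>
          <ds:Transform Algorithm="{EXC_C14N}"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="{DS}sha1"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    for minor in ("0", "1"):
        print(classify_response(sample_response(minor)))
```

The version gate runs before any signature handling on purpose: a SAML 1.0 Response can carry a syntactically valid ds:Signature, and the point of the message above is that its meaning is undefined, so the safe behaviour is to refuse it rather than let an XML-DSig library guess.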
