
mace-opensaml-users - RE: SOAP library

Subject: OpenSAML user discussion


RE: SOAP library


  • From: "Scott Cantor" <>
  • To: "'Andreas Åkre Solberg'" <>, "'OpenSAML'" <>
  • Subject: RE: SOAP library
  • Date: Mon, 27 Feb 2006 12:12:27 -0500
  • Organization: The Ohio State University

> I have always thought that openSAML was totally independent of a soap
> library, interfacing the soap library with a DOM object, XML stream
> or string. But today I was told that openSAML contains a SOAP
> implementation.

It contains a minimal implementation of the SAML SOAP binding, and includes
some hooks for pre/post-processing of the SOAP envelope and the HTTP
connection, which could be used to add or examine headers. I wouldn't call
that a SOAP library, but it's a poor-man's substitute for that, given that I
heard nothing consistently positive about any SOAP libraries from anybody
that uses them. Axis being at the head of that list, people seem to love it
or hate it, and the haters seem to outnumber the lovers.

As Walter said, it was a matter of need, and I didn't need anything more
than I wrote.

> Diving into the source I found something that looks like a simple
> SOAP implementation. What is the quality of this implementation -
> production ready?

For the SAML binding, it is certainly production ready, mostly because I
don't know what that actually means. It works for SAML. What else are you
after?

> To be used with HTTP servlets?

It requires HTTP servlets, yes. At least on the server-side. It does not do
any server HTTP processing at all, it has to run inside a servlet container.

> Can it be used with Apache?

I don't know what you mean by that. When I see Apache, I think the web
server, but I'm not sure you mean that. It only depends on the servlet API,
that's all.

> Does it scale to tens and hundreds of simultaneous
> transactions?

It's not doing anything in the way of real work, since SAML tunnels all the
real data inside of SOAP, so yeah, it scales fine.

> Is it used in Shibboleth?

Yes.

> Does it work with SSL two-way cert auth?

It comes with a minimal version that is only a toy. Doing real work with TLS
requires dynamic evaluation of credentials, not static trust lists, so you
have to use the HTTPHook functionality in OpenSAML to get real work done on
the client side, as Shibboleth does. On the server side, it's mostly left
out of scope, since Java exposes the certificate chain.

> Would you recommend using this built-in SOAP thing or
> accompany openSAML with axis or JAX-WS? Would you prefer JAX-WS or
> axis together with openSAML?

I think if you don't need anything *more* than the basic SAML binding, you
should probably use the built-in code or even enhance it if you like. If you
need a real SOAP stack, and plan to use lots of headers or maybe other weird
features, then maybe not. It just depends. I think Axis seems like a bit of
an overblown solution to the simple problem of how to dispatch SOAP calls.
My personal feeling is that each SOAP endpoint should be URL-addressable,
and so I don't personally think that feature matters much.

> Looking into the java-opensaml2 module of opensaml 2.0 I could not
> find much SOAP stuff. Is it left out, or does it exist in the XML
> tool module or in shib?

Chad addressed that, but I'm inclined to believe I'll port over the existing
code, simply because it works well. Putting it another way, I certainly plan
to reuse the C++ code.

We're mainly hoping that the new marshalling code can deal better with all
the DOM nastiness that composing libraries together usually results in.

-- Scott
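
The point in the message above about TLS needing dynamic evaluation of credentials rather than static trust lists, as an added example that is not part of the original post and is not OpenSAML or Shibboleth code. It uses only standard JSSE classes (Java 17+), does not use the HTTPHook interface, and assumes a hypothetical resolver that returns the SHA-256 certificate fingerprints currently published for the peer.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Set;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Trust is decided at each handshake from a live source, not from a fixed keystore. */
public final class DynamicTrustManager implements X509TrustManager {
    // Hypothetical resolver: lowercase-hex SHA-256 fingerprints currently valid for
    // the peer, for example re-read from federation metadata on every call.
    private final Supplier<Set<String>> trusted;

    public DynamicTrustManager(Supplier<Set<String>> trusted) { this.trusted = trusted; }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { evaluate(chain); }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { evaluate(chain); }

    // No static CA list is advertised to the peer.
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    private void evaluate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0)
            throw new CertificateException("no peer certificate presented");
        chain[0].checkValidity(); // expired or not-yet-valid certificates are rejected
        String fp;
        try {
            byte[] der = chain[0].getEncoded();
            fp = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(der));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        // Fail closed: an empty or stale-free set means nobody is trusted.
        if (!trusted.get().contains(fp))
            throw new CertificateException("peer certificate not in current trust data");
    }

    /** Builds a TLS context whose only trust decision is the dynamic lookup above. */
    public static SSLContext contextFor(Supplier<Set<String>> src) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DynamicTrustManager(src) }, null);
        return ctx;
    }
}
```

Because the fingerprint set is fetched inside each handshake, removing a credential from the source takes effect on the next connection without rebuilding a trust store.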



