
mace-opensaml-users - RE: Handling Assertions where Signed element isn't nested (1.1b)


RE: Handling Assertions where Signed element isn't nested (1.1b)


  • From: "Scott Cantor" <>
  • To: "'Glen Smith'" <>, <>
  • Subject: RE: Handling Assertions where Signed element isn't nested (1.1b)
  • Date: Mon, 1 May 2006 16:48:23 -0400
  • Organization: The Ohio State University

> I have an incoming SOAP header with a signed identity assertion and was
> wondering if I can leverage OpenSAML 1.1b to validate the signing for
> me.

The scope of OpenSAML 1.1 is handling signed SAML objects. What you're
talking about is WS-Security, and it wasn't in scope.

It's not in scope for 2.0 either, but the underlying libraries should be
more extendable to assist with such cases. But WS-Security isn't that
simple. If things like WSS4J don't meet your needs, that's a tough thing to
just one-off.

> I could do the XMLSig by hand using the underlying Apache lib.... but
> I'd only be duplicating the logic already inside that sign() method on
> SAMLSignedObject - which makes me think I've got the wrong idea about
> how I should be going about this.

I think you'd be shocked at how little the code inside SAMLSignedObject has
to do with it. WS-Security is much more complex, not tightly constrained
like SAML signatures are. There's really not much there to reuse.

> Any ideas? BTW... really great library. I've used it at another client's
> site and it's saved us a ton of time.

I'm happy it helped.

If you're doing Java, I guess you should try WSS4J. I think we'd be
interested in the ease with which you manage to accomplish that.

-- Scott
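As an added illustration of the structural difference the reply describes (example code written for this archive page, not OpenSAML's or WSS4J's code): a SAML 1.1 signature is enveloped, so the ds:Signature sits inside the saml:Assertion and its single ds:Reference points back at the parent's AssertionID, which is the narrow case SAMLSignedObject handles. A WS-Security signature sits in the wsse:Security header and its References can point anywhere in the envelope, here the Body via a wsu:Id and the assertion via its AssertionID. The script resolves each Reference URI against the ID-type attributes in the document and classifies each signature by where it sits and what it covers. It uses only the standard library; the envelope is constructed for the example with placeholder digest and signature values, and no cryptographic verification is performed, since that is the part being pointed at WSS4J.

```python
"""Resolve ds:Reference targets for enveloped (SAML 1.1) and detached
(WS-Security) signatures in a SOAP envelope. Example code for this page;
structure only, no signature verification."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
WSSE_SECURITY = "{%s}Security" % NS["wsse"]
# Attributes that carry element identity in the two profiles (assumed set for this example).
ID_ATTRS = ("AssertionID", "ID", "{%s}Id" % NS["wsu"])

# Constructed envelope: a detached WS-Security signature over Body and assertion,
# plus the assertion's own enveloped signature. Digest/signature values are placeholders.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#body"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Assertion AssertionID="_a1" MajorVersion="1" MinorVersion="1"
          Issuer="idp.example.org" IssueInstant="2006-05-01T20:48:23Z">
        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2006-05-01T20:48:23Z">
          <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
        </saml:AuthenticationStatement>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_a1">
              <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
              <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        </ds:Signature>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body"><ping/></soap:Body>
</soap:Envelope>"""


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def index_ids(root):
    """Map every ID-type attribute value to its element; a URI="#x" resolves here."""
    ids = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            value = el.get(attr)
            if value is not None:
                if value in ids:
                    raise ValueError("duplicate ID %r: reference target is ambiguous" % value)
                ids[value] = el
    return ids


def classify_signatures(xml_text):
    """Return one record per ds:Signature: where it sits and which elements it covers."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    parents = {child: parent for parent in root.iter() for child in parent}
    results = []
    for sig in root.iter(DS_SIGNATURE):
        parent = parents[sig]
        targets = []
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in ids:
                raise ValueError("unresolvable Reference URI %r" % uri)
            targets.append(ids[uri[1:]])
        if parent.tag == SAML_ASSERTION:
            # SAML 1.1 enveloped signature: exactly one Reference, and it must be the parent.
            if len(targets) != 1 or targets[0] is not parent:
                raise ValueError("SAML signature must reference only its own assertion")
            kind = "saml-enveloped"
        elif parent.tag == WSSE_SECURITY:
            kind = "wss-detached"  # references may land anywhere in the envelope
        else:
            kind = "other"
        results.append({"kind": kind, "parent": local_name(parent.tag),
                        "covers": [local_name(t.tag) for t in targets]})
    return results
```

Referencing the assertion directly by its AssertionID is a simplification for the example; the WS-Security SAML Token Profile reaches a SAML 1.1 assertion through a wsse:SecurityTokenReference rather than a plain fragment URI, which is one of the extra cases a WS-Security verifier has to handle and an enveloped-SAML verifier never sees.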



