OpenSAML user discussion

[Bradley Beddoes <>]

Hi Scott,

Scott Cantor wrote:
> > Essentially there are several pieces of the 2.0 spec that would be very 
> > useful in the design of this project as it currently stands but I note 
> > that the code repository clearly states that it should not be used in 
> > production systems.
>
> That's a necessary caution to discourage use by people who aren't equipped
> to handle less than complete documentation, bugs, API changes, etc.
>
> It's also not really in a state for people who are complete novices to XML,
> the language environment, etc. to deal with it. We don't have time to go
> overboard helping people deal with basic things until we ship, so the
> warning helps limit use until then.

More then understand, we have similar problems with people here 
expecting production quality support for in development code bases.


> > Timelines for starting work on this project in a technical sense are 
> > within the next month to two months with completion by early 2007.
>
> You're on about the same timeline Shibboleth is, so the code has to be
> stable by then. But a lot of APIs aren't even started yet, and probably
> won't be locked down until late in the Shibboleth development cycle.
>
> We also are used to being the only large scale users. If other projects use
> the code, I expect other problems might come to light that we can address.

Would be more then happy to feed back any issues we locate with patches 
or advisories.

> > Could you please advise if the code (both Java and C++) is stable enough 
> > for usage now or if not how stability plans may fit in with my 
> > timelines. Should it prove to not be a happy fit we will have to look at 
> > using the 1.1 compliant opensaml code.
>
> I think most of what's there works, and most of it is pretty API stable. But
> virtually all higher level binding and profile work is completely TBD. We do
> have a lot of cryptographic support in core now, stuff that used to be all
> in Shibboleth. That makes the library itself more useful.

The cryptographic stuff will be very helpful on what is a tight time 
line already here.

> I tend to let build docs and other C++ niceties lag for the simple reason
> that virtually nobody else uses that code. It makes it possible for me to be
> lazy about things when I'm the only user. If somebody is actually using it,
> that tends to motivate me more. But I don't have the time until Shibboleth
> is farther along to really get the build documented properly for novices. At
> least now there are complete API docs available though, and a lot more unit
> tests.

No problems, we may even be able to contribute some of this 
documentation as we get into using the library further, for now it looks 
like the negatives associated with not going SAML 2 will out weigh the 
risks of using this library so you guys can probably expect to hear some 
more from me over the coming months. Thanks for your input thus far.

regards,
Bradley

> -- Scott