OpenSAML user discussion

[Chad La Joie <>]

Ah, yes, you're right.  I read a '.' as ':' when I was looking at the spec.

I suspect that isn't the problem here, however.  And yeah, OpenSAML, at 
least the Java version, isn't going to catch that unless you do schema 
validation.

Scott Cantor wrote:
> > It's valid.  An ID just has to be a string (with a few character
> > limits), not a URI or anything.  So that's valid.  This error is almost
> > certainly screwing up the XML before the library gets it.
>
> No, I just checked, it's not legal.
>
> http://www.w3.org/TR/1999/REC-xml-names-19990114/#NT-NCName
>
> Anybody accepting that as an ID has broken code. Of course, absent schema
> processing, lots of ID code is brute forced and it might work by accident,
> even in OpenSAML.
>
> But somebody should inform the producer of that SAML that their code is
> wrong regardless.
>
> -- Scott

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch