
mace-opensaml-users - non-compliant Issuer content.

Subject: OpenSAML user discussion


non-compliant Issuer content.


  • From: Xavier Drudis Ferran <>
  • To:
  • Subject: non-compliant Issuer content.
  • Date: Tue, 12 Feb 2008 10:25:33 +0100

On Mon, Feb 11, 2008 at 03:09:08PM -0500, Scott Cantor wrote:
>
> It's irrelevant who it is, but it MUST be an entityID, period, at least for
> web SSO. Else it's non-compliant and you're in a world of pain because it's
> extremely difficult to backwards from a certificate to something else. As
> you clearly know.
>

Irrelevant? I thought the issuer content had to be the entity issuing
the assertion (which happens to be the one authenticating the user, in
my case, if I'm not badly mistaken). Anyway, the issuer content isn't
a URI, so it can't be an entityID, AFAIK (it has unescaped
whitespace, something like
<saml:Issuer> Project - Workplace Center name</saml:Issuer>
without even a format attribute).

So OK, I understand OpenSAML is meant to deal with compliant SAML
assertions, not with this. I'm just commenting on this because I don't
know whether OpenSAML should detect this and fail validation, or fail
marshalling or something. I suspect the assertion has been generated
by (ab)using OpenSAML for Java.

I don't know how easy it is to check issuer syntax, because the
content syntax depends on the format attribute. It's best for me that
it does not fail validation, so I'm fine with what it does now, but
for OpenSAML in general, I don't know.

Thanks for confirming I'm in a world of pain, and it's just not me
being stupid and feeling undue pain. :(

--
Xavi Drudis Ferran
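The check the two of them are circling, written out as an added example (this is not OpenSAML code and not part of the thread). It assumes the SAML 2.0 Core rule that an Issuer with no Format attribute defaults to the entity format, the Web Browser SSO Profile rule that the Issuer Format must be omitted or be the entity format, and that an entity-format value must be an absolute URI with no whitespace and at most 1024 characters. Python is used rather than Java because the point is the rule, not the OpenSAML API; the three assertions below are constructed for the example, the non-compliant one reusing the Issuer text quoted in the post.

```python
"""Validate a SAML 2.0 <saml:Issuer> the way a web-SSO relying party must.

Added example, not OpenSAML code. Assumptions (labelled): SAML 2.0 Core
says a NameIDType with no Format attribute is in the entity format; the
Web Browser SSO Profile says an assertion Issuer MUST omit Format or use
the entity format; an entity-format value MUST be a URI of at most 1024
characters. An Issuer that is not a URI cannot be looked up as an
entityID in metadata, which is the "world of pain" in the thread.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# RFC 3986 scheme, a colon, then at least one non-whitespace character.
# Whitespace anywhere (including the leading space from the post) fails.
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")


def is_entity_id(value: str) -> bool:
    """True if value is usable as an entityID (entity-format NameID)."""
    if value != value.strip() or len(value) > 1024:
        return False
    return ABSOLUTE_URI.match(value) is not None


def check_issuer(assertion_xml: str) -> tuple[bool, str]:
    """Return (ok, entityID) or (False, reason) for the assertion's Issuer.

    Run this only after the XML signature has been verified; the stdlib
    parser is used here on constructed input, not on untrusted network data.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None:
        return False, "no saml:Issuer element"
    # Spec default: a missing Format attribute means the entity format.
    fmt = issuer.get("Format", ENTITY_FORMAT)
    if fmt != ENTITY_FORMAT:
        return False, f"Issuer Format {fmt!r} is not allowed for web SSO"
    value = issuer.text or ""   # ElementTree keeps the whitespace as-is
    if not is_entity_id(value):
        return False, f"Issuer content {value!r} is not a URI, so not an entityID"
    return True, value


def _assertion(issuer_xml: str) -> str:
    """Constructed minimal assertion wrapping the given Issuer element."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_1" Version="2.0"'
        ' IssueInstant="2008-02-12T09:25:33Z">'
        f"{issuer_xml}"
        "</saml:Assertion>"
    )


# Constructed samples for this example.
COMPLIANT = _assertion(
    "<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>")
NON_COMPLIANT = _assertion(
    "<saml:Issuer> Project - Workplace Center name</saml:Issuer>")
WRONG_FORMAT = _assertion(
    f'<saml:Issuer Format="{PERSISTENT_FORMAT}">'
    "https://idp.example.org/idp/shibboleth</saml:Issuer>")


if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT),
                      ("non-compliant", NON_COMPLIANT),
                      ("wrong format", WRONG_FORMAT)):
        ok, detail = check_issuer(doc)
        print(f"{name:14s} -> {'OK ' if ok else 'FAIL'} {detail}")
```

The split into `is_entity_id` and `check_issuer` matches the point made in the message: the syntax rule for the content depends on the effective Format, so the Format (or its default) is resolved first and the URI rule is applied only for the entity format. A relying party would then look the returned entityID up in its metadata; an Issuer that fails here can never reach that lookup, which is why rejecting it early is the safer behaviour.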




