OpenSAML user discussion

[Chad La Joie <>]

Xavier Drudis Ferran wrote:
> So Ok, I understand opensaml is meant to deal with compliant SAML
> assertions, not with this. I'm just commenting this because I don't
> know whether opensaml should detect this and fail validation. Or fail
> marshalling or something. I suspect the assertion has been generated
> (ab)using opensaml for java.

Scott and I had a number of discussion about whether to validate 
messages or not and finally sided with the "Be conservative in what you 
produce; be liberal in what you accept." maxim.  So OpenSAML will at the 
very least parse the message unless the XML is malformed or there are 
really screwed up data types (e.g. the element/attribute is supposed to 
be an int the XML has a  value of "foo").

Now, you can do validation if you want.  You can get the SAML schema 
from org.opensaml.common.xml.SAMLSchemaBuilder and then validate with 
that.  At which point you'll learn that hardly any (probably none) 
products out there actually produces totally valid SAML.

> I don't know how easy it is to check issuer syntax, because the
> content syntax depends on the format attribute. It's best for me that
> it does not fail validation, so I'm fine with what it does now, but
> for opensaml in general, I don't know.

Well, the syntax is fairly easy to check as it's just a URI.  You could 
run it through the java.net.URI class and it'll throw an exception if 
it's not valid.  Whether the content actually *means* anything once you 
check that its syntax is valid is another question.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch