mace-opensaml-users - Re: non-compliant Issuer content.

Subject: OpenSAML user discussion

Re: non-compliant Issuer content.

  • From: Xavier Drudis Ferran <>
  • To:
  • Subject: Re: non-compliant Issuer content.
  • Date: Tue, 12 Feb 2008 17:03:31 +0100

On Tue, Feb 12, 2008 at 10:21:04AM -0500, Scott Cantor wrote:
> For example, without metadata, you can't start SSO at the SP, because you
> don't know where to send the user. You also can't use the artifact binding,
> because you don't know where to resolve the artifact. Etc.
>

All I need is the SAML attributes I get in the assertion, hopefully.

> The certificate alone doesn't give you any of that, so you have to limit
> your feature set to a fairly constrained subset. Sometimes that's what
> people want, but sometimes they don't understand enough to know what they
> want.
>

Sometimes both: even people who don't understand enough really want
that limited feature set. I can't use a bigger feature set if the
entities I'm interoperating with don't support them.

In my case, the SSO is always initiated by the IdP, who redirects
the browser to the SP with all required info in SAML attributes (and signed).

> > So Ok, I understand opensaml is meant to deal with compliant SAML
> > assertions, not with this. I'm just commenting this because I don't
> > know whether opensaml should detect this and fail validation. Or fail
> > marshalling or something. I suspect the assertion has been generated
> > (ab)using opensaml for java.
>
> OpenSAML can't know whether the profile in use requires a particular kind of
> Issuer.
>

Must be so, but I thought it could "simply" look at the format
attribute, since other kinds of issuer content should come with the
format attribute to indicate a different syntax (in profiles other
than Web SSO). But don't bother, I must be wrong. I haven't read it
all.

If you then set a wrong format value for your SAML profile, then opensaml
won't be able to tell, but at least it could tell the issuer content
does not follow the syntax mandated by the Issuer format attribute.
If nobody complies with that then it may not be very useful, though.

> > I don't know how easy it is to check issuer syntax, because the
> > content syntax depends on the format attribute. It's best for me that
> > it does not fail validation, so I'm fine with what it does now, but
> > for opensaml in general, I don't know.
>
> If you turned on schema validation, as Chad said, it would fail. If you were
> using OpenSAML 1.1, it would have failed already.
>

Then I misinterpret this:

<element name="Issuer" type="saml:NameIDType"/>

<complexType name="NameIDType">
  <simpleContent>
    <extension base="string">
      <attributeGroup ref="saml:IDNameQualifiers"/>
      <attribute name="Format" type="anyURI" use="optional"/>
      <attribute name="SPProvidedID" type="string" use="optional"/>
    </extension>
  </simpleContent>
</complexType>

From this schema alone any string is valid Issuer content (since it is
valid content when the Format attribute value is
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).

In the particular case of Web SSO the content must then be a URI,
but opensaml may not know this is the intended profile.

--
Xavi Drudis Ferran
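
The Format-aware Issuer check this message asks about (whether a library could at least tell that the content does not follow the syntax the Format attribute mandates, and the stricter rule Web SSO adds on top), as an added example written for this page in Python; it is not code from the thread or from OpenSAML. The rules encoded are the ones in SAML 2.0 Core (an omitted Format on <Issuer> means the entity format; entity identifiers are URIs of at most 1024 characters with no qualifier attributes; persistent and transient identifiers are at most 256 characters) and in the Web SSO profile (Format omitted or entity, value equal to the IdP's entityID). The assertion skeleton, the entityID and the Issuer values are constructed for the example, and the URI and email checks are deliberately loose shape checks, not full RFC validation.

```python
"""Format-aware syntax checks on a SAML 2.0 <Issuer>.

Added example for this thread; it is not OpenSAML code. The rules come from
SAML 2.0 Core (sections 2.2.5 and 8.3) and Profiles (section 4.1.4.2).
"""
import re
from urllib.parse import urlsplit
# On untrusted XML use defusedxml.ElementTree instead (entity-expansion attacks).
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUER_TAG = "{%s}Issuer" % SAML_NS

FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
QUALIFIER_ATTRS = ("NameQualifier", "SPNameQualifier", "SPProvidedID")


def is_absolute_uri(s):
    """Cheap URI sanity check: non-empty, no whitespace, has a scheme."""
    return bool(s) and not re.search(r"\s", s) and bool(urlsplit(s).scheme)


def check_issuer_syntax(issuer):
    """Return the list of ways the Issuer content violates its (effective) Format."""
    problems = []
    content = (issuer.text or "").strip()
    # Core 2.2.5: for <Issuer> specifically, an omitted Format means the entity format.
    fmt = issuer.get("Format", FMT_ENTITY)
    if fmt == FMT_ENTITY:
        # Core 8.3.6: a URI of at most 1024 characters, with no qualifier attributes.
        if not is_absolute_uri(content) or len(content) > 1024:
            problems.append("entity format: content is not a URI of <= 1024 chars")
        for attr in QUALIFIER_ATTRS:
            if issuer.get(attr) is not None:
                problems.append("entity format: %s attribute must be omitted" % attr)
    elif fmt in (FMT_PERSISTENT, FMT_TRANSIENT):
        # Core 8.3.7 / 8.3.8: at most 256 characters.
        if not content or len(content) > 256:
            problems.append("persistent/transient format: content must be 1..256 chars")
    elif fmt == FMT_EMAIL:
        # Core 8.3.2: an addr-spec; a loose shape check is enough to catch garbage.
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", content):
            problems.append("emailAddress format: content is not an addr-spec")
    elif fmt == FMT_UNSPECIFIED:
        pass  # no syntax is mandated, so anything goes (as the schema alone allows)
    elif not is_absolute_uri(fmt):
        problems.append("Format attribute is not a URI")
    # Any other (private) format: the content syntax is unknown, nothing to check.
    return problems


def check_web_sso_issuer(issuer, expected_entity_id):
    """Profiles 4.1.4.2: Format omitted or entity, and the value is the IdP's entityID."""
    problems = check_issuer_syntax(issuer)
    fmt = issuer.get("Format")
    if fmt is not None and fmt != FMT_ENTITY:
        problems.append("Web SSO: Format must be omitted or be the entity format")
    if (issuer.text or "").strip() != expected_entity_id:
        problems.append("Web SSO: Issuer is not the expected IdP entityID")
    return problems


def issuer_of(assertion_xml):
    """Return the <Issuer> that is a direct child of the root element."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find(ISSUER_TAG)  # direct child only; ignores nested Issuers
    if issuer is None:
        raise ValueError("no <saml:Issuer> child")
    return issuer


def _assertion(issuer_markup):
    """Wrap one constructed Issuer in a minimal (unsigned) assertion skeleton."""
    return ('<saml:Assertion xmlns:saml="%s" ID="_c1" Version="2.0" '
            'IssueInstant="2008-02-12T16:00:00Z">%s</saml:Assertion>'
            % (SAML_NS, issuer_markup))


# Constructed sample inputs (not taken from the thread).
IDP_ENTITY_ID = "https://idp.example.org/idp"
GOOD = _assertion('<saml:Issuer>%s</saml:Issuer>' % IDP_ENTITY_ID)
BAD_ENTITY = _assertion('<saml:Issuer NameQualifier="example.org">Example IdP</saml:Issuer>')
TRANSIENT = _assertion('<saml:Issuer Format="%s">_3f2a</saml:Issuer>' % FMT_TRANSIENT)


def main():
    for label, doc in (("good", GOOD), ("bad-entity", BAD_ENTITY), ("transient", TRANSIENT)):
        issuer = issuer_of(doc)
        print(label, "syntax:", check_issuer_syntax(issuer) or "ok")
        print(label, "web-sso:", check_web_sso_issuer(issuer, IDP_ENTITY_ID) or "ok")


if __name__ == "__main__":
    main()
```

The split into two functions mirrors the point of the exchange: the syntax check only needs the Format attribute and can live in a generic library, whereas the Web SSO check needs profile knowledge (and the expected entityID, which in practice comes from metadata or, in the certificate-only setup described here, from local configuration). The transient sample passes the syntax check but fails the profile check, which is exactly the case a generic validator cannot decide on its own.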



