mace-opensaml-users - RE: non-compliant Issuer content.

RE: non-compliant Issuer content.

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: non-compliant Issuer content.
  • Date: Tue, 12 Feb 2008 11:34:22 -0500
  • Organization: The Ohio State University

> In my case, the SSO is always initiated by the IdP, who redirects
> the browser to the SP with all required info in SAML attributes (and
> signed).

Yeah, I'm familiar with the theory. Users have a word for why that theory
doesn't usually hold up, it's called a bookmark. ;-)

> Must be so, but I thought it could "simply" look at the format
> attribute, since other kinds of issuer content should come with the
> format attribute to indicate a different syntax (in profiles other
> than Web SSO). But don't bother, I must be wrong. I haven't read it
> all.

It can't know the format if you don't provide it, and here it's not
provided. The format also doesn't imply a single profile. In the SSO case,
the profile implies a format (or at least a default), but again, the XML
layer doesn't know profiles.

> From this schema alone any string is valid Issuer content
> (since it is valid content when the Format attribute value is
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> )

Yep, you're right, I was thinking it was an attribute with anyURI type. And
no, we don't do semantic validation after the fact based on the format,
that's very expensive to do. Here, format is omitted anyway, and while it
defaults to entityID in the SSO profile instead of unspecified, that isn't
known at that layer of code.

-- Scott
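The layering discussed in this exchange, as an added example that is not code from the thread or from OpenSAML: the XML schema layer accepts any string as Issuer content because an omitted Format defaults to the 1.1 "unspecified" format, so the check that the content is actually an entityID has to be made by code that knows it is handling the Web Browser SSO profile. The block below parses a constructed SAML 2.0 Response, reports what the schema layer alone knows about the Issuer, and then applies the SSO profile rules (Format omitted or equal to the entity format; value an absolute URI of at most 1024 characters with no NameQualifier, SPNameQualifier or SPProvidedID; value equal to the IdP's entityID known from metadata). The sample messages, the expected entityID and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces and Format URIs from the SAML 2.0 specifications.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ISSUER_TAG = f"{{{SAML_NS}}}Issuer"


def _issuer_element(response_xml):
    # NOTE: for XML from an untrusted peer, parse with defusedxml instead of
    # the stdlib parser; ElementTree is used here only to keep the example
    # dependency-free.
    root = ET.fromstring(response_xml)
    return root.find(ISSUER_TAG)


def issuer_schema_format(response_xml):
    """What the XML/schema layer knows: the Format attribute as written, or
    the schema default (the 1.1 'unspecified' format) when it is absent.
    Under that default any string is valid Issuer content."""
    issuer = _issuer_element(response_xml)
    if issuer is None:
        return None
    return issuer.get("Format", FMT_UNSPECIFIED)


def validate_sso_issuer(response_xml, expected_entity_id):
    """Profile-level check that the schema layer cannot make.

    Applies the Web Browser SSO profile rules for <Issuer>: Format omitted or
    equal to the entity format; the entity-format constraints of SAML Core
    8.3.6 (absolute URI, at most 1024 characters, no qualifier attributes);
    and equality with the entityID the SP knows for this IdP from metadata.
    Returns (ok, reason)."""
    issuer = _issuer_element(response_xml)
    if issuer is None:
        return False, "Issuer element missing"

    fmt = issuer.get("Format")
    if fmt is not None and fmt != FMT_ENTITY:
        return False, f"Format {fmt!r} not permitted by the SSO profile"

    for attr in ("NameQualifier", "SPNameQualifier", "SPProvidedID"):
        if issuer.get(attr) is not None:
            return False, f"{attr} must be omitted for the entity format"

    value = issuer.text or ""
    if len(value) > 1024:
        return False, "entity identifier exceeds 1024 characters"
    if not urlparse(value).scheme:
        return False, f"entity identifier {value!r} is not an absolute URI"
    if value != expected_entity_id:
        return False, f"Issuer {value!r} does not match the expected entityID"
    return True, "ok"


# Constructed sample Responses (assumed, for illustration only).
_HEAD = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_c1" Version="2.0" IssueInstant="2008-02-12T16:34:22Z">'
)
_TAIL = "</samlp:Response>"

EXPECTED_IDP = "https://idp.example.org/idp"  # assumed entityID from metadata

GOOD_RESPONSE = _HEAD + f"<saml:Issuer>{EXPECTED_IDP}</saml:Issuer>" + _TAIL
# Schema-valid (any string is allowed under the default format) but not an
# entityID, which is exactly the case the thread is about.
FREE_TEXT_RESPONSE = _HEAD + "<saml:Issuer>My Test IdP</saml:Issuer>" + _TAIL
# Explicit 'unspecified' Format: schema-valid, rejected by the SSO profile.
UNSPECIFIED_RESPONSE = (
    _HEAD + f'<saml:Issuer Format="{FMT_UNSPECIFIED}">My Test IdP</saml:Issuer>' + _TAIL
)
# Well-formed entityID that is simply not the IdP we expect.
WRONG_IDP_RESPONSE = (
    _HEAD + "<saml:Issuer>https://other.example.net/idp</saml:Issuer>" + _TAIL
)


if __name__ == "__main__":
    for name, doc in [("good", GOOD_RESPONSE), ("free text", FREE_TEXT_RESPONSE),
                      ("unspecified", UNSPECIFIED_RESPONSE), ("wrong idp", WRONG_IDP_RESPONSE)]:
        print(f"{name:12} schema sees Format={issuer_schema_format(doc)}")
        print(f"{'':12} SSO profile: {validate_sso_issuer(doc, EXPECTED_IDP)}")
```

The point of the two functions is the split Scott describes: `issuer_schema_format` returns the same "unspecified" default for the good Response and for the free-text one, so nothing at that layer can reject "My Test IdP"; only `validate_sso_issuer`, which knows it is processing the SSO profile, has enough context to require an entityID and to compare it against metadata.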
