
mace-opensaml-users - Re: non-compliant Issuer content.

Subject: OpenSAML user discussion

  • From: Xavier Drudis Ferran <>
  • To: Scott Cantor <>
  • Cc:
  • Subject: Re: non-compliant Issuer content.
  • Date: Tue, 12 Feb 2008 17:54:54 +0100

On Tue, Feb 12, 2008 at 11:34:22AM -0500, Scott Cantor wrote:
> > In my case, the SSO is always initiated by the IdP, who redirects
> > the browser to the SP with all required info in SAML attributes (and
> > signed).
>
> Yeah, I'm familiar with the theory. Users have a word for why that theory
> doesn't usually hold up, it's called a bookmark. ;-)
>

I don't think they want user bookmarks to work :( . Already before SSO
there were HTML frames and the same visible URL throughout the web
app. But I'm not saying this is a great idea, I just say I'm not going
to be able to work on a better idea even if I understood it.

> It can't know the format if you don't provide it, and here it's not
> provided. The format also doesn't imply a single profile. In the SSO case,
> the profile implies a format (or at least a default), but again, the XML
> layer doesn't know profiles.
>

I thought the default format for Issuer was
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
and any other had to be declared with the format attribute
(sstc-saml-core 2.2.5).

> Yep, you're right, I was thinking it was an attribute with anyURI type. And
> no, we don't do semantic validation after the fact based on the format,
> that's very expensive to do. Here, format is omitted anyway, and while it
> defaults to entityID in the SSO profile instead of unspecified, that isn't
> known at that layer of code.
>

unspecified is the default for other NameIDType elements, but not for
Issuer (in core). I didn't know the default changes for some
profiles, I thought profiles requiring/allowing other formats required
(or kept the requirement) to include the Format attribute in Issuer.

But ok, semantic validation isn't cheap, and that's why I started by
saying I didn't know how easy it was. And besides it seems nobody
complies anyway.

And besides, if it did validate that it would fail on the invalid
assertions I get, so from a selfish POV, it's better like it is...

--
Xavi Drudis Ferran
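As an added illustration of the point argued in this thread (this is example code written for this archive page, not code from the thread, from OpenSAML, or from the list): the check below applies the SAML 2.0 Core default-Format rules discussed above, entity for Issuer (core 2.2.5) and unspecified for every other NameIDType element (core 2.2.2), and then enforces the entity-format constraints of core 8.3.6 (a URI of at most 1024 characters, no NameQualifier, SPNameQualifier or SPProvidedID). The function names, the sample entityIDs and the three constructed assertions are assumptions made for the example.

```python
# Added example, not OpenSAML code: apply the SAML 2.0 Core default Format
# rules and the entity-format constraints to every Issuer in an assertion.
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Conservative absolute-URI shape (RFC 3986 scheme followed by ':').
# Enough to flag values such as "Example IdP" that cannot be an entityID.
_URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")


def _local_name(elem):
    return elem.tag.split("}")[-1]


def effective_format(elem):
    """Format in effect for a NameIDType element.

    Core 2.2.5: Issuer without a Format attribute means the entity format.
    Core 2.2.2: any other NameIDType element without Format means unspecified.
    """
    declared = elem.get("Format")
    if declared:
        return declared
    return FORMAT_ENTITY if _local_name(elem) == "Issuer" else FORMAT_UNSPECIFIED


def check_name_id(elem):
    """Cheap semantic checks for one NameIDType element; returns findings."""
    findings = []
    name = _local_name(elem)
    value = (elem.text or "").strip()
    if effective_format(elem) == FORMAT_ENTITY:
        # Core 8.3.6: a URI of at most 1024 characters ...
        if not _URI_RE.match(value) or len(value) > 1024:
            findings.append(f"{name}: '{value}' is not a valid entity URI")
        # ... that MUST NOT carry these qualifier attributes.
        for attr in ("NameQualifier", "SPNameQualifier", "SPProvidedID"):
            if elem.get(attr) is not None:
                findings.append(f"{name}: {attr} not allowed with entity format")
    return findings


def issuer_formats(xml_text):
    """Effective Format of every Issuer element, in document order."""
    root = ET.fromstring(xml_text)
    return [effective_format(i) for i in root.iter(f"{{{SAML2_NS}}}Issuer")]


def check_issuers(xml_text):
    """Run check_name_id over every Issuer element in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for issuer in root.iter(f"{{{SAML2_NS}}}Issuer"):
        findings.extend(check_name_id(issuer))
    return findings


# Constructed sample assertions (assumed entityIDs, not real deployments).
_HEAD = ('<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" '
         'IssueInstant="2008-02-12T16:54:54Z">' % SAML2_NS)
_TAIL = "</saml:Assertion>"

# Compliant: no Format, so entity applies; the value is a URI.
GOOD_ASSERTION = _HEAD + "<saml:Issuer>https://idp.example.org/metadata</saml:Issuer>" + _TAIL

# Non-compliant: entity format in effect, but the value is not a URI and
# a NameQualifier is present.
BAD_ASSERTION = _HEAD + '<saml:Issuer NameQualifier="example.org">Example IdP</saml:Issuer>' + _TAIL

# Declared unspecified: the same value is acceptable once Format says so.
DECLARED_ASSERTION = _HEAD + ('<saml:Issuer Format="%s">Example IdP</saml:Issuer>'
                              % FORMAT_UNSPECIFIED) + _TAIL

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION),
                       ("declared", DECLARED_ASSERTION)):
        print(label, issuer_formats(doc), check_issuers(doc))
```

The check is deliberately limited to Issuer and to the rules the core specification states for it, so it stays cheap compared with full per-format semantic validation; the third sample shows why a non-URI Issuer value is only acceptable when a Format other than entity is declared explicitly.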




Archive powered by MHonArc 2.6.16.