
mace-opensaml-users - RE: [OpenSAML] Unable to extract SAML token

Subject: OpenSAML user discussion


RE: [OpenSAML] Unable to extract SAML token


  • From: "Satish Burnwal" <>
  • To: <>
  • Subject: RE: [OpenSAML] Unable to extract SAML token
  • Date: Mon, 4 Aug 2008 16:13:12 +0530
  • Authentication-results: sj-dkim-4; ; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );

Brent et al:
Thanks for the clarification and prompt follow ups.

Thanks
-Satish

-----Original Message-----
From: Brent Putman
[mailto:]

Sent: Friday, August 01, 2008 12:40 PM
To:

Subject: Re: [OpenSAML] Unable to extract SAML token



Satish Burnwal wrote:
> I just took a look at the SAML 1.1 schema and that also uses
> AssertionID attribute and not the ID attribute. ID attr is used in SAML 2.0
> ver only.

Yes, but note that SAML 1.1 AssertionID is of type xml:ID. At the schema
level, it is an ID attribute, pure and simple.


> My question is - and as I find at quite a few places over the internet - can
> I use the URI reference value as the value of AssertionID ? Is it really a
> standard (and if so any doc to suffice that) ?
>


Yes, you can in general use the value of an xml:ID-typed attribute as
the referent of a ds:Reference/@URI to do a same-document reference. As
Scott said, I'm not really sure if that is what you are supposed to do
vis-a-vis WS-Security; it might be more standard to wrap in an STR.
Haven't read those specs in a while.


> And Tom - what I posted is SAML 1.0 sample and not 1.1. Just the
> NameIdentifier format is 1.1
>

Well, actually what you originally posted is SAML 1.1. It contains this:

<saml:Assertion .... MajorVersion="1" MinorVersion="1">


That canonically defines it as SAML 1.1. I don't know whether the rest
of the Assertion is valid SAML 1.1 (as opposed to SAML 1.0) or not,
haven't compared it element by element.

Note that some of the various URNs used in SAML 1.1 (e.g. namespace
URIs) contain the rather misleading subcomponent "1.0". That's just a
legacy of the way they "extended" 1.0 to create 1.1. With 2.0, new
namespaces were also created.

The way you know what you have is always via the Major- and MinorVersion
attributes.

--Brent
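Added example, not code from this thread or from OpenSAML: it shows the three points Brent makes above in working form, using two constructed assertions (a SAML 1.1 one and a SAML 2.0 counterpart, with made-up AssertionID/ID values). Version is read from MajorVersion/MinorVersion (or Version for 2.0), never from the namespace, and a ds:Reference/@URI of the form "#id" is resolved against the version-appropriate ID-typed attribute.

```python
import xml.etree.ElementTree as ET

# SAML 1.1 reuses the "1.0" namespace URI; SAML 2.0 got new namespaces.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not from the thread): a SAML 1.1 assertion whose signature
# Reference points at the AssertionID value with a same-document URI.
SAMPLE_SAML11 = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" xmlns:ds="{DS_NS}"
    AssertionID="_a1b2c3" MajorVersion="1" MinorVersion="1"
    Issuer="https://issuer.example.test" IssueInstant="2008-08-01T12:00:00Z">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo></ds:Signature>
</saml:Assertion>"""

# Constructed SAML 2.0 counterpart: single Version attribute, ID instead of AssertionID,
# and a Reference URI that does not match the assertion's ID.
SAMPLE_SAML20 = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" xmlns:ds="{DS_NS}"
    ID="_z9y8x7" Version="2.0" IssueInstant="2008-08-01T12:00:00Z">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_wrong"/></ds:SignedInfo></ds:Signature>
</saml:Assertion>"""

def saml_version(assertion):
    """(major, minor) from MajorVersion/MinorVersion (SAML 1.x) or Version (SAML 2.0).
    The namespace is deliberately not consulted: the 1.1 namespace still says "1.0"."""
    if "MajorVersion" in assertion.attrib:
        return int(assertion.get("MajorVersion")), int(assertion.get("MinorVersion"))
    major, _, minor = assertion.get("Version", "").partition(".")
    return int(major), int(minor or 0)

def id_attribute_name(assertion):
    """SAML 1.x: AssertionID (schema type xml:ID). SAML 2.0: ID."""
    return "AssertionID" if saml_version(assertion)[0] == 1 else "ID"

def check_reference(xml_text):
    """Parse the assertion and test whether its ds:Reference/@URI is a same-document
    reference ('#' + value) that resolves to the assertion's own ID-typed attribute."""
    assertion = ET.fromstring(xml_text)
    ref = assertion.find(f".//{{{DS_NS}}}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    id_attr = id_attribute_name(assertion)
    resolves = uri.startswith("#") and uri[1:] == assertion.get(id_attr)
    return {"version": saml_version(assertion), "id_attr": id_attr,
            "uri": uri, "resolves": resolves}

if __name__ == "__main__":
    print(check_reference(SAMPLE_SAML11))   # resolves: True
    print(check_reference(SAMPLE_SAML20))   # resolves: False, URI names a different id
```

A real verifier would additionally require that the resolved element be the signed one and that the ID value be unique in the document, since a signature over a reference that resolves elsewhere is the classic wrapping pitfall.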
