mace-opensaml-users - RE: [OpenSAML] Migrating to opensaml 2.2.0

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [OpenSAML] Migrating to opensaml 2.2.0
  • Date: Mon, 27 Oct 2008 14:47:36 -0400
  • Organization: The Ohio State University

> [Pantvaidya, Vishwajit] Thanks Scott. I do understand XMLSchema. If it is
> not too painful, please feel free to post the differences.

SAML 1.0 doesn't have XML ID attributes in the schema. In 1.1, the schema
was modified to make the AssertionID and related attributes actual IDs. As a
result, mixing them is impossible in validating applications, and signing is
essentially unusable in SAML 1.0.

There's nothing good about what was done, it was a mistake from day one and
then compounded by changing the schema. People should avoid using SAML 1.x
at all unless they have to use it, and should never use SAML 1.0 anywhere
now. If you can't upgrade from it now, whatever is requiring SAML 1.0 is
probably orphaned anyway and should be put down like a rabid animal.
Security software that isn't being maintained is a threat.

> Else, when I get
> the time, I will look up the SAML 1 v/s 1.1 differences from the spec. So
> for now, what I understand is that, when I use the classes from the saml1
> packages, I am conforming to SAML1.1. Is that right?

By default, perhaps, but in general it's whatever you set MinorVersion to.
There is no sense of conformance in those classes, they handle both versions
either well or badly, but not separately.

-- Scott
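
An added illustration (not part of the original message and not OpenSAML code) of why ID typing matters for signing: a same-document signature reference such as `URI="#_a1"` resolves only when the referenced attribute is typed as an ID, which for AssertionID only the 1.1 schema does. The sample assertion, the `check_assertion` helper, and the use of `setIdAttribute` as a stand-in for schema validation are assumptions made for the example.

```python
from xml.dom import minidom

# SAML 1.0 and 1.1 share this namespace; only MinorVersion tells them apart.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample assertion (not real traffic); {minor} is filled in per case.
SAMPLE = (
    '<saml:Assertion xmlns:saml="' + SAML1_NS + '" MajorVersion="1" '
    'MinorVersion="{minor}" AssertionID="_a1" Issuer="https://idp.example.org" '
    'IssueInstant="2008-10-27T18:47:36Z">'
    '<ds:Signature xmlns:ds="' + DSIG_NS + '"><ds:SignedInfo>'
    '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
    '</saml:Assertion>'
)


def check_assertion(xml_text):
    """Return (version, reference_resolves, accept) for a SAML 1.x assertion.

    Hypothetical helper: minidom is used for brevity and is not hardened
    for untrusted XML.
    """
    doc = minidom.parseString(xml_text)
    root = doc.documentElement
    if root.namespaceURI != SAML1_NS or root.localName != "Assertion":
        raise ValueError("not a SAML 1.x assertion")
    version = (root.getAttribute("MajorVersion"), root.getAttribute("MinorVersion"))
    # Stand-in for schema validation (assumption): only the 1.1 schema
    # declares AssertionID as an XML ID, so only then is it marked as one.
    if version == ("1", "1"):
        root.setIdAttribute("AssertionID")
    refs = doc.getElementsByTagNameNS(DSIG_NS, "Reference")
    uri = refs[0].getAttribute("URI") if refs else ""
    # A "#id" reference is looked up by ID, not by attribute name.
    target = doc.getElementById(uri[1:]) if uri.startswith("#") else None
    resolves = target is not None and target.isSameNode(root)
    # Policy from the message above: never accept SAML 1.0.
    accept = version == ("1", "1") and resolves
    return ".".join(version), resolves, accept
```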




