adam.lantos

adam.lantos

created OPENAM-89

08 May 10
adam.lantos

commented on OPENAM-13

05 May 10
My patch unconditionally removed the Extensions node, but this would effectively kill all metadata extension handling; this is not desirable, as customers might miss their beloved extensions.

The core problem occurs when JAXB cannot process anything out of the Extension contents and thus leaves an empty list; this gets serialized as <Extensions/>, which is not schema-valid any more. Note that JAXB2 handles this problem better.

I don't know JAXB1 well enough, but my take would be something like this:

// Drop an Extensions list that JAXB1 left empty, so it is not serialized as an empty <Extensions/>
if (descriptor.getExtensions() != null && descriptor.getExtensions().size() == 0) {
    descriptor.setExtensions(null);
}

somewhere around http://sources.forgerock.org/browse/openam/trunk/opensso/products/federation/library/source/com/sun/identity/saml2/meta/SAML2MetaManager.java?r=HEAD#l488

Or maybe we need to file a bug report against JAXB itself :)
adam.lantos

commented on OPENAM-13

05 May 10
Okay, that'll fix this particular issue, but what if I want to use other extensions? What if I want to import metadata from a trusted third party, which could use _any_ extension schemas, which are not controlled by me? For example, our federation uses the Shibboleth scope extension (urn:mace:shibboleth:metadata:1.0) and the Metadata UI extension (urn:oasis:names:tc:SAML:2.0:metadata:ui), and if one entity wishes to use its own extension, we allow them to do that, because it's an _extension_.

Failing to import metadata because of an unforeseen or unknown extension is definitely a bug because it's against the nature of the extendable schema itself. If an entity doesn't use an extension, it MUST ignore it and not fail.
adam.lantos

commented on OPENAM-13

05 May 10
Right, all Extension nodes should be nulled out, because the JAXB version which OpenAM uses doesn't handle elements from unknown namespaces well, and it causes fatal errors.

Federations often use Extensions in the central metadata, and even if OpenAM doesn't know what to do with them, failing to import metadata with unknown Extensions in it is simply non-conformant to the SAML specs.
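The two behaviours argued for in the OPENAM-13 comments above (drop an empty Extensions list before serialising, because md:ExtensionsType requires at least one child from a foreign namespace, and never fail on extension children the importer does not understand) as an added, stand-alone example. This is not OpenAM or JAXB code: it uses Python's standard xml.etree on a constructed metadata document that mixes the Shibboleth scope and mdui extensions named in the thread with a made-up vendor extension, and the KNOWN_HANDLERS table is a hypothetical dispatch map, not anything OpenAM ships.

```python
"""Importing SAML 2.0 metadata without choking on <md:Extensions>. Added example, not OpenAM code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"
MDUI_NS = "urn:oasis:names:tc:SAML:2.0:metadata:ui"
EXTENSIONS_TAG = "{%s}Extensions" % MD_NS

for prefix, uri in (("md", MD_NS), ("shibmd", SHIBMD_NS), ("mdui", MDUI_NS)):
    ET.register_namespace(prefix, uri)  # keep the usual prefixes on output

# Constructed sample: an IdP whose Extensions carry a Shibboleth scope, an mdui
# block and a vendor-specific element, plus an empty <md:Extensions/> on the
# SPSSODescriptor, i.e. what the thread says a JAXB1 round trip produces.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:mdui="urn:oasis:names:tc:SAML:2.0:metadata:ui"
    xmlns:ex="urn:example:federation:ext"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example IdP</mdui:DisplayName></mdui:UIInfo>
      <ex:Custom>anything</ex:Custom>
    </md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Hypothetical dispatch table: the only extensions this importer "understands".
KNOWN_HANDLERS = {"{%s}Scope" % SHIBMD_NS: "scope", "{%s}UIInfo" % MDUI_NS: "ui-info"}


def split_qname(tag):
    """'{ns}local' -> (ns, local); an unqualified tag gets an empty namespace."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def extensions_is_schema_valid(ext):
    """md:ExtensionsType is <xs:any namespace="##other" maxOccurs="unbounded"/>:
    one or more children, each from a namespace that is neither empty nor md."""
    children = list(ext)
    return bool(children) and all(split_qname(c.tag)[0] not in ("", MD_NS) for c in children)


def prune_empty_extensions(root):
    """Remove every <md:Extensions> with no child elements and return the count.
    XML-level equivalent of the descriptor.setExtensions(null) proposed in the
    thread: only empty lists go, real extensions survive untouched."""
    removed = 0
    for parent in list(root.iter()):
        for ext in [c for c in list(parent) if c.tag == EXTENSIONS_TAG and len(c) == 0]:
            parent.remove(ext)
            removed += 1
    return removed


def import_extensions(root):
    """Dispatch known extension children, record unknown ones, never raise.
    Returns (handled, ignored) as lists of (namespace, localname)."""
    handled, ignored = [], []
    for ext in root.iter(EXTENSIONS_TAG):
        for child in ext:
            (handled if child.tag in KNOWN_HANDLERS else ignored).append(split_qname(child.tag))
    return handled, ignored


def import_metadata(xml_text):
    """Parse, classify extensions, drop empty Extensions, and re-serialise."""
    root = ET.fromstring(xml_text)
    handled, ignored = import_extensions(root)
    removed = prune_empty_extensions(root)
    return {
        "handled": handled,
        "ignored": ignored,
        "removed_empty": removed,
        "all_extensions_valid": all(extensions_is_schema_valid(e) for e in root.iter(EXTENSIONS_TAG)),
        "xml": ET.tostring(root, encoding="unicode"),
    }


if __name__ == "__main__":
    result = import_metadata(SAMPLE_METADATA)
    print("handled:", result["handled"])
    print("ignored but kept:", result["ignored"])
    print("empty Extensions removed:", result["removed_empty"])
    print("remaining Extensions schema-valid:", result["all_extensions_valid"])
```

The unknown ex:Custom element is neither dispatched nor dropped: it stays in the re-serialised output exactly as the thread asks, and the only thing removed is the child-less Extensions on the SPSSODescriptor, which would otherwise fail schema validation on re-import.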
adam.lantos

attached one file to OPENAM-85

05 May 10
This is a working patch against an older OpenSSO build, it only changes spSSOInit.jsp, and adds a new parameter 'idpDiscoveryProtocol' there.
adam.lantos

created OPENAM-85

05 May 10