Frequently Asked Questions

General Questions

What is SAML?

SAML (Security Assertion Markup Language) is an OASIS standard for the formation and exchange of authentication, attribute, and authorization data using XML. It describes various kinds of XML messages and standard ways of transporting them. It is important to note that much of the infrastructure that can be built around SAML is not defined by the standard. As a result, SAML is often part of a complete security solution, but rarely the only part.

What is OpenSAML?

OpenSAML is an open-source toolkit, in Java and C++, produced by the Shibboleth Consortium developers as part of their work on the Shibboleth project. It is able to create objects with the individual information fields that make up a SAML message, build the correct SAML representation, and parse the SAML back into object form, as well as supporting developers implementing applications using various SAML profiles and transport bindings.

What versions of SAML are supported?

OpenSAML version 1.1 supports SAML 1.0 and 1.1. OpenSAML version 2.0 supports SAML 1.0, 1.1, 2.0, and some additional profiles and extensions.

What can OpenSAML be used for?

OpenSAML assists an application wishing to use SAML messages or standard SAML profiles to express and carry security information between software components and systems. It is designed to be extensible and to accommodate a variety of trust models and security requirements, but for now is primarily oriented to simple PKI-protected exchanges and TLS/SSL.

Can I use OpenSAML to interoperate with (insert name of product)?

Possibly. The product will need to support the SAML specification, binding, and profile supported by the version of the OpenSAML library you're using. You'll need to contact your vendor for these details.

Which system architectures does OpenSAML support?

OpenSAML has been tested and used under Windows NT/2000/XP/2003, various Linux flavors, Solaris, Mac OS X, and a few others. Because it deals only with SAML messages, it can be used with any authentication or attribute infrastructure. SAML messages may be accessed directly and sent over any transport protocol, but implementations of higher-level functionality, such as the SAML SOAP/HTTP binding various HTTP browser bindings are included to varying degrees.

Can SAML and OpenSAML be used only for web-based applications?

No. While SAML 1.0 and 1.1 were very web-browser centric SAML 2.0 is not (though it still contains some web-browser specific functions). Currently though, only web-browser and SOAP-service based profiles are publicly available and in wide use. For more information on the SOAP-based services refer to the Liberty Alliance work.

How is OpenSAML licensed?

OpenSAML is open-source software available under a standard Apache 2.0 license, and may be freely modified and redistributed as long as appropriate attribution is made.

Is SAML patent-encumbered?

Without making any definitive legal statements, while parts of SAML in the past were encumbered by a royalty-free license from RSA Data Security, RSA has joined with other OASIS member companies in issuing broad non-assertion covenants that grant everybody the ability to implement and use the SAML standard without concerns. In other words, SAML is as open as things get these days.

Refer to the OASIS IPR Declaration for additional information on disclosed patents and the accompanying statements that grant their use.

Where can I obtain and contribute to OpenSAML?

OpenSAML is housed at http://www.opensaml.org/, which is part of the Internet2 web site. Links to documentation and source code can be found there. Contributions are strictly controlled to maintain the open status of the code, and are subject to execution of an Internet2 contributor's agreement or other equivalent contractual arrangements.

Who are the key contributors to this work?

The initial design and code was primarily the work of Scott Cantor of The Ohio State University. Chad La Joie, of SWITCH is now primarily responsible for future Java work. Recognition should also be extended to Bob Morgan of the University of Washington. Both Bob and Scott were instrumental in the development of the SAML standard, as were other participants from the Internet2 membership.

OpenSAML 1 Questions

Does OpenSAML 1 support logout?

SAML 1.0 and 1.1, the versions of SAML supported by OpenSAML 1, does not support this functionality. SAML 2.0 does support this through its Logout Request/Response messages.

OpenSAML 2 Questions

Is OpenSAML version 2 backwards compatible with version 1?

No.