The SAML v2.0 class library includes both high-level and low-level APIs. For the majority of use cases, it’s recommended that the high-level APIs are used as these provide the greatest ease of use. The low-level APIs are available for when maximum flexibility is required. The high-level API is implemented using the low-level API.
High-Level API
The high-level API offers the following advantages:
simple API supporting single sign-on and single logout
minimal code in the calling application
encapsulates the technical details of the SAML protocols, bindings and security
configuration-driven making it easy to add support for other partner sites with no code changes
maintains state to support single logout
Low-Level API
The low-level API offers the following advantages:
maximum flexibility
compatibility with pre-high-level API applications
Is it advisable to combine high-level and low-level APIs? For example, use high-level API for assertions via POST and low-level API for assertions via artifact binding? If not, what can you advise?
Generally it’s not advisable to combine the two APIs as the high-level API isn’t aware of any calls your application makes to the low-level API. However, if you don’t combine the APIs within the same SSO session you should be ok. For example, don’t use the low level API for SSO and then the high-level API for SLO of the same user. You could use the low-level API only for SSO sessions using HTTP-artifact and the high-level API only for SSO sessions using HTTP-Post.
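An added example, not part of the original thread and not the library's own code: a guard an application could keep next to its session store so that the API which performed SSO for a session is also the one asked to perform SLO for it. The registry, the error type and the session ids are hypothetical; the binding split is the one suggested in the answer above.

```python
from enum import Enum


class Api(Enum):
    HIGH_LEVEL = "high-level"
    LOW_LEVEL = "low-level"


# Split suggested in the answer above: each binding is served by exactly one API.
BINDING_TO_API = {"HTTP-POST": Api.HIGH_LEVEL, "HTTP-Artifact": Api.LOW_LEVEL}


class MixedApiError(RuntimeError):
    """The API asked to act on a session is not the one that created it."""


class SessionApiRegistry:
    """Hypothetical in-memory record of which API performed SSO per session."""

    def __init__(self):
        self._owner = {}  # local session id -> Api

    def begin_sso(self, session_id, binding):
        api = BINDING_TO_API.get(binding)
        if api is None:
            raise ValueError(f"no API assigned to binding {binding!r}")
        owner = self._owner.get(session_id)
        if owner is not None and owner is not api:
            raise MixedApiError(f"{session_id}: SSO already done via {owner.value} API")
        self._owner[session_id] = api
        return api

    def api_for_slo(self, session_id, requested=None):
        """Return the API that must handle logout; reject a mismatched caller."""
        owner = self._owner.get(session_id)
        if owner is None:
            raise KeyError(f"{session_id}: no SSO session recorded")
        if requested is not None and requested is not owner:
            raise MixedApiError(f"{session_id}: SLO must use the {owner.value} API")
        return owner

    def end_session(self, session_id):
        # After logout completes the session may sign on again via either binding.
        self._owner.pop(session_id, None)
```

Calling `api_for_slo` before dispatching a logout turns a silent mismatch into an explicit error, since the high-level API holds no state for sessions created through the low-level API.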
You guys mention that there is a high-level and low-level API that shouldn’t in general be mixed. Is there a clear distinction between which classes fit into which?