This is just a quick post to mention a ghastly API decision I just ran across. (Certainly, I have seen similar monstrosities before, and you probably have as well. However, when I saw this one, I realized I could not let it go this time.)
Consider com.sun.identity.saml2.protocol.Response, specifically the getAssertion method. Now, I will leave aside the wisdom of a "getAssertion" (singular) method that returns a List of Assertions (plural). However, what does the implementation of this method do when there are no (unencrypted) Assertions in the SAML 2.0 response?
...wait for it...
It returns null. Not an empty List, because that wouldn't be empty enough. null. So this method, which is obviously intended to normally return a single Assertion but can handle multiple Assertions, indicates that there are no Assertions by returning null.
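The practical consequence of that contract is that every caller has to remember the null case, or a response with no unencrypted assertions turns into a NullPointerException (or, worse, into code that treats "nothing to look at" as "nothing to reject"). The wrapper below is an added example, not code from OpenSSO/OpenAM or from the original post; the class name `SafeAssertions` and its two methods are my own, and it assumes `Response.getAssertion()` returns `List<Assertion>` and may return null exactly as described above. It normalises null back to an empty List and, for the common single-assertion case, fails closed when the count is anything other than one.

```java
import java.util.Collections;
import java.util.List;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.protocol.Response;

/**
 * Null-safe access to the unencrypted assertions of a SAML 2.0 Response.
 * Added example (hypothetical helper), not part of the OpenSSO/OpenAM code base.
 * Assumes Response.getAssertion() returns List<Assertion> and may return null
 * when the response carries no unencrypted assertions.
 */
public final class SafeAssertions {

    private SafeAssertions() {}

    /** Restores the usual contract: "no assertions" is an empty List, never null. */
    public static List<Assertion> assertionsOf(Response response) {
        if (response == null) {
            return Collections.emptyList();
        }
        List<Assertion> assertions = response.getAssertion();
        return assertions == null ? Collections.emptyList() : assertions;
    }

    /**
     * Fail-closed accessor for the single-assertion case. A response with zero
     * unencrypted assertions (null or empty List) or with more than one is
     * rejected explicitly instead of being handled by whatever the caller
     * happens to do with a null or an unexpected second element.
     */
    public static Assertion requireSingleAssertion(Response response) {
        List<Assertion> assertions = assertionsOf(response);
        if (assertions.size() != 1) {
            throw new IllegalStateException(
                    "expected exactly one unencrypted Assertion, found " + assertions.size());
        }
        return assertions.get(0);
    }
}
```

Call sites that currently do `response.getAssertion().get(0)` become `SafeAssertions.requireSingleAssertion(response)`, so the "no assertions" case is an explicit rejection rather than an incidental exception. Note that `getAssertion()` only covers unencrypted assertions, as the post says; a response whose assertions are all encrypted will also come back as "none" here and has to be handled through whatever encrypted-assertion path the application uses.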