cxf-dev mailing list archives

From Glen Mazza <glen.ma...@gmail.com>
Subject Re: SAML 2.0 attributes and claims naming convention
Date Wed, 22 Aug 2012 16:21:38 GMT
Hi Oli, comments below:


Oliver Wulff-2 wrote
> 
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like
> this:
> 
> SAML 2.0
> 
> Current example:
> 
>                      <saml2:Attribute Name="emailaddress"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
>                      </saml2:Attribute>
>                      <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
>                      </saml2:Attribute>
> 
> Issue:
> 
> - If the attribute is part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name
> of the SAML attribute is simple like "givenname" instead of fully
> qualified.
> 
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
> 

OK, a Google search does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:

<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="EmailAddress">



> Proposal:
> 
>                      <saml2:Attribute
> Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>                         <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
>                      </saml2:Attribute>
>                      <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>                         <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
>                      </saml2:Attribute>
> 
> I'd like to change this as the attribute name should always be fully
> qualified and the nameformat should be used for other purposes instead
> of http://schemas.xmlsoap.org/ws/2005/05/identity/claims
> 
> Here is an example of how ADFS does it:
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
> 
> 
> SAML 1.1
> 
> Current example:
> 
>                      <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml1:AttributeValue
> xsi:type="xs:string">owulff@</saml1:AttributeValue>
>                      </saml1:Attribute>
>                      <saml1:Attribute
> AttributeName="http://schemas.mycompany.com/claims/language"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
>                      </saml1:Attribute>
> 
> Issue:
> 
> - If the attribute is not part of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims, the AttributeName is
> fully qualified (which it shouldn't be) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
> 

Question: I'm confused here.  Why can't/shouldn't the attribute name be
fully qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?

If this is kosher:
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

why isn't this?
<saml2:Attribute
Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"

For example, this article:
http://answers.flyppdevportal.com/categories/azure/azuresecurity.aspx?ID=4f3eeb5f-44ba-4873-91ff-27b3c3bc50fe

has an example using fully qualified Names with the
"http://schemas.microsoft.com/ws/2008/06/identity/claims"
non-standard namespace:

    <Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Primary SID"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Windows account name"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>

Thanks,
Glen




--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-2-0-attibutes-and-claims-naming-convention-tp5712967p5712998.html
Sent from the cxf-dev mailing list archive at Nabble.com.
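As an added illustration (not code from CXF's ClaimsAttributeStatementProvider or from either poster): a relying-party-side parser in Python that maps both encodings discussed in the thread to the same fully qualified claim URI, and flags any NameFormat outside the three values defined by SAML 2.0 Core (unspecified, uri, basic). The sample XML is constructed from the thread's own examples; treating a missing NameFormat as unspecified follows the SAML 2.0 default.

```python
# Added example, not CXF code: canonicalize saml2:Attribute names and flag non-standard NameFormat
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
STANDARD_FORMATS = {FMT_UNSPECIFIED, FMT_URI, FMT_BASIC}  # the three NameFormats SAML 2.0 Core defines

# Constructed sample: the "current" CXF encoding quoted in the thread, wrapped in an AttributeStatement
CURRENT_XML = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Attribute Name="emailaddress" NameFormat="{CLAIMS_NS}">
    <saml2:AttributeValue xsi:type="xs:string">owulff@</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="{CLAIMS_NS}">
    <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed sample: the proposed encoding (fully qualified Name, standard NameFormat)
PROPOSED_XML = CURRENT_XML.replace(
    'Name="emailaddress"', f'Name="{CLAIMS_NS}/emailaddress"').replace(
    f'NameFormat="{CLAIMS_NS}"', f'NameFormat="{FMT_UNSPECIFIED}"')

def parse_attributes(xml_text):
    """Return [(claim_uri, values, warnings)] per saml2:Attribute; a short Name is qualified
    with the namespace carried in NameFormat so both encodings map to the same claim URI."""
    root = ET.fromstring(xml_text)
    result = []
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat", FMT_UNSPECIFIED)  # SAML 2.0 default when absent
        warnings = []
        if fmt not in STANDARD_FORMATS:
            warnings.append(f"non-standard NameFormat {fmt}")
            if "://" not in name:  # e.g. "emailaddress" -> <claims namespace>/emailaddress
                name = fmt.rstrip("/") + "/" + name
        elif fmt == FMT_URI and "://" not in name:
            warnings.append(f"NameFormat uri but Name {name!r} is not an absolute URI")
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        result.append((name, values, warnings))
    return result

def claims(xml_text):
    """Map canonical claim URI -> values; the relying party keys on this, not on NameFormat."""
    return {name: values for name, values, _ in parse_attributes(xml_text)}
```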
