From Oliver Wulff <owu...@talend.com>
Subject SAML 2.0 attributes and claims naming convention
Date Wed, 22 Aug 2012 12:22:23 GMT
Hi there

I came across an issue in processing the claims encoded within a SAML 1.1 and 2.0 attribute
statement. Right now, the ClaimsAttributeStatementProvider creates the name of an attribute
like this:

SAML 2.0

Current example:

                     <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then
the name of the SAML attribute is simple, like "givenname", instead of fully qualified.
- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

I'd like to change this, as the attribute name should always be fully qualified and the NameFormat
should be used for other purposes instead of http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Here is an example of how ADFS does it:
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/


SAML 1.1

Current example:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

Issue:

- If the attribute is not part of http://schemas.xmlsoap.org/ws/2005/05/identity/claims, the
AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">oliver.wulff@zurich.ch</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

The book "Windows Identity Foundation" describes it in the same way as proposed (p66):
SAML 1.1
AttributeName = <local name> (firstname)
AttributeNamespace = http://schemas.../claims


If you are fine with this, I'll create a JIRA and make the following modifications to the ClaimsAttributeStatementProvider:
You can configure which NameFormat should be used, like uri or unspecified (Microsoft uses
unspecified, Shibboleth uri). The default stays for backwards compatibility in 2.6, but I would like
to change the default to "unspecified" for 2.7.

I've also discovered something in WSS4J in the SAML1ComponentBuilder which confused me a lot:


    @SuppressWarnings("unchecked")
    public static Attribute createSamlv1Attribute(
        String attributeName,
        String attributeUrn,
        List<?> values
    ) {
        if (attributeV1Builder == null) {
            attributeV1Builder = (SAMLObjectBuilder<Attribute>)
                builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
        }
        if (stringBuilder == null) {
            stringBuilder = (XSStringBuilder)builderFactory.getBuilder(XSString.TYPE_NAME);
        }

        Attribute attribute = attributeV1Builder.buildObject();
        attribute.setAttributeName(attributeName);
        attribute.setAttributeNamespace(attributeUrn);



    @SuppressWarnings("unchecked")
    public static List<AttributeStatement> createSamlv1AttributeStatement(
        List<AttributeStatementBean> attributeData
    )


                    Attribute samlAttribute =
                        createSamlv1Attribute(
                            values.getSimpleName(),
                            values.getQualifiedName(),
                            attributeValues
                        );


Let me know your thoughts...

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
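As an added example (not CXF or WSS4J code, and not part of the message above), here is the proposed naming convention for both SAML versions in Python, together with the reverse mapping a relying party would use to recover the fully qualified claim URI from either form. The helper names are my own, and the rule that a SAML 1.1 namespace is the claim URI up to its last "/" is assumed from the proposal.

```python
from xml.etree import ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
for prefix, uri in (("saml2", SAML2_NS), ("saml1", SAML1_NS), ("xsi", XSI_NS)):
    ET.register_namespace(prefix, uri)


def split_claim(claim_uri):
    """SAML 1.1 form (assumed rule): namespace is everything before the last '/', local name after."""
    namespace, _, local = claim_uri.rpartition("/")
    if not namespace or not local:
        raise ValueError("claim must be a fully qualified URI: %r" % claim_uri)
    return namespace, local


def _add_values(attr, ns, values):
    attr.set("xmlns:xs", "http://www.w3.org/2001/XMLSchema")  # declares the xs prefix for xsi:type
    for value in values:
        elem = ET.SubElement(attr, "{%s}AttributeValue" % ns)
        elem.set("{%s}type" % XSI_NS, "xs:string")
        elem.text = value
    return attr


def saml2_attribute(claim_uri, values, name_format=FORMAT_UNSPECIFIED):
    """SAML 2.0: Name carries the full claim URI; NameFormat is configurable (unspecified or uri)."""
    split_claim(claim_uri)  # reject names that are not fully qualified
    attr = ET.Element("{%s}Attribute" % SAML2_NS, Name=claim_uri, NameFormat=name_format)
    return _add_values(attr, SAML2_NS, values)


def saml1_attribute(claim_uri, values):
    """SAML 1.1: AttributeName is the local name, AttributeNamespace the claim's own namespace."""
    namespace, local = split_claim(claim_uri)
    attr = ET.Element("{%s}Attribute" % SAML1_NS, AttributeName=local, AttributeNamespace=namespace)
    return _add_values(attr, SAML1_NS, values)


def claim_uri_of(attr):
    """Relying-party side: recover the fully qualified claim URI from either attribute form."""
    if attr.tag == "{%s}Attribute" % SAML2_NS:
        return attr.get("Name")
    if attr.tag == "{%s}Attribute" % SAML1_NS:
        return attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
    raise ValueError("not a SAML attribute: %s" % attr.tag)


def roundtrip(attr):
    """Serialise and re-parse, so checks run against the emitted XML, not the in-memory tree."""
    return ET.fromstring(ET.tostring(attr, encoding="unicode"))
```

Both forms map back to the same claim URI, which is what lets a consumer treat a SAML 1.1 and a SAML 2.0 token carrying the same claim identically.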
