cxf-dev mailing list archives

From Oliver Wulff <owu...@talend.com>
Subject RE: SAML 2.0 attributes and claims naming convention
Date Thu, 23 Aug 2012 05:29:02 GMT
Hi Glen

Thanks for the feedback...

>>>
OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:

<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="EmailAddress">
>>>

The basic format is just a "simple" name and not a URI as in the case of the ClaimsAttributeStatementProvider.
Therefore, the options are only "uri" or "unspecified". I've proposed unspecified because ADFS
uses it as a default and TFIM only supported unspecified.

>>>
Question: I'm confused here.  Why can't/shouldn't the attribute name be
fully qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?

If this is kosher:
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

why isn't this?
<saml2:Attribute
Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"
>>>
That's absolutely fine for SAML 2. But the proposal was for SAML 1.1 which doesn't have a
NameFormat attribute. Instead, they have only AttributeName and AttributeNamespace.

Thanks
Oli



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Glen Mazza [glen.mazza@gmail.com]
Sent: 22 August 2012 18:21
To: dev@cxf.apache.org
Subject: Re: SAML 2.0 attributes and claims naming convention

Hi Oli, comments below:


Oliver Wulff-2 wrote
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like
> this:
>
> SAML 2.0
>
> Current example:
>
>                      <saml2:Attribute Name="emailaddress"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
>                      </saml2:Attribute>
>                      <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
>                      </saml2:Attribute>
>
> Issue:
>
> - If attribute is part of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name
> of the SAML attribute is simple like "givenname" instead of fully
> qualified.
>
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>

OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:

<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="EmailAddress">



> Proposal:
>
>                      <saml2:Attribute
> Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>                         <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
>                      </saml2:Attribute>
>                      <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>                         <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
>                      </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully
> qualified and the nameformat should be used for another purposes instead
> of http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here an example how ADFS does it:
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
>                      <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml1:AttributeValue
> xsi:type="xs:string">owulff@</saml1:AttributeValue>
>                      </saml1:Attribute>
>                      <saml1:Attribute
> AttributeName="http://schemas.mycompany.com/claims/language"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
>                      </saml1:Attribute>
>
> Issue:
>
> - If attribute is not part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims the AttributeName is
> fully qualified (which it shouldn't) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>

Question: I'm confused here.  Why can't/shouldn't the attribute name be
fully qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?

If this is kosher:
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

why isn't this?
<saml2:Attribute
Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"

For example, this article:
http://answers.flyppdevportal.com/categories/azure/azuresecurity.aspx?ID=4f3eeb5f-44ba-4873-91ff-27b3c3bc50fe

has an example using fully qualified Names with the
"http://schemas.microsoft.com/ws/2008/06/identity/claims"
non-standard namespace:

    <Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Primary SID"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Windows account name"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>

Thanks,
Glen




--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-2-0-attibutes-and-claims-naming-convention-tp5712967p5712998.html
Sent from the cxf-dev mailing list archive at Nabble.com.
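The thread above is about how a relying party is supposed to recover a claim URI from a SAML attribute: SAML 2.0 carries Name plus NameFormat, SAML 1.1 carries AttributeName plus AttributeNamespace, and the "current" CXF output puts the WS-Federation claims namespace into NameFormat, which is not one of the three values the SAML 2.0 spec defines. The following is an added example, not code from CXF or from either poster, that parses both layouts and maps every attribute to a fully qualified claim URI while flagging the naming that does not follow the SAML 2.0 NameFormat rules. It assumes the claims namespace quoted in the thread, the three standard NameFormat URIs, and (as an assumption) that a "basic" Name is a WS-Federation claim; the three sample statements are constructed for the example, with "user@example.com" standing in for the elided address.

```python
"""Normalise SAML 1.1 / 2.0 attribute names to claim URIs.

Added example, not CXF's ClaimsAttributeStatementProvider. Assumes the
WS-Federation claims namespace from the thread and the three standard
SAML 2.0 NameFormat values; the sample statements below are constructed.
"""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
STANDARD_FORMATS = {FMT_URI, FMT_BASIC, FMT_UNSPECIFIED}


def is_absolute(name):
    """True for names that are already URIs (http(s) or urn scheme)."""
    return name.startswith(("http://", "https://", "urn:"))


def qualify(namespace, name):
    """Join a namespace and a simple name; an absolute name is kept as-is."""
    if is_absolute(name) or not namespace:
        return name
    return namespace.rstrip("/") + "/" + name


def extract_claims(xml_text):
    """Map every Attribute of a SAML 1.1 or 2.0 statement to a claim URI.

    Returns (claims, warnings): claims is {claim_uri: [values]}; warnings
    lists attributes whose naming is outside the SAML 2.0 NameFormat rules.
    """
    root = ET.fromstring(xml_text)
    claims, warnings = {}, []

    # SAML 2.0: Name + NameFormat (NameFormat defaults to 'unspecified')
    for attr in root.iter("{%s}Attribute" % SAML2):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat", FMT_UNSPECIFIED)
        if fmt == FMT_BASIC:
            # basic names are bare tokens; assumption: treat them as WS-Fed claims
            uri = qualify(CLAIMS_NS, name)
        elif fmt in STANDARD_FORMATS:
            uri = name
            if fmt == FMT_URI and not is_absolute(name):
                warnings.append("NameFormat uri but Name is not a URI: %r" % name)
        else:
            # a namespace URI in NameFormat (the 'current' output in the thread)
            warnings.append("non-standard NameFormat %r on Name %r" % (fmt, name))
            uri = qualify(fmt, name)
        values = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML2)]
        claims.setdefault(uri, []).extend(values)

    # SAML 1.1: AttributeName + AttributeNamespace, no NameFormat at all
    for attr in root.iter("{%s}Attribute" % SAML1):
        name = attr.get("AttributeName", "")
        ns = attr.get("AttributeNamespace", "")
        if is_absolute(name):
            warnings.append("SAML 1.1 AttributeName already qualified: %r" % name)
        uri = qualify(ns, name)
        values = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML1)]
        claims.setdefault(uri, []).extend(values)

    return claims, warnings


# Constructed samples mirroring the thread's 'current' and 'proposed' layouts.
_HDR = ('xmlns:saml2="%s" xmlns:saml1="%s" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"' % (SAML2, SAML1))

CURRENT_SAML2 = """<saml2:AttributeStatement %s>
  <saml2:Attribute Name="emailaddress" NameFormat="%s">
    <saml2:AttributeValue xsi:type="xs:string">user@example.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="%s">
    <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>""" % (_HDR, CLAIMS_NS, CLAIMS_NS)

PROPOSED_SAML2 = """<saml2:AttributeStatement %s>
  <saml2:Attribute Name="%s/emailaddress" NameFormat="%s">
    <saml2:AttributeValue xsi:type="xs:string">user@example.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="%s">
    <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>""" % (_HDR, CLAIMS_NS, FMT_UNSPECIFIED, FMT_UNSPECIFIED)

CURRENT_SAML1 = """<saml1:AttributeStatement %s>
  <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="%s">
    <saml1:AttributeValue xsi:type="xs:string">user@example.com</saml1:AttributeValue>
  </saml1:Attribute>
  <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
      AttributeNamespace="%s">
    <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
  </saml1:Attribute>
</saml1:AttributeStatement>""" % (_HDR, CLAIMS_NS, CLAIMS_NS)

if __name__ == "__main__":
    for label, doc in (("current SAML 2.0", CURRENT_SAML2),
                       ("proposed SAML 2.0", PROPOSED_SAML2),
                       ("current SAML 1.1", CURRENT_SAML1)):
        print(label, *extract_claims(doc))
```

Running it shows that all three layouts resolve to the same two claim URIs, but only the proposed SAML 2.0 form does so without a warning; the "current" SAML 2.0 form is recoverable only because the consumer knows to treat a non-standard NameFormat as a namespace, which is exactly the tacit convention a product like ADFS or TFIM will not share. Matching claims by bare Name ("emailaddress") instead of the resolved URI would let two issuers' differently namespaced attributes collide, so the relying party should key its authorization decisions on the normalised URI.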
