From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: SAML 2.0 attributes and claims naming convention
Date Thu, 23 Aug 2012 10:08:12 GMT
> If you are fine with this, I'll create a JIRA and make the following
> modifications to the ClaimsAttributeStatementProvider

Fine with me.

> I've also discovered something in WSS4J in the SAML1ComponentBuilder
> which confused me a lot:

What are you confused about exactly? Mapping the AttributeBean simpleName ->
Name and qualified Name -> attribute Name? This is a consequence of
having the same Bean for creating both SAML 1.1 and SAML 2.0 assertions.

Colm.


On Wed, Aug 22, 2012 at 1:22 PM, Oliver Wulff <owulff@talend.com> wrote:

> Hi there
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like this:
>
> SAML 2.0
>
> Current example:
>
>   <saml2:Attribute Name="emailaddress"
>       NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
>   </saml2:Attribute>
>   <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>       NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>   </saml2:Attribute>
>
> Issue:
>
> - If the attribute is part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the
> name of the SAML attribute is a simple name like "givenname" instead of the
> fully qualified one.
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
>   <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>     <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
>   </saml2:Attribute>
>   <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>     <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>   </saml2:Attribute>
>
> I'd like to change this, as the attribute name should always be fully
> qualified and the NameFormat should be used for other purposes instead of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here is an example of how ADFS does it:
>
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
>   <saml1:Attribute AttributeName="emailaddress"
>       AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
>   </saml1:Attribute>
>   <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
>       AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>   </saml1:Attribute>
>
> Issue:
>
> - If the attribute is not part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, the AttributeName
> is fully qualified (which it shouldn't be) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
>   <saml1:Attribute AttributeName="emailaddress"
>       AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml1:AttributeValue xsi:type="xs:string">oliver.wulff@zurich.ch</saml1:AttributeValue>
>   </saml1:Attribute>
>   <saml1:Attribute AttributeName="language"
>       AttributeNamespace="http://schemas.mycompany.com/claims">
>     <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>   </saml1:Attribute>
>
> The book "Windows Identity Foundation" describes it in the same way as
> proposed (p66):
> SAML 1.1
> AttributeName = <local name> (firstname)
> AttributeNamespace = http://schemas.../claims
>
>
> If you are fine with this, I'll create a JIRA and make the following
> modifications to the ClaimsAttributeStatementProvider:
> You can configure which NameFormat should be used, like uri or unspecified
> (Microsoft uses unspecified, Shibboleth uri). The default stays for backwards
> compatibility in 2.6, but I would like to change the default to "unspecified"
> for 2.7.
>
> I've also discovered something in WSS4J in the SAML1ComponentBuilder which
> confused me a lot:
>
>     @SuppressWarnings("unchecked")
>     public static Attribute createSamlv1Attribute(
>         String attributeName,
>         String attributeUrn,
>         List<?> values
>     ) {
>         if (attributeV1Builder == null) {
>             attributeV1Builder = (SAMLObjectBuilder<Attribute>)
>                 builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
>         }
>         if (stringBuilder == null) {
>             stringBuilder =
>                 (XSStringBuilder)builderFactory.getBuilder(XSString.TYPE_NAME);
>         }
>
>         Attribute attribute = attributeV1Builder.buildObject();
>         attribute.setAttributeName(attributeName);
>         attribute.setAttributeNamespace(attributeUrn);
>
>     @SuppressWarnings("unchecked")
>     public static List<AttributeStatement> createSamlv1AttributeStatement(
>         List<AttributeStatementBean> attributeData
>     )
>
>                     Attribute samlAttribute =
>                         createSamlv1Attribute(
>                             values.getSimpleName(),
>                             values.getQualifiedName(),
>                             attributeValues
>                         );
>
> Let me know your thoughts...
>
> Thanks
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
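The naming convention Oliver proposes above (SAML 2.0: Name carries the whole claim URI and NameFormat is configurable between uri and unspecified; SAML 1.1: AttributeName is the local name and AttributeNamespace the rest of the URI), as an added Python example that is not CXF or WSS4J code. It builds both statement forms from one claim map and parses them back on the relying-party side, keyed on the fully qualified URI, so that two "language" attributes from different namespaces stay distinct claims. The sample claim values are constructed for the example and the http://schemas.partner.example namespace is made up.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

for _prefix, _uri in (("saml2", SAML2_NS), ("saml1", SAML1_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample claims keyed by fully qualified claim URI. The third entry
# uses a made-up partner namespace: same local name "language", different claim.
SAMPLE_CLAIMS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["owulff@apache.org"],
    "http://schemas.mycompany.com/claims/language": ["de"],
    "http://schemas.partner.example/claims/language": ["fr"],
}


def split_claim(claim_uri):
    """Split a fully qualified claim URI into (namespace, local name) at the last '/'.

    Bare names such as "emailaddress" are rejected: that is the ambiguity the
    thread wants to remove."""
    namespace, sep, local = claim_uri.rpartition("/")
    if not sep or not namespace or not local:
        raise ValueError(f"claim is not a fully qualified URI: {claim_uri!r}")
    return namespace, local


def _add_values(attribute, saml_ns, values):
    """Append one xs:string AttributeValue child per value."""
    for value in values:
        elem = ET.SubElement(attribute, f"{{{saml_ns}}}AttributeValue",
                             {f"{{{XSI_NS}}}type": "xs:string"})
        elem.text = value


def saml2_attribute_statement(claims, name_format=NAMEFORMAT_UNSPECIFIED):
    """SAML 2.0 form: Name is the whole claim URI, NameFormat is configurable."""
    if name_format not in (NAMEFORMAT_UNSPECIFIED, NAMEFORMAT_URI):
        raise ValueError(f"unsupported NameFormat: {name_format!r}")
    stmt = ET.Element(f"{{{SAML2_NS}}}AttributeStatement", {"xmlns:xs": XS_NS})
    for claim_uri, values in claims.items():
        split_claim(claim_uri)  # validation only; the full URI becomes the Name
        attr = ET.SubElement(stmt, f"{{{SAML2_NS}}}Attribute",
                             {"Name": claim_uri, "NameFormat": name_format})
        _add_values(attr, SAML2_NS, values)
    return ET.tostring(stmt, encoding="unicode")


def saml1_attribute_statement(claims):
    """SAML 1.1 form: AttributeName is the local name, AttributeNamespace the rest."""
    stmt = ET.Element(f"{{{SAML1_NS}}}AttributeStatement", {"xmlns:xs": XS_NS})
    for claim_uri, values in claims.items():
        namespace, local = split_claim(claim_uri)
        attr = ET.SubElement(stmt, f"{{{SAML1_NS}}}Attribute",
                             {"AttributeName": local, "AttributeNamespace": namespace})
        _add_values(attr, SAML1_NS, values)
    return ET.tostring(stmt, encoding="unicode")


def claims_from_statement(xml_text):
    """Relying-party side: rebuild {claim URI: [values]} from either SAML version.

    Keys are always the fully qualified URI, so "language" from two namespaces
    never collapses into one claim."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root:
        if attr.tag == f"{{{SAML2_NS}}}Attribute":
            name_format = attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED)
            if name_format not in (NAMEFORMAT_UNSPECIFIED, NAMEFORMAT_URI):
                raise ValueError(f"unsupported NameFormat: {name_format!r}")
            claim_uri = attr.get("Name", "")
            split_claim(claim_uri)  # reject bare, unqualified names
        elif attr.tag == f"{{{SAML1_NS}}}Attribute":
            namespace = attr.get("AttributeNamespace", "").rstrip("/")
            local = attr.get("AttributeName", "")
            if not namespace or not local:
                raise ValueError("SAML 1.1 attribute needs both AttributeName and AttributeNamespace")
            claim_uri = f"{namespace}/{local}"
        else:
            raise ValueError(f"unexpected element {attr.tag}")
        values = [v.text or "" for v in attr if v.tag.endswith("}AttributeValue")]
        claims.setdefault(claim_uri, []).extend(values)
    return claims


if __name__ == "__main__":
    print(saml2_attribute_statement(SAMPLE_CLAIMS))
    print(saml1_attribute_statement(SAMPLE_CLAIMS))
    print(claims_from_statement(saml1_attribute_statement(SAMPLE_CLAIMS)))
```

A relying party that matched attributes on the bare local name, as the current SAML 2.0 output invites, would treat the mycompany and partner "language" attributes as the same claim; parsing back on the reconstructed URI keeps them apart for both SAML versions, and both builders refuse a claim that has no namespace at all.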
