From: Glen Mazza
To: dev@cxf.apache.org
Date: Wed, 22 Aug 2012 09:21:38 -0700 (PDT)
Subject: Re: SAML 2.0 attibutes and claims naming convention
Message-ID: <1345652498537-5712998.post@n5.nabble.com>
In-Reply-To: <79AB4452999C844D9920E036353327311A5829@S10BE002.SH10.lan>

Hi Oli, comments below:

Oliver Wulff-2 wrote
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the ClaimsAttributeStatementProvider
> creates the name of an attribute like this:
>
> SAML 2.0
>
> Current example:
>
>     NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     xsi:type="xs:string">owulff@
>
>     Name="http://schemas.mycompany.com/claims/language"
>     NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     xsi:type="xs:string">de
>
> Issue:
>
> - If the attribute is part of the
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name
>   of the SAML attribute is simple, like "givenname", instead of fully
>   qualified.
>
> - The NameFormat should not be
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>

OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:

> Proposal:
>
>     Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>     xsi:type="xs:string">owulff@
>
>     Name="http://schemas.mycompany.com/claims/language"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>     xsi:type="xs:string">de
>
> I'd like to change this as the attribute name should always be fully
> qualified and the NameFormat should be used for other purposes instead of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Here is an example of how ADFS does it:
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
> SAML 1.1
>
> Current example:
>
>     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     xsi:type="xs:string">owulff@
>
>     AttributeName="http://schemas.mycompany.com/claims/language"
>     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     xsi:type="xs:string">de
>
> Issue:
>
> - If the attribute is not part of
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims, the AttributeName is
>   fully qualified (which it shouldn't be) and the AttributeNamespace is again
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>

Question: I'm confused here. Why can't/shouldn't the attribute name be fully
qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace? If this is
kosher:

Thanks,
Glen

--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-2-0-attibutes-and-claims-naming-convention-tp5712967p5712998.html
Sent from the cxf-dev mailing list archive at Nabble.com.
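As an added illustration of the naming convention under discussion (example code, not part of the thread and not CXF's ClaimsAttributeStatementProvider): a small checker that parses a SAML attribute statement and reports the two SAML 2.0 problems Oliver lists (a simple, unqualified Name and the claims schema URI used as NameFormat) plus the SAML 1.1 AttributeName/AttributeNamespace mismatch. The sample statements, the e-mail address and the `check_attribute_naming` name are constructed here; the namespace and NameFormat URIs are the standard SAML ones.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# NameFormat values defined by SAML 2.0 core (the proposal uses "unspecified")
SAML2_NAME_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
}

def is_qualified(name):
    """'Fully qualified' in the thread's sense: the claim name is an absolute URI."""
    return name.startswith(("http://", "https://", "urn:"))

def check_attribute_naming(xml_text):
    """Return [(attribute name, problem)]; empty means the proposed convention holds."""
    root = ET.fromstring(xml_text)
    problems = []
    for attr in root.iter("{%s}Attribute" % SAML2_NS):
        name, fmt = attr.get("Name", ""), attr.get("NameFormat", "")
        if not is_qualified(name):
            problems.append((name, "SAML 2.0 Name is not fully qualified"))
        if fmt not in SAML2_NAME_FORMATS:
            problems.append((name, "NameFormat is not a SAML 2.0 attrname-format URI"))
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        name, ns = attr.get("AttributeName", ""), attr.get("AttributeNamespace", "")
        if is_qualified(name) and not name.startswith(ns):
            problems.append((name, "SAML 1.1 AttributeName is a URI outside AttributeNamespace"))
    return problems

# Constructed sample in the "current" shape from the thread: a simple name for a
# claims-namespace attribute, and the claims URI misused as NameFormat on both.
CURRENT_SAML2 = """<saml:AttributeStatement xmlns:saml="%s"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="emailaddress" NameFormat="%s">
    <saml:AttributeValue xsi:type="xs:string">owulff@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="%s">
    <saml:AttributeValue xsi:type="xs:string">de</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>""" % (SAML2_NS, CLAIMS_NS, CLAIMS_NS)

# The same statement in the proposed form: qualified Name, standard NameFormat.
PROPOSED_SAML2 = CURRENT_SAML2.replace(
    'Name="emailaddress"', 'Name="%s/emailaddress"' % CLAIMS_NS).replace(
    'NameFormat="%s"' % CLAIMS_NS,
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"')
```

Running `check_attribute_naming` over `CURRENT_SAML2` yields three findings and over `PROPOSED_SAML2` none, which is the before/after difference the proposal describes.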