cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-4484) Claims to SAML attribute encoding wrong
Date Fri, 07 Sep 2012 13:05:07 GMT

     [ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-4484:
-------------------------------------

    Attachment: cxf-4484.patch

Hi Oli,

Could you review the attached patch? It fixes all three issues on trunk. 

The "namespace" property of the "Claim" class now only applies to SAML 1.1 Assertions, and
is null by default. If null then the namespace is extracted from the claimType URI. If non-null,
then the claimType is normalized against it as before.

The Claim class now has a nameFormat property which is used for SAML 2.0 Assertions - the
default is to use "unspecified".

For earlier branches I will just add the changed AttributeProvider to source so users can
use that instead and @deprecate the other implementation.

Colm.
                
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>         Attachments: cxf-4484.patch
>
>
> The ClaimsAttributeStatementProvider is responsible for transforming the claims to a SAML attribute.
> SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML attribute. The AttributeName is a local name and the AttributeNamespace the namespace. Both values form a qualified name (URI).
> SAML 2.0 has only the Name attribute and a NameFormat, where the latter says what kind of format the value of the Name attribute is in, like uri, basic, unspecified or custom.
> The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.
> SAML 2.0
> --------
> Now:
>                      <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
>                      </saml2:Attribute>
>                      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>                      </saml2:Attribute>
> Issue:
> - If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the name of the SAML attribute is simple, like "givenname", instead of fully qualified.
> - The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
> Proposal:
>                      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>                         <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
>                      </saml2:Attribute>
>                      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>                         <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>                      </saml2:Attribute>
> You can configure which NameFormat should be used, like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). The default stays for backwards compatibility in 2.6, but I would like to change the default to "unspecified" for 2.7.
> SAML 1.1
> --------
> Now:
>                      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
>                      </saml1:Attribute>
>                      <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>                      </saml1:Attribute>
> Issue:
> - If the attribute is not part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, the AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
> Proposal:
>                      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>                         <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
>                      </saml1:Attribute>
>                      <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
>                         <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>                      </saml1:Attribute>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
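The encoding the issue proposes, written out as an added example (this is not CXF code and not the ClaimsAttributeStatementProvider API; the names Claim, saml11_attribute, saml2_attribute, to_xml, serialize and claim_type_from_xml are this example's own). It implements the two rules from the thread: SAML 1.1 splits the claim URI into AttributeNamespace and a local AttributeName (or, as in the patch description, normalizes the claim type against an explicitly supplied namespace), and SAML 2.0 always carries the full claim URI in Name with a configurable NameFormat that defaults to "unspecified". It also shows the relying-party side, which is why the bug matters: a consumer that authorizes on the full claim URI cannot match a bare "emailaddress" and cannot tell two namespaces' "language" apart, so the example checks that both encodings round-trip back to the same URI. The sample claims are the two from the issue text.

```python
"""Added example (not CXF code): claim -> SAML attribute encoding per CXF-4484,
for SAML 1.1 and SAML 2.0, plus the reverse mapping a relying party would use.
All function and class names here are this example's own, not CXF's API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from xml.etree import ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# SAML 2.0 NameFormat URIs (SAML core, section 8.2)
NAME_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAME_FORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

for _prefix, _uri in (("saml1", SAML1_NS), ("saml2", SAML2_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)


@dataclass
class Claim:
    claim_type: str                          # full claim URI, e.g. .../claims/emailaddress
    values: list[str] = field(default_factory=list)
    namespace: Optional[str] = None          # SAML 1.1 only; None => derive from claim_type
    name_format: str = NAME_FORMAT_UNSPECIFIED  # SAML 2.0 only; "unspecified" by default


def split_claim_uri(claim_type: str) -> tuple[str, str]:
    """'http://schemas.mycompany.com/claims/language' -> (namespace, 'language')."""
    ns, sep, local = claim_type.rpartition("/")
    if not sep or not ns or not local:
        raise ValueError(f"not a <namespace>/<localname> claim URI: {claim_type!r}")
    return ns, local


def saml11_attribute(claim: Claim) -> tuple[str, str]:
    """(AttributeName, AttributeNamespace) for a SAML 1.1 Attribute."""
    if claim.namespace is None:
        ns, local = split_claim_uri(claim.claim_type)
        return local, ns
    ns = claim.namespace.rstrip("/")
    # Explicit namespace: strip it from the claim type if present; otherwise the
    # claim type is taken to be the bare local name already.
    prefix = ns + "/"
    local = claim.claim_type[len(prefix):] if claim.claim_type.startswith(prefix) else claim.claim_type
    return local, ns


def saml2_attribute(claim: Claim) -> tuple[str, str]:
    """(Name, NameFormat) for a SAML 2.0 Attribute: always the full URI."""
    return claim.claim_type, claim.name_format


def to_xml(claim: Claim, saml_version: str) -> ET.Element:
    """Build the <Attribute> element with one xs:string AttributeValue per value."""
    if saml_version == "1.1":
        name, ns = saml11_attribute(claim)
        attr = ET.Element(f"{{{SAML1_NS}}}Attribute",
                          {"AttributeName": name, "AttributeNamespace": ns})
        value_tag = f"{{{SAML1_NS}}}AttributeValue"
    elif saml_version == "2.0":
        name, fmt = saml2_attribute(claim)
        attr = ET.Element(f"{{{SAML2_NS}}}Attribute", {"Name": name, "NameFormat": fmt})
        value_tag = f"{{{SAML2_NS}}}AttributeValue"
    else:
        raise ValueError(f"unsupported SAML version {saml_version!r}")
    attr.set("xmlns:xs", XS_NS)  # declare the prefix used by xsi:type="xs:string"
    for v in claim.values:
        ET.SubElement(attr, value_tag, {f"{{{XSI_NS}}}type": "xs:string"}).text = v
    return attr


def serialize(claim: Claim, saml_version: str) -> str:
    return ET.tostring(to_xml(claim, saml_version), encoding="unicode")


def claim_type_from_xml(attr: ET.Element) -> str:
    """Relying-party side: recover the claim URI from either encoding.
    SAML 1.1 joins namespace and local name; SAML 2.0 takes Name as-is for the
    'uri' and 'unspecified' formats and rejects any other NameFormat."""
    if attr.tag == f"{{{SAML1_NS}}}Attribute":
        return attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
    if attr.tag == f"{{{SAML2_NS}}}Attribute":
        if attr.get("NameFormat") not in (NAME_FORMAT_URI, NAME_FORMAT_UNSPECIFIED):
            raise ValueError(f"unexpected NameFormat {attr.get('NameFormat')!r}")
        return attr.get("Name")
    raise ValueError(f"not a SAML Attribute element: {attr.tag}")


def round_trip_ok(claim: Claim) -> bool:
    """Both encodings of a full-URI claim must map back to the same claim URI."""
    return all(claim_type_from_xml(to_xml(claim, v)) == claim.claim_type for v in ("1.1", "2.0"))


if __name__ == "__main__":
    # Sample claims from the issue text
    wsid = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
    for c in (Claim(wsid + "/emailaddress", ["owulff@apache.org"]),
              Claim("http://schemas.mycompany.com/claims/language", ["de"])):
        print(serialize(c, "1.1"))
        print(serialize(c, "2.0"))
        print("round trip:", round_trip_ok(c))
```

The reverse mapping deliberately rejects SAML 2.0 attributes whose NameFormat is not "uri" or "unspecified": with the "basic" format, or the bogus claims-namespace NameFormat the issue shows, Name is not a claim URI and treating it as one would let an unrelated attribute satisfy a claim-based authorization check.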
