cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yossi Cohen (JIRA)" <>
Subject [jira] [Commented] (CXF-5674) CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Date Tue, 15 Apr 2014 12:39:15 GMT


Yossi Cohen commented on CXF-5674:

My terms of employment in Amdocs do not allow me to do so. If we were
planning to develop it i would work with our legal dep. to get approval but
at least for now it is not in scope.
 On Apr 14, 2014 1:51 PM, "Colm O hEigeartaigh (JIRA)" <>

> CXF Support in "Audience Restriction" of SAML 2 (SOAP)
> ------------------------------------------------------
>                 Key: CXF-5674
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 3.0.0-milestone2, 2.7.10
>            Reporter: Yossi Cohen
>            Assignee: Colm O hEigeartaigh
>   Original Estimate: 96h
>  Remaining Estimate: 96h
> The specification part related to "Audience Restriction" is implemented by CXF (opensaml)
to verify syntax but it does not enforce the specification's rule of rejecting tokens that
do not include in their "Audience Restriction" list of URIs - the URI of the target (this)
service provider. 
> It seems like a gap in open-saml (ValidatorSuite  / saml2-core-spec-validator). The proposal
is to provide the fix in CXF by registering a new validator to saml2-core-spec-validator that
will handle "Audience Restriction". For BWC, by default, this all thing should be disabled.
Developer should be able to enable it via configuration and also set the entity-id (URI) representing
the service provider URI.
> “Audience Restriction” as described in SAML specification:
> “The <AudienceRestriction> element specifies that the assertion is addressed
to one or more specific audiences identified by <Audience> elements. Although a SAML
relying party that is outside the audiences specified is capable of drawing conclusions from
an assertion, the SAML asserting party explicitly makes no representation as to accuracy or
trustworthiness to such a party”

This message was sent by Atlassian JIRA

View raw message