cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Commented] (CXF-5674) CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Date Thu, 17 Apr 2014 13:11:23 GMT


Colm O hEigeartaigh commented on CXF-5674:

I've merged a test to CXF to show how this can be done with the existing code. TBH I feel
an OpenSAML validator is overkill for this issue. The SAMLAssertionValidator in WSS4J has a
protected method which can be overridden to check the audience restrictions. See the following
commit for details:;a=commit;h=6d272301

IMO this test-case addresses this issue fairly adequately. If you agree I will mark the issue
as resolved, otherwise it can stay open until a patch is supplied.


> CXF Support in "Audience Restriction" of SAML 2 (SOAP)
> ------------------------------------------------------
>                 Key: CXF-5674
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 3.0.0-milestone2, 2.7.10
>            Reporter: Yossi Cohen
>            Assignee: Colm O hEigeartaigh
>   Original Estimate: 96h
>  Remaining Estimate: 96h
>
> The specification part related to "Audience Restriction" is implemented by CXF (opensaml)
> to verify syntax, but it does not enforce the specification's rule of rejecting tokens that
> do not include, in their "Audience Restriction" list of URIs, the URI of the target (this)
> service provider.
> It seems like a gap in open-saml (ValidatorSuite / saml2-core-spec-validator). The proposal
> is to provide the fix in CXF by registering a new validator to saml2-core-spec-validator that
> will handle "Audience Restriction". For BWC, by default, this whole thing should be disabled.
> Developers should be able to enable it via configuration and also set the entity-id (URI)
> representing the service provider URI.
> “Audience Restriction” as described in the SAML specification:
> “The <AudienceRestriction> element specifies that the assertion is addressed
> to one or more specific audiences identified by <Audience> elements. Although a SAML
> relying party that is outside the audiences specified is capable of drawing conclusions from
> an assertion, the SAML asserting party explicitly makes no representation as to accuracy or
> trustworthiness to such a party”

This message was sent by Atlassian JIRA
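The approach described in the comment above (subclassing WSS4J's SamlAssertionValidator and overriding its protected conditions check rather than adding an OpenSAML validator), written out as an added example. This is not the test from the referenced CXF commit and not project code: the class name AudienceRestrictionValidator, the package and the constructor arguments are assumptions made here, and the code assumes the WSS4J 2.0 / OpenSAML 2 API used by the CXF 3.0 line (org.apache.wss4j.dom.validate.SamlAssertionValidator with checkConditions(SamlAssertionWrapper)). It follows the SAML 2.0 Core rule that several <AudienceRestriction> elements are evaluated independently (all must pass) while the <Audience> values inside one element are alternatives, and it makes the "reject tokens with no AudienceRestriction at all" behaviour a constructor flag, defaulting to the lenient reading, in the spirit of the issue's request that the check be opt-in.

```java
package example.saml; // hypothetical package for this added example

import java.util.Collections;
import java.util.List;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.validate.SamlAssertionValidator;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;

/**
 * Rejects SAML 2.0 assertions whose AudienceRestriction does not name this
 * service provider. Per SAML 2.0 Core 2.5.1.4, each AudienceRestriction
 * element is evaluated independently (AND across elements), while the
 * Audience values inside one element are alternatives (OR within an element).
 */
public class AudienceRestrictionValidator extends SamlAssertionValidator {

    // Entity-ids (URIs) under which this service provider accepts assertions.
    private final List<String> acceptedAudiences;
    // If true, an assertion with no AudienceRestriction at all is rejected too.
    private final boolean requireAudienceRestriction;

    public AudienceRestrictionValidator(List<String> acceptedAudiences,
                                        boolean requireAudienceRestriction) {
        this.acceptedAudiences = Collections.unmodifiableList(acceptedAudiences);
        this.requireAudienceRestriction = requireAudienceRestriction;
    }

    public AudienceRestrictionValidator(List<String> acceptedAudiences) {
        this(acceptedAudiences, false);
    }

    @Override
    protected void checkConditions(SamlAssertionWrapper samlAssertion)
        throws WSSecurityException {
        // Keep the stock NotBefore / NotOnOrAfter validity-window checks.
        super.checkConditions(samlAssertion);

        if (samlAssertion.getSaml2() == null) {
            return; // SAML 1.1 token: outside the scope of this validator
        }
        Conditions conditions = samlAssertion.getSaml2().getConditions();
        List<AudienceRestriction> restrictions = conditions == null
            ? Collections.<AudienceRestriction>emptyList()
            : conditions.getAudienceRestrictions();

        if (restrictions.isEmpty()) {
            if (requireAudienceRestriction) {
                throw new WSSecurityException(
                    WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            return; // no restriction stated: the issuer addressed the assertion to anyone
        }
        // Every AudienceRestriction element must name this service provider.
        for (AudienceRestriction restriction : restrictions) {
            if (!namesThisService(restriction)) {
                throw new WSSecurityException(
                    WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        }
    }

    // True if at least one Audience URI in this element is one of ours.
    private boolean namesThisService(AudienceRestriction restriction) {
        for (Audience audience : restriction.getAudiences()) {
            String uri = audience.getAudienceURI();
            if (uri != null && acceptedAudiences.contains(uri.trim())) {
                return true;
            }
        }
        return false;
    }
}
```

To make CXF use it instead of the default validator, set an instance as the value of the `ws-security.saml2.validator` endpoint property (CXF's `SecurityConstants.SAML2_TOKEN_VALIDATOR`), for example `endpoint.getProperties().put("ws-security.saml2.validator", new AudienceRestrictionValidator(Arrays.asList("https://sp.example.invalid/entity")))`, where the entity-id shown is a placeholder. On the CXF 2.7 / WSS4J 1.6 line the same override applies to `org.apache.ws.security.validate.SamlAssertionValidator`, whose `checkConditions` takes an `AssertionWrapper` instead. Comparing audience URIs by exact string match (after trimming) is deliberate: URI normalisation would widen what the issuer's statement is taken to cover.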
