cxf-issues mailing list archives

From "Yossi Cohen (JIRA)" <>
Subject [jira] [Commented] (CXF-5674) CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Date Sat, 17 Jan 2015 07:55:34 GMT


Yossi Cohen commented on CXF-5674:

Good news! Thank you Colm.

On Fri, Jan 16, 2015 at 4:57 PM, Colm O hEigeartaigh (JIRA) <

*Best Regards,*
*Yossi Cohen*

> CXF Support in "Audience Restriction" of SAML 2 (SOAP)
> ------------------------------------------------------
>                 Key: CXF-5674
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 3.0.0-milestone2, 2.7.10
>            Reporter: Yossi Cohen
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.0.4, 2.7.15
>   Original Estimate: 96h
>  Remaining Estimate: 96h
> The specification part related to "Audience Restriction" is implemented by CXF (OpenSAML)
> to verify syntax, but it does not enforce the specification's rule of rejecting tokens whose
> "Audience Restriction" list of URIs does not include the URI of the target (this)
> service provider.
> It seems like a gap in OpenSAML (ValidatorSuite / saml2-core-spec-validator). The proposal
> is to provide the fix in CXF by registering a new validator with saml2-core-spec-validator that
> will handle "Audience Restriction". For BWC, by default, this whole thing should be disabled.
> The developer should be able to enable it via configuration and also set the entity ID (URI) representing
> the service provider.
> “Audience Restriction” as described in the SAML specification:
> “The <AudienceRestriction> element specifies that the assertion is addressed
> to one or more specific audiences identified by <Audience> elements. Although a SAML
> relying party that is outside the audiences specified is capable of drawing conclusions from
> an assertion, the SAML asserting party explicitly makes no representation as to accuracy or
> trustworthiness to such a party”
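The audience check the issue asks for, written out as an added example in Python. This is not CXF or OpenSAML code; the service provider entity ID, the sample assertions and the `enforce` / `require_restriction` switches are assumptions made here to show the behaviour: disabled by default for backwards compatibility, exact URI comparison when enabled, and the spec's rule that every <AudienceRestriction> element present must independently contain the SP (audiences inside one element are alternatives, separate elements are conjunctive).

```python
# Added example (not CXF or OpenSAML code): the SAML 2.0 AudienceRestriction check the
# issue asks for, written as a stand-alone Python function with constructed test data.
import xml.etree.ElementTree as ET  # for untrusted tokens prefer defusedxml.ElementTree

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Hypothetical entity ID of "this" service provider (the value the issue wants configurable).
SP_ENTITY_ID = "https://sp.example.test/soap/OrderService"


def audience_restrictions(assertion_xml):
    """Return one set of <Audience> URIs per <AudienceRestriction> element.

    SAML 2.0 Core 2.5.1.4: the audiences inside one <AudienceRestriction> are
    alternatives, but every <AudienceRestriction> element present must be satisfied.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        raise ValueError("root element is not a SAML 2.0 <Assertion>")
    groups = []
    for ar in root.findall("saml2:Conditions/saml2:AudienceRestriction", NS):
        groups.append({a.text.strip() for a in ar.findall("saml2:Audience", NS) if a.text})
    return groups


def audience_accepted(assertion_xml, sp_entity_id, enforce=False, require_restriction=False):
    """Decide whether this SP may rely on the assertion, based on audience alone.

    enforce=False reproduces the backwards-compatible default from the issue (no check).
    require_restriction=True additionally rejects assertions that carry no
    <AudienceRestriction> at all; the spec treats an absent element as "unrestricted",
    so that is a deployment hardening choice, not a spec requirement.
    Run this only after the assertion's XML signature has been verified: an unsigned
    or unverified <Audience> value is attacker-controlled.
    """
    if not enforce:
        return True
    groups = audience_restrictions(assertion_xml)
    if not groups:
        return not require_restriction
    # Exact, case-sensitive comparison of URI strings; no normalisation of
    # trailing slashes or case, so a lax match cannot widen the audience.
    return all(sp_entity_id in group for group in groups)


def _assertion(*restriction_groups):
    """Build a minimal unsigned SAML 2.0 <Assertion>; constructed sample data only."""
    conditions = "".join(
        "<saml2:AudienceRestriction>"
        + "".join(f"<saml2:Audience>{a}</saml2:Audience>" for a in group)
        + "</saml2:AudienceRestriction>"
        for group in restriction_groups
    )
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_example" Version="2.0" '
        f'IssueInstant="2015-01-16T14:57:00Z">'
        f"<saml2:Issuer>https://idp.example.test</saml2:Issuer>"
        f"<saml2:Conditions>{conditions}</saml2:Conditions>"
        f"</saml2:Assertion>"
    )


# Constructed assertions covering the cases a validator has to get right.
ASSERTION_FOR_SP = _assertion([SP_ENTITY_ID, "https://other-sp.example.test/"])
ASSERTION_FOR_OTHER_SP = _assertion(["https://other-sp.example.test/"])
ASSERTION_NO_RESTRICTION = _assertion()
ASSERTION_CONFLICTING = _assertion([SP_ENTITY_ID], ["https://other-sp.example.test/"])

if __name__ == "__main__":
    samples = [
        ("for this SP", ASSERTION_FOR_SP),
        ("for another SP", ASSERTION_FOR_OTHER_SP),
        ("no restriction", ASSERTION_NO_RESTRICTION),
        ("conflicting", ASSERTION_CONFLICTING),
    ]
    for name, xml in samples:
        print(f"{name:15s} default={audience_accepted(xml, SP_ENTITY_ID)} "
              f"enforced={audience_accepted(xml, SP_ENTITY_ID, enforce=True)}")
```

The comparison is deliberately a plain string match: normalising case or trailing slashes would let an identity provider's assertion for `https://sp.example.test/soap/OrderService/` satisfy a different configured entity ID, which is exactly the kind of widening an audience check exists to prevent. Whether an assertion with no <AudienceRestriction> at all is acceptable is a policy decision for the deployment, which is why it is a separate switch rather than folded into `enforce`.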
