Hi there

I came across an issue in processing the claims encoded within a SAML 1.1 and 
2.0 attribute statement. Right now, the ClaimsAttributeStatementProvider 
creates the name of an attribute like this:

SAML 2.0

Current example:

    <saml2:Attribute Name="emailaddress"
                     NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
        <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
                     NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
    </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims
  schema, then the name of the SAML attribute is a simple name like "givenname"
  instead of a fully qualified one.
- The NameFormat should not be
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
    </saml2:Attribute>

I'd like to change this as the attribute name should always be fully qualified
and the NameFormat should be used for other purposes instead of
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Here is an example of how ADFS does it:
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/


SAML 1.1

Current example:

    <saml1:Attribute AttributeName="emailaddress"
                     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
        <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
    </saml1:Attribute>
    <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
                     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
    </saml1:Attribute>

Issue:

- If the attribute is not part of the
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, the AttributeName is
  fully qualified (which it shouldn't be) and the AttributeNamespace is again
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

    <saml1:Attribute AttributeName="emailaddress"
                     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
        <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
    </saml1:Attribute>
    <saml1:Attribute AttributeName="language"
                     AttributeNamespace="http://schemas.mycompany.com/claims">
        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
    </saml1:Attribute>

The book "Windows Identity Foundation" describes it in the same way as proposed
(p66):

SAML 1.1
AttributeName = <local name> (firstname)
AttributeNamespace = http://schemas.../claims


If you are fine with this, I'll create a JIRA and make the following
modifications to the ClaimsAttributeStatementProvider:
You can configure which NameFormat should be used, like uri or unspecified
(Microsoft uses unspecified, Shibboleth uri). The default stays for backwards
compatibility in 2.6, but I would like to change the default to "unspecified" for
2.7.




I've also discovered something in WSS4J in the SAML1ComponentBuilder which 
confused me a lot:


    // SAML1ComponentBuilder: the attribute is built from an "attributeName"
    // and an "attributeUrn" parameter ...
    @SuppressWarnings("unchecked")
    public static Attribute createSamlv1Attribute(
        String attributeName,
        String attributeUrn,
        List<?> values
    ) {
        if (attributeV1Builder == null) {
            attributeV1Builder = (SAMLObjectBuilder<Attribute>)
                builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
        }
        if (stringBuilder == null) {
            stringBuilder =
                (XSStringBuilder) builderFactory.getBuilder(XSString.TYPE_NAME);
        }

        Attribute attribute = attributeV1Builder.buildObject();
        attribute.setAttributeName(attributeName);     // AttributeName      <- attributeName
        attribute.setAttributeNamespace(attributeUrn); // AttributeNamespace <- attributeUrn
        // ... (value handling not quoted here)
    }

    // ... and the caller passes the bean's simple name as attributeName and
    // its qualified name as attributeUrn:
    @SuppressWarnings("unchecked")
    public static List<AttributeStatement> createSamlv1AttributeStatement(
        List<AttributeStatementBean> attributeData
    ) {
        // ...
                    Attribute samlAttribute =
                        createSamlv1Attribute(
                            values.getSimpleName(),
                            values.getQualifiedName(),
                            attributeValues
                        );
        // ...
    }


Let me know your thoughts...

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division
http://www.talend.com

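An added worked example (not CXF STS or WSS4J code, and not part of the thread) of the mapping proposed in the mail: SAML 2.0 attributes keep the full claim type in Name with a configurable NameFormat, SAML 1.1 attributes split the claim type into AttributeNamespace and AttributeName, and a relying-party helper shows why the current SAML 1.1 output cannot be reversed for custom claim types. The function names, the two sample claims and the `current_saml1_attribute` emulation of the current behaviour are assumptions drawn from the description in the mail, not from the real implementation.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
for _prefix, _uri in (("saml2", SAML2_NS), ("saml1", SAML1_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)

IDENTITY_CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"  # ADFS
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # Shibboleth


def split_claim_type(claim_type):
    """Split a claim type URI at its last '/' into (namespace, local name):
    'http://schemas.mycompany.com/claims/language' ->
    ('http://schemas.mycompany.com/claims', 'language').
    Values without a scheme or without a local part are rejected instead of
    silently becoming an empty or bogus AttributeName."""
    claim_type = claim_type.strip()
    scheme_end = claim_type.find("://")
    sep = claim_type.rfind("/")
    if scheme_end < 0 or sep <= scheme_end + 2 or sep == len(claim_type) - 1:
        raise ValueError("not a qualified claim type URI: %r" % claim_type)
    return claim_type[:sep], claim_type[sep + 1:]


def _add_values(attr, ns, values):
    # One xs:string AttributeValue per value, as in the examples in the mail.
    for value in values:
        av = ET.SubElement(attr, "{%s}AttributeValue" % ns)
        av.set("{%s}type" % XSI_NS, "xs:string")
        av.text = value


def saml2_attribute(claim_type, values, name_format=NAMEFORMAT_UNSPECIFIED):
    """Proposed SAML 2.0 form: Name always carries the full claim type and
    NameFormat says how to read it (unspecified for ADFS, uri for Shibboleth)."""
    split_claim_type(claim_type)  # validation only
    attr = ET.Element("{%s}Attribute" % SAML2_NS)
    attr.set("Name", claim_type)
    attr.set("NameFormat", name_format)
    _add_values(attr, SAML2_NS, values)
    return attr


def saml1_attribute(claim_type, values):
    """Proposed SAML 1.1 form: AttributeNamespace = namespace part,
    AttributeName = local name, for every claim type."""
    namespace, local_name = split_claim_type(claim_type)
    attr = ET.Element("{%s}Attribute" % SAML1_NS)
    attr.set("AttributeName", local_name)
    attr.set("AttributeNamespace", namespace)
    _add_values(attr, SAML1_NS, values)
    return attr


def current_saml1_attribute(claim_type, values):
    """Emulation (an assumption, not the real code) of the current SAML 1.1
    output described in the mail: only identity-claims types get a short
    name, and AttributeNamespace is always the identity-claims namespace."""
    namespace, local_name = split_claim_type(claim_type)
    attr = ET.Element("{%s}Attribute" % SAML1_NS)
    attr.set("AttributeName", local_name if namespace == IDENTITY_CLAIMS_NS else claim_type)
    attr.set("AttributeNamespace", IDENTITY_CLAIMS_NS)
    _add_values(attr, SAML1_NS, values)
    return attr


def claim_type_of(attr):
    """Relying-party side: recover the full claim type from an Attribute of
    either version. SAML 1.1 is rebuilt as namespace + '/' + name, the
    reconstruction that the current output breaks for custom claim types."""
    if attr.tag == "{%s}Attribute" % SAML2_NS:
        return attr.get("Name")
    if attr.tag == "{%s}Attribute" % SAML1_NS:
        return attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
    raise ValueError("not a SAML Attribute element: %s" % attr.tag)


def attribute_statement(version, claims, name_format=NAMEFORMAT_UNSPECIFIED):
    """Serialise {claim_type: [values]} as a SAML '1.1' or '2.0'
    AttributeStatement in the proposed form."""
    ns = SAML2_NS if version == "2.0" else SAML1_NS
    statement = ET.Element("{%s}AttributeStatement" % ns)
    statement.set("xmlns:xs", XS_NS)  # declares the xs prefix used in the xsi:type values
    for claim_type, values in claims.items():
        if version == "2.0":
            statement.append(saml2_attribute(claim_type, values, name_format))
        else:
            statement.append(saml1_attribute(claim_type, values))
    return ET.tostring(statement, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample claims, modelled on the two in the mail.
    claims = {IDENTITY_CLAIMS_NS + "/emailaddress": ["alice@example.com"],
              "http://schemas.mycompany.com/claims/language": ["de"]}
    print(attribute_statement("2.0", claims))
    print(attribute_statement("1.1", claims))
    for claim_type in claims:  # round trip: proposed form survives, current form does not
        print(claim_type_of(saml1_attribute(claim_type, ["x"])) == claim_type,
              claim_type_of(current_saml1_attribute(claim_type, ["x"])) == claim_type)
```

Running the block prints both statements and, per claim, whether namespace + "/" + name round-trips: the proposed SAML 1.1 form does for both claims, the emulated current form only for the identity-claims one, because the custom claim's full URI ends up as AttributeName under the wrong namespace. The `name_format` parameter stands in for the configurable NameFormat option described in the mail (unspecified by default, uri for Shibboleth-style consumers); `split_claim_type` also rejects claim types with no local part rather than emitting an empty AttributeName.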