> If you are fine with this, I'll create JIRA and make the following modifications to the ClaimsAttributeStatementProvider

Fine with me.

> I've also discovered something in WSS4J in the SAML1ComponentBuilder which confused me a lot:

What are you confused about exactly? Mapping the AttributeBean simpleName -> Name and qualified Name -> attribute Name? This is as a consequence of having the same Bean for creating both SAML 1.1 and SAML 2.0 assertions.

Colm.

> On Wed, Aug 22, 2012 at 1:22 PM, Oliver Wulff <[email protected]> wrote:
> Hi there
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the ClaimsAttributeStatementProvider
> creates the name of an attribute like this:
>
> SAML 2.0
>
> Current example:
>
>   <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
>   </saml2:Attribute>
>   <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>   </saml2:Attribute>
>
> Issue:
>
> - If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the
>   name of the SAML attribute is simple like "givenname" instead of fully qualified.
> - The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
>   <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>     <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
>   </saml2:Attribute>
>   <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>     <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>   </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully qualified and the NameFormat
> should be used for other purposes instead of http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here is an example of how ADFS does it:
>
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
> SAML 1.1
>
> Current example:
>
>   <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
>   </saml1:Attribute>
>   <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>   </saml1:Attribute>
>
> Issue:
>
> - If the attribute is not part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, the
>   AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
>   <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>     <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
>   </saml1:Attribute>
>   <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
>     <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>   </saml1:Attribute>
>
> The book "Windows Identity Foundation" describes it in the same way as proposed (p66):
>
> SAML 1.1
> AttributeName = <local name> (firstname)
> AttributeNamespace = http://schemas.../claims
>
> If you are fine with this, I'll create JIRA and make the following modifications to the
> ClaimsAttributeStatementProvider:
> You can configure which NameFormat should be used, like uri or unspecified (Microsoft uses
> unspecified, Shibboleth uri). The default stays for backwards compatibility in 2.6, but I would
> like to change the default to "unspecified" for 2.7.
>
> I've also discovered something in WSS4J in the SAML1ComponentBuilder which confused me a lot:
>
>   @SuppressWarnings("unchecked")
>   public static Attribute createSamlv1Attribute(
>       String attributeName,
>       String attributeUrn,
>       List<?> values
>   ) {
>       if (attributeV1Builder == null) {
>           attributeV1Builder = (SAMLObjectBuilder<Attribute>)
>               builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
>       }
>       if (stringBuilder == null) {
>           stringBuilder =
>               (XSStringBuilder)builderFactory.getBuilder(XSString.TYPE_NAME);
>       }
>
>       Attribute attribute = attributeV1Builder.buildObject();
>       attribute.setAttributeName(attributeName);
>       attribute.setAttributeNamespace(attributeUrn);
>
>   @SuppressWarnings("unchecked")
>   public static List<AttributeStatement> createSamlv1AttributeStatement(
>       List<AttributeStatementBean> attributeData
>   )
>
>       Attribute samlAttribute =
>           createSamlv1Attribute(
>               values.getSimpleName(),
>               values.getQualifiedName(),
>               attributeValues
>           );
>
> Let me know your thoughts...
>
> Thanks
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
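The mapping Oliver proposes above (SAML 2.0: Name = full claim URI plus a real SAML NameFormat; SAML 1.1: AttributeName = local name, AttributeNamespace = the claim namespace), as an added illustration that is not CXF or WSS4J code and is written in Python rather than the project's Java. It assumes the local name of a claim is the last path segment of its URI (true for both the WS-Identity claims and the http://schemas.mycompany.com/claims/language example in the thread), and, when decoding, treats a SAML 1.1 AttributeName that already contains "://" as the pre-fix encoding; the claim URIs and values are constructed for the example.

```python
# Added example (not CXF/WSS4J code): encode a fully-qualified claim URI as a
# SAML 2.0 or SAML 1.1 <Attribute> the way the thread proposes, and decode
# either form back to one claim URI so a relying party compares claims by a
# single key regardless of the SAML version. Sample data is constructed.
from typing import List, Tuple
import xml.etree.ElementTree as ET

NS_SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_XS = "http://www.w3.org/2001/XMLSchema"
for _prefix, _uri in (("saml2", NS_SAML2), ("saml1", NS_SAML1), ("xsi", NS_XSI), ("xs", NS_XS)):
    ET.register_namespace(_prefix, _uri)

WS_IDENTITY_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Real SAML 2.0 NameFormat URNs: "unspecified" is what ADFS emits, "uri" what Shibboleth emits.
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ALLOWED_NAMEFORMATS = (NAMEFORMAT_UNSPECIFIED, NAMEFORMAT_URI)


def split_claim(claim_uri: str) -> Tuple[str, str]:
    """Split a fully-qualified claim URI at its last '/' into (namespace, local name).

    Assumption (not from the thread): the local name is the final path segment.
    A bare local name such as "emailaddress" is rejected, since the proposal is
    that claims are always handled as fully-qualified URIs.
    """
    namespace, sep, local = claim_uri.rpartition("/")
    if not sep or not local or "://" not in namespace:
        raise ValueError(f"not a fully-qualified claim URI: {claim_uri!r}")
    return namespace, local


def _add_values(attr: ET.Element, value_tag: str, values: List[str]) -> None:
    """Append one xs:string AttributeValue child per value."""
    for value in values:
        child = ET.SubElement(attr, value_tag, {f"{{{NS_XSI}}}type": "xs:string"})
        child.text = value


def saml2_attribute(claim_uri: str, values: List[str],
                    name_format: str = NAMEFORMAT_UNSPECIFIED) -> ET.Element:
    """SAML 2.0 form: Name is always the full claim URI and NameFormat is a SAML
    NameFormat URN (configurable), never the WS-Identity claims namespace."""
    split_claim(claim_uri)  # validate shape only; the full URI is the Name
    if name_format not in ALLOWED_NAMEFORMATS:
        raise ValueError(f"unsupported NameFormat: {name_format!r}")
    attr = ET.Element(f"{{{NS_SAML2}}}Attribute",
                      {"Name": claim_uri, "NameFormat": name_format})
    _add_values(attr, f"{{{NS_SAML2}}}AttributeValue", values)
    return attr


def saml1_attribute(claim_uri: str, values: List[str]) -> ET.Element:
    """SAML 1.1 form: AttributeName is the local name, AttributeNamespace the
    namespace, for custom claims as well as WS-Identity ones."""
    namespace, local = split_claim(claim_uri)
    attr = ET.Element(f"{{{NS_SAML1}}}Attribute",
                      {"AttributeName": local, "AttributeNamespace": namespace})
    _add_values(attr, f"{{{NS_SAML1}}}AttributeValue", values)
    return attr


def claim_uri_of(attr: ET.Element) -> str:
    """Recover the fully-qualified claim URI from either encoding.

    For SAML 1.1 an AttributeName containing "://" is assumed to be the older
    encoding from the thread, where the name was already fully qualified.
    """
    if attr.tag == f"{{{NS_SAML2}}}Attribute":
        return attr.get("Name", "")
    if attr.tag == f"{{{NS_SAML1}}}Attribute":
        name = attr.get("AttributeName", "")
        if "://" in name:
            return name
        return attr.get("AttributeNamespace", "").rstrip("/") + "/" + name
    raise ValueError(f"not a SAML attribute element: {attr.tag}")


def claim_values(attr: ET.Element) -> List[str]:
    """Text of every AttributeValue child, in document order."""
    return [child.text or "" for child in attr if child.tag.endswith("}AttributeValue")]


def render(attr: ET.Element) -> str:
    """Serialise an attribute element with the registered prefixes."""
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    for uri, vals in ((WS_IDENTITY_CLAIMS + "/emailaddress", ["alice@example.com"]),
                      ("http://schemas.mycompany.com/claims/language", ["de"])):
        print(render(saml2_attribute(uri, vals)))
        print(render(saml1_attribute(uri, vals)))
```

Running the module prints both encodings for the two claims from the thread; the point to check in a relying party is that `claim_uri_of` yields the same key for the SAML 1.1 and SAML 2.0 forms of one claim, and that a bare local name is never accepted as a claim identifier.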
