I'm confused about the mapping of the qualified attribute name to the attribute 
namespace for SAML 1.1.

I set the qualified name in Attribute Bean of WSS4J and the simple name (local 
name). 

                    Attribute samlAttribute =
                        createSamlv1Attribute(
                            values.getSimpleName(),
                            values.getQualifiedName(),
                            attributeValues
                        );

but this maps to 

        Attribute attribute = attributeV1Builder.buildObject();
        attribute.setAttributeName(attributeName);
        attribute.setAttributeNamespace(attributeUrn);

where attributeUrn contains the value of values.getQualifiedName().

IMHO, the namespace of the qualified name must be parsed.

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
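The parsing step this reply asks for, together with the SAML 1.1 and SAML 2.0 attribute shapes proposed in the quoted message below, as an added example that is neither part of this thread nor WSS4J/CXF code. It assumes the convention the thread describes: a claim is a URI whose last '/' (or '#') separates the namespace from the local name, SAML 1.1 carries the two halves in AttributeName/AttributeNamespace, and SAML 2.0 carries the whole URI in Name with NameFormat chosen independently. Function names and the sample values are constructed for the example.

```python
"""Map a fully qualified claim name onto SAML 1.1 and SAML 2.0 attributes.

Constructed example (not project code). The claim URIs are the ones quoted
in the thread; the attribute values are made up.
"""
from xml.etree import ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
for _prefix, _uri in (("saml1", SAML1_NS), ("saml2", SAML2_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)

WS_IDENTITY_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def split_qualified_name(qualified):
    """Split a claim URI at its last '#' or '/' into (namespace, local name).

    ".../identity/claims/emailaddress" -> (".../identity/claims", "emailaddress")
    A bare local name, a trailing separator, or a split that would leave no
    real namespace (e.g. "http://x") is rejected instead of being mapped to an
    empty or nonsensical AttributeNamespace.
    """
    for sep in ("#", "/"):
        idx = qualified.rfind(sep)
        if idx <= 0 or idx == len(qualified) - 1:
            continue
        namespace, local_name = qualified[:idx], qualified[idx + 1:]
        if "://" in namespace:  # assumption: claims are http(s)-style URIs
            return namespace, local_name
    raise ValueError(f"not a namespace-qualified claim name: {qualified!r}")


def join_qualified_name(namespace, local_name):
    """Inverse of split_qualified_name, used when consuming a SAML 1.1 attribute."""
    if namespace.endswith(("/", "#")):
        return namespace + local_name
    return namespace + "/" + local_name


def _add_values(attribute, assertion_ns, values):
    # Every value becomes an xs:string AttributeValue, as in the thread's examples.
    for value in values:
        elem = ET.SubElement(attribute, f"{{{assertion_ns}}}AttributeValue")
        elem.set(f"{{{XSI_NS}}}type", "xs:string")
        elem.text = value


def saml11_attribute(qualified, values):
    """SAML 1.1: AttributeName = local name, AttributeNamespace = namespace."""
    namespace, local_name = split_qualified_name(qualified)
    attribute = ET.Element(f"{{{SAML1_NS}}}Attribute")
    attribute.set("AttributeName", local_name)
    attribute.set("AttributeNamespace", namespace)
    attribute.set("xmlns:xs", XS_NS)  # declares the xs: prefix used by xsi:type
    _add_values(attribute, SAML1_NS, values)
    return attribute


def saml2_attribute(qualified, values, name_format=NAMEFORMAT_UNSPECIFIED):
    """SAML 2.0: Name = the whole URI; NameFormat is a separate, configurable
    choice (the thread notes ADFS uses unspecified and Shibboleth uses uri)."""
    attribute = ET.Element(f"{{{SAML2_NS}}}Attribute")
    attribute.set("Name", qualified)
    attribute.set("NameFormat", name_format)
    attribute.set("xmlns:xs", XS_NS)
    _add_values(attribute, SAML2_NS, values)
    return attribute


def qualified_name_from_attribute(attribute):
    """Recover the fully qualified claim from either form, so a relying party
    matches claims the same way whichever SAML version the STS issued."""
    if attribute.tag == f"{{{SAML1_NS}}}Attribute":
        return join_qualified_name(attribute.get("AttributeNamespace"),
                                   attribute.get("AttributeName"))
    if attribute.tag == f"{{{SAML2_NS}}}Attribute":
        return attribute.get("Name")
    raise ValueError(f"unexpected element {attribute.tag}")


def render(attribute):
    return ET.tostring(attribute, encoding="unicode")


if __name__ == "__main__":
    samples = (  # constructed values
        (WS_IDENTITY_CLAIMS + "/emailaddress", ["user@example.com"]),
        ("http://schemas.mycompany.com/claims/language", ["de"]),
    )
    for claim, values in samples:
        print(render(saml11_attribute(claim, values)))
        print(render(saml2_attribute(claim, values)))
```

The point of the split is that the namespace is never hard-coded: a claim outside the ws/2005/05/identity namespace yields its own AttributeNamespace, and a consumer that rebuilds the qualified name through qualified_name_from_attribute compares full URIs rather than local names, so two issuers using the same local name under different namespaces cannot be confused with each other.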

________________________________________
From: Colm O hEigeartaigh [[email protected]]
Sent: 23 August 2012 12:08
To: [email protected]
Subject: Re: SAML 2.0 attibutes and claims naming convention

> If you are fine with this, I'll create JIRA and make the following
> modifications to the ClaimsAttributeStatementProvider

Fine with me.

> I've also discovered something in WSS4J in the SAML1ComponentBuilder
> which confused me a lot:

What are you confused about exactly? Mapping the AttributeBean simpleName ->
Name and qualifiedName -> attribute Name? This is a consequence of
having the same Bean for creating both SAML 1.1 and SAML 2.0 assertions.

Colm.


On Wed, Aug 22, 2012 at 1:22 PM, Oliver Wulff <[email protected]> wrote:

> Hi there
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like this:
>
> SAML 2.0
>
> Current example:
>
>     <saml2:Attribute Name="emailaddress"
>         NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
>     </saml2:Attribute>
>     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>         NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>     </saml2:Attribute>
>
> Issue:
>
> - If the attribute is part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the
> name of the SAML attribute is simple like "givenname" instead of fully
> qualified.
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
>     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>         <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
>     </saml2:Attribute>
>     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>         <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>     </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully
> qualified and the NameFormat should be used for other purposes instead of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here is an example of how ADFS does it:
>
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
>     <saml1:Attribute AttributeName="emailaddress"
>         AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
>     </saml1:Attribute>
>     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
>         AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>     </saml1:Attribute>
>
> Issue:
>
> - If the attribute is not part of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims, the AttributeName
> is fully qualified (which it shouldn't be) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
>     <saml1:Attribute AttributeName="emailaddress"
>         AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
>     </saml1:Attribute>
>     <saml1:Attribute AttributeName="language"
>         AttributeNamespace="http://schemas.mycompany.com/claims">
>         <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>     </saml1:Attribute>
>
> The book "Windows Identity Foundation" describes it in the same way as
> proposed (p66):
> SAML 1.1
> AttributeName = <local name> (firstname)
> AttributeNamespace = http://schemas.../claims
>
>
> If you are fine with this, I'll create JIRA and make the following
> modifications to the ClaimsAttributeStatementProvider:
> You can configure which NameFormat should be used, like uri or unspecified
> (Microsoft uses unspecified, Shibboleth uri). The default stays for backwards
> compatibility in 2.6, but I would like to change the default to "unspecified"
> for 2.7.
>
> I've also discovered something in WSS4J in the SAML1ComponentBuilder which
> confused me a lot:
>
>
>     @SuppressWarnings("unchecked")
>     public static Attribute createSamlv1Attribute(
>         String attributeName,
>         String attributeUrn,
>         List<?> values
>     ) {
>         if (attributeV1Builder == null) {
>             attributeV1Builder = (SAMLObjectBuilder<Attribute>)
>                 builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
>         }
>         if (stringBuilder == null) {
>             stringBuilder =
>                 (XSStringBuilder) builderFactory.getBuilder(XSString.TYPE_NAME);
>         }
>
>         Attribute attribute = attributeV1Builder.buildObject();
>         attribute.setAttributeName(attributeName);
>         attribute.setAttributeNamespace(attributeUrn);
>
>
>
>     @SuppressWarnings("unchecked")
>     public static List<AttributeStatement> createSamlv1AttributeStatement(
>         List<AttributeStatementBean> attributeData
>     )
>
>
>                     Attribute samlAttribute =
>                         createSamlv1Attribute(
>                             values.getSimpleName(),
>                             values.getQualifiedName(),
>                             attributeValues
>                         );
>
>
> Let me know your thoughts...
>
> Thanks
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
