[
https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Oliver Wulff updated CXF-4484:
------------------------------
Description:
The ClaimsAttributeStatementProvider is responsible for transforming the claims
into SAML attributes.
SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML
attribute. The AttributeName is a local name and the AttributeNamespace the
namespace. Both values form a qualified name (uri).
SAML 2.0 has only the Name attribute and a NameFormat, where the latter says
what format the value of the Name attribute has, such as uri, basic,
unspecified or custom.
The current encoding in the ClaimsAttributeStatementProvider is not aligned
with the above.
SAML 2.0
--------
Now:
<saml2:Attribute Name="emailaddress"
                 NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
                 NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
</saml2:Attribute>
Issue:
- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims
  schema, then the name of the SAML attribute is simple, like "givenname",
  instead of fully qualified.
- The NameFormat should not be
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
Proposal:
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
</saml2:Attribute>
You can configure which NameFormat should be used, like uri or unspecified
(Microsoft uses unspecified, Shibboleth uri). The default stays for backwards
compatibility in 2.6, but I would like to change the default to "unspecified"
for 2.7.
SAML 1.1
--------
Now:
<saml1:Attribute AttributeName="emailaddress"
                 AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
                 AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
</saml1:Attribute>
Issue:
- If the attribute is not part of
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims, the AttributeName is
  fully qualified (which it shouldn't be) and the AttributeNamespace is again
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
Proposal:
<saml1:Attribute AttributeName="emailaddress"
                 AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml1:AttributeValue xsi:type="xs:string">[email protected]</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="language"
                 AttributeNamespace="http://schemas.mycompany.com/claims">
  <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
</saml1:Attribute>
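The split-at-last-"/" rule the proposal relies on, with the current ("Now") and proposed SAML 1.1 encodings side by side and the proposed SAML 2.0 encoding with a configurable NameFormat, as an added Python example. This is not code from CXF or from this report: the function names, the round-trip helper claim_uri_from_saml1 (which rebuilds the claim URI the way a relying party keyed on claim URIs would) and the sample attribute values are assumptions made for the example; the claim URIs, the identity/claims namespace and the attrname-format URIs are the ones quoted in the report.

```python
"""Claim URI to SAML attribute encoding: the report's 'Now' vs 'Proposal' forms."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# The claim namespace the current provider hard-codes into every attribute.
IDENTITY_CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# SAML 2.0 attribute name formats (the two the report mentions as configurable).
NAME_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

for _prefix, _uri in (("saml1", SAML1_NS), ("saml2", SAML2_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)


def split_claim_uri(claim_uri):
    """Split a claim URI into (namespace, local name) at its last '/'.

    'http://schemas.mycompany.com/claims/language'
        -> ('http://schemas.mycompany.com/claims', 'language')
    A value with no '/', or with nothing on one side of the last '/',
    cannot be split and is rejected instead of being mis-encoded.
    """
    namespace, sep, local = claim_uri.rpartition("/")
    if not sep or not namespace or not local:
        raise ValueError("claim URI cannot be split into namespace/name: %r" % claim_uri)
    return namespace, local


def _add_values(attr, ns, values):
    """Append one xs:string AttributeValue per value (shared by all encoders)."""
    attr.set("xmlns:xs", XS_NS)  # declare the 'xs' prefix used in xsi:type
    for v in values:
        val = ET.SubElement(attr, "{%s}AttributeValue" % ns)
        val.set("{%s}type" % XSI_NS, "xs:string")
        val.text = v
    return attr


def legacy_saml1_attribute(claim_uri, values):
    """The 'Now' SAML 1.1 encoding from the report: AttributeNamespace is
    always the identity/claims namespace, and AttributeName is shortened
    only for claims inside that namespace (custom claims keep the full URI)."""
    name = claim_uri
    if claim_uri.startswith(IDENTITY_CLAIMS_NS + "/"):
        name = claim_uri[len(IDENTITY_CLAIMS_NS) + 1:]
    attr = ET.Element("{%s}Attribute" % SAML1_NS,
                      {"AttributeName": name, "AttributeNamespace": IDENTITY_CLAIMS_NS})
    return _add_values(attr, SAML1_NS, values)


def proposed_saml1_attribute(claim_uri, values):
    """The proposed SAML 1.1 encoding: every claim URI is split into
    AttributeNamespace + AttributeName, whatever namespace it belongs to."""
    namespace, local = split_claim_uri(claim_uri)
    attr = ET.Element("{%s}Attribute" % SAML1_NS,
                      {"AttributeName": local, "AttributeNamespace": namespace})
    return _add_values(attr, SAML1_NS, values)


def proposed_saml2_attribute(claim_uri, values, name_format=NAME_FORMAT_UNSPECIFIED):
    """The proposed SAML 2.0 encoding: Name carries the full claim URI and
    NameFormat is a real attrname-format URI, configurable between
    'unspecified' (Microsoft) and 'uri' (Shibboleth)."""
    if name_format not in (NAME_FORMAT_UNSPECIFIED, NAME_FORMAT_URI):
        raise ValueError("unsupported NameFormat: %r" % name_format)
    attr = ET.Element("{%s}Attribute" % SAML2_NS,
                      {"Name": claim_uri, "NameFormat": name_format})
    return _add_values(attr, SAML2_NS, values)


def claim_uri_from_saml1(attr):
    """What a relying party reconstructs from a SAML 1.1 attribute:
    AttributeNamespace + '/' + AttributeName (assumed RP behaviour)."""
    return attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")


if __name__ == "__main__":
    # Constructed sample claims: the two claim URIs quoted in the report.
    claims = {
        IDENTITY_CLAIMS_NS + "/emailaddress": ["alice@example.com"],
        "http://schemas.mycompany.com/claims/language": ["de"],
    }
    for uri, vals in claims.items():
        for enc in (legacy_saml1_attribute, proposed_saml1_attribute):
            a = enc(uri, vals)
            status = "round-trips" if claim_uri_from_saml1(a) == uri else "BREAKS"
            print(enc.__name__, status, uri)
            print(ET.tostring(a, encoding="unicode"))
        print(ET.tostring(proposed_saml2_attribute(uri, vals), encoding="unicode"))
```

Running it shows the practical effect of the report: under the current encoding only claims inside the identity/claims namespace survive a namespace + name round-trip, while a custom claim comes back as the identity namespace with a full URI appended to it, so a relying party that keys its attribute lookup on claim URIs either misses the attribute or has to special-case this issuer. Under the proposed encoding both claims round-trip, and the SAML 2.0 Name is the claim URI itself regardless of which NameFormat the deployment is configured for.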
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
> Key: CXF-4484
> URL: https://issues.apache.org/jira/browse/CXF-4484
> Project: CXF
> Issue Type: Bug
> Components: Services
> Affects Versions: 2.6.2
> Reporter: Oliver Wulff
>
--
This message is automatically generated by JIRA.