Oliver Wulff created CXF-4484:
---------------------------------

             Summary: Claims to SAML attribute encoding wrong
                 Key: CXF-4484
                 URL: https://issues.apache.org/jira/browse/CXF-4484
             Project: CXF
          Issue Type: Bug
          Components: Services
    Affects Versions: 2.6.2
            Reporter: Oliver Wulff


The ClaimsAttributeStatementProvider is responsible for transforming the claims 
into SAML attributes.

SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML 
attribute. The AttributeName is a local name and the AttributeNamespace the 
namespace. Both values form a qualified name (uri).

SAML 2.0 has only the Name attribute and a NameFormat; the latter says what 
kind of format the value of the Name attribute has, like uri, basic, 
unspecified or custom.

The current encoding in the ClaimsAttributeStatementProvider is not aligned 
with the above.

SAML 2.0
--------

Now:
                     <saml2:Attribute Name="emailaddress" 
NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue 
xsi:type="xs:string">[email protected]</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute 
Name="http://schemas.mycompany.com/claims/language" 
NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue 
xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims 
schema, then the name of the SAML attribute is simple, like "givenname", instead 
of fully qualified.
- The NameFormat should not be 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml2:Attribute 
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue 
xsi:type="xs:string">[email protected]</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute 
Name="http://schemas.mycompany.com/claims/language" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue 
xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

You can configure which NameFormat should be used, like uri or unspecified 
(Microsoft uses unspecified, Shibboleth uri). The default stays for backwards 
compatibility in 2.6, but I would like to change the default to "unspecified" 
for 2.7.

SAML 1.1
--------

Now:

                     <saml1:Attribute AttributeName="emailaddress" 
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue 
xsi:type="xs:string">[email protected]</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute 
AttributeName="http://schemas.mycompany.com/claims/language" 
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue 
xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

Issue:

- If the attribute is not part of the 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, the 
AttributeName is fully qualified (which it shouldn't be) and the 
AttributeNamespace is again 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml1:Attribute AttributeName="emailaddress" 
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue 
xsi:type="xs:string">[email protected]</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="language" 
AttributeNamespace="http://schemas.mycompany.com/claims">
                        <saml1:AttributeValue 
xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>
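The two proposals above (SAML 2.0: full claim URI in Name plus a configurable SAML attrname-format NameFormat; SAML 1.1: claim URI split into AttributeNamespace and AttributeName) as one small worked encoder. This is an added example written for this issue, not CXF's ClaimsAttributeStatementProvider and not code from the reporter; it uses Python's standard xml.etree instead of the OpenSAML builders CXF uses, and the function names (split_claim_uri, saml1_attribute, saml2_attribute) and the rule "namespace = everything before the last '/'" are assumptions of the example. The example also rejects the claims dialect namespace as a NameFormat, which is exactly the wrong encoding the report describes.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs; the claims dialect URI is the one from the report.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
IDENTITY_CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# NameFormat values defined by SAML 2.0 core (the report mentions uri and
# unspecified as the ones Shibboleth and Microsoft use).
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
STANDARD_NAME_FORMATS = {NAMEFORMAT_UNSPECIFIED, NAMEFORMAT_URI, NAMEFORMAT_BASIC}

ET.register_namespace("saml1", SAML1_NS)
ET.register_namespace("saml2", SAML2_NS)
ET.register_namespace("xsi", XSI_NS)


def split_claim_uri(claim_uri):
    """Split a claim URI into (namespace, local name) at its last '/'.

    Assumed rule for this example, e.g.
    http://schemas.mycompany.com/claims/language
        -> ("http://schemas.mycompany.com/claims", "language")
    """
    if "/" not in claim_uri:
        raise ValueError("claim URI has no namespace part: %r" % claim_uri)
    namespace, _, local = claim_uri.rpartition("/")
    if not namespace or not local:
        raise ValueError("malformed claim URI: %r" % claim_uri)
    return namespace, local


def _attribute_value(parent, ns, value):
    """Append <AttributeValue xsi:type="xs:string"> with the claim value."""
    elem = ET.SubElement(parent, "{%s}AttributeValue" % ns)
    elem.set("{%s}type" % XSI_NS, "xs:string")
    elem.set("xmlns:xs", XS_NS)  # declare the xs prefix used inside xsi:type
    elem.text = value
    return elem


def saml2_attribute(claim_uri, value, name_format=NAMEFORMAT_UNSPECIFIED):
    """SAML 2.0 encoding: Name carries the full claim URI, NameFormat is a
    SAML attrname-format URI (configurable), never the claims namespace."""
    if name_format == IDENTITY_CLAIMS_NS:
        raise ValueError("the claims dialect namespace is not a NameFormat")
    if name_format not in STANDARD_NAME_FORMATS and ":" not in name_format:
        raise ValueError("custom NameFormat must be an absolute URI: %r" % name_format)
    split_claim_uri(claim_uri)  # fail early on a name that is not qualified
    attr = ET.Element("{%s}Attribute" % SAML2_NS)
    attr.set("Name", claim_uri)
    attr.set("NameFormat", name_format)
    _attribute_value(attr, SAML2_NS, value)
    return attr


def saml1_attribute(claim_uri, value):
    """SAML 1.1 encoding: the claim URI is split into AttributeNamespace
    (the namespace part) and AttributeName (the local name)."""
    namespace, local = split_claim_uri(claim_uri)
    attr = ET.Element("{%s}Attribute" % SAML1_NS)
    attr.set("AttributeName", local)
    attr.set("AttributeNamespace", namespace)
    _attribute_value(attr, SAML1_NS, value)
    return attr


def to_xml(elem):
    """Serialize an attribute element with its prefixes declared."""
    return ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample claims, mirroring the two attributes in the report.
    claims = [
        (IDENTITY_CLAIMS_NS + "/emailaddress", "[email protected]"),
        ("http://schemas.mycompany.com/claims/language", "de"),
    ]
    for uri, val in claims:
        print(to_xml(saml2_attribute(uri, val)))
        print(to_xml(saml1_attribute(uri, val)))
```

Running the block prints both encodings for each sample claim; passing name_format=NAMEFORMAT_URI to saml2_attribute gives the Shibboleth-style output while the default matches the "unspecified" default the report proposes for 2.7.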


