[ 
https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh reassigned CXF-4484:
----------------------------------------

    Assignee: Colm O hEigeartaigh
    
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>         Attachments: cxf-4484.patch
>
>
> The ClaimsAttributeStatementProvider is responsible for transforming the claims 
> into a SAML attribute.
> SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML 
> attribute. The AttributeName is a local name and the AttributeNamespace the 
> namespace. Both values form a qualified name (URI).
> SAML 2.0 has only the Name attribute and a NameFormat, where the latter says 
> what kind of format the value of the Name attribute has, like uri, basic, 
> unspecified or custom.
> The current encoding in the ClaimsAttributeStatementProvider is not aligned 
> with the above.
> SAML 2.0
> --------
> Now:
>     <saml2:Attribute Name="emailaddress"
>                      NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml2:AttributeValue xsi:type="xs:string">owu...@apache.org</saml2:AttributeValue>
>     </saml2:Attribute>
>     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>                      NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>     </saml2:Attribute>
> Issue:
> - If the attribute is part of the 
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the name of 
> the SAML attribute is a simple name like "givenname" instead of a fully 
> qualified one.
> - The NameFormat should not be 
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
> Proposal:
>     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>         <saml2:AttributeValue xsi:type="xs:string">owu...@apache.org</saml2:AttributeValue>
>     </saml2:Attribute>
>     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>         <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
>     </saml2:Attribute>
> You can configure which NameFormat should be used, like uri or unspecified 
> (Microsoft uses unspecified, Shibboleth uri). The default stays as it is for 
> backwards compatibility in 2.6, but I would like to change the default to 
> "unspecified" for 2.7.
> SAML 1.1
> --------
> Now:
>     <saml1:Attribute AttributeName="emailaddress"
>                      AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml1:AttributeValue xsi:type="xs:string">owu...@apache.org</saml1:AttributeValue>
>     </saml1:Attribute>
>     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
>                      AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>     </saml1:Attribute>
> Issue:
> - If the attribute is not part of the 
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, the 
> AttributeName is fully qualified (which it shouldn't be) and the 
> AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
> Proposal:
>     <saml1:Attribute AttributeName="emailaddress"
>                      AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>         <saml1:AttributeValue xsi:type="xs:string">owu...@apache.org</saml1:AttributeValue>
>     </saml1:Attribute>
>     <saml1:Attribute AttributeName="language"
>                      AttributeNamespace="http://schemas.mycompany.com/claims">
>         <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
>     </saml1:Attribute>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
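The claim-to-attribute mapping proposed in the issue above, written out as an added Python example. This is not CXF's ClaimsAttributeStatementProvider nor the attached patch; it only encodes the rule the report describes (SAML 2.0: Name carries the full claim URI and NameFormat is configurable, defaulting to "unspecified"; SAML 1.1: the claim URI is split at its last "/" into AttributeNamespace and AttributeName) and the matching decoding a relying party needs to get the claim URI back. The function names, the `split_claim_uri` helper, and the sample claim values are assumptions made for the example.

```python
"""Map claim type URIs onto SAML 1.1 / SAML 2.0 Attribute elements.

Added example for CXF-4484 (not project code): encodes the proposed
mapping in both directions so a token producer and a relying party
agree on what the claim URI is.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# SAML 2.0 NameFormat URIs from the SAML 2.0 core specification.
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

for _prefix, _uri in (("saml2", SAML2_NS), ("saml1", SAML1_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)


def split_claim_uri(claim_uri):
    """Split a claim type URI into (namespace, local name) at the last '/'.

    A bare name such as "language" is rejected: without a namespace the
    SAML 1.1 AttributeNamespace cannot be filled in, and a relying party
    could not tell whose "language" claim it is looking at.
    """
    namespace, sep, local = claim_uri.rpartition("/")
    if not sep or not namespace or not local:
        raise ValueError("claim type is not a namespaced URI: %r" % claim_uri)
    return namespace, local


def _add_values(attribute, value_tag, values):
    # One AttributeValue child per value, typed xs:string as in the report.
    for value in values:
        value_el = ET.SubElement(attribute, value_tag)
        value_el.set("{%s}type" % XSI_NS, "xs:string")
        value_el.text = value


def saml2_attribute(claim_uri, values, name_format=NAMEFORMAT_UNSPECIFIED):
    """SAML 2.0: Name is the full claim URI; NameFormat is configurable."""
    split_claim_uri(claim_uri)  # validate only; SAML 2.0 keeps the URI whole
    attribute = ET.Element("{%s}Attribute" % SAML2_NS)
    attribute.set("xmlns:xs", XS_NS)  # declares the xs: prefix used in xsi:type
    attribute.set("Name", claim_uri)
    attribute.set("NameFormat", name_format)
    _add_values(attribute, "{%s}AttributeValue" % SAML2_NS, values)
    return attribute


def saml1_attribute(claim_uri, values):
    """SAML 1.1: AttributeNamespace + '/' + AttributeName rebuilds the claim URI."""
    namespace, local = split_claim_uri(claim_uri)
    attribute = ET.Element("{%s}Attribute" % SAML1_NS)
    attribute.set("xmlns:xs", XS_NS)
    attribute.set("AttributeName", local)
    attribute.set("AttributeNamespace", namespace)
    _add_values(attribute, "{%s}AttributeValue" % SAML1_NS, values)
    return attribute


def claim_uri_from_attribute(attribute):
    """Recover the claim URI from an Attribute element of either SAML version."""
    if attribute.tag == "{%s}Attribute" % SAML2_NS:
        return attribute.get("Name")
    if attribute.tag == "{%s}Attribute" % SAML1_NS:
        namespace = attribute.get("AttributeNamespace").rstrip("/")
        return namespace + "/" + attribute.get("AttributeName")
    raise ValueError("not a SAML Attribute element: %r" % attribute.tag)


def attribute_values(attribute):
    """Return the string values carried by an Attribute element, in order."""
    return [child.text for child in attribute]


if __name__ == "__main__":
    # Constructed sample claims mirroring the two in the issue report.
    claims = {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["owu@example.org"],
        "http://schemas.mycompany.com/claims/language": ["de"],
    }
    for uri, vals in claims.items():
        print(ET.tostring(saml2_attribute(uri, vals), encoding="unicode"))
        print(ET.tostring(saml1_attribute(uri, vals), encoding="unicode"))
```

A relying party should always compare the reconstructed claim URI, never the local name alone: "emailaddress" under http://schemas.xmlsoap.org/ws/2005/05/identity/claims and "emailaddress" under some other namespace are different claims, which is exactly the ambiguity the current encoding creates when it drops the namespace from the Name.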
