Yossi Cohen created CXF-5674:
--------------------------------
Summary: CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Key: CXF-5674
URL: https://issues.apache.org/jira/browse/CXF-5674
Project: CXF
Issue Type: Improvement
Components: WS-* Components
Affects Versions: 2.7.10, 3.0.0-milestone2
Reporter: Yossi Cohen
Fix For: 3.0.0, 2.7.11
The part of the specification related to "Audience Restriction" is implemented by
CXF (via OpenSAML) only to the extent of verifying syntax; it does not enforce the
specification's rule of rejecting tokens whose "Audience Restriction" list of URIs
does not include the URI of the target (this) service provider.
It seems to be a gap in OpenSAML (ValidatorSuite / saml2-core-spec-validator).
The proposal is to provide the fix in CXF by registering a new validator with
saml2-core-spec-validator that handles "Audience Restriction". For backwards
compatibility, the whole thing should be disabled by default. Developers should be
able to enable it via configuration and also set the entity-id (URI) representing
the service provider.
“Audience Restriction” as described in the SAML specification:
“The <AudienceRestriction> element specifies that the assertion is addressed to
one or more specific audiences identified by <Audience> elements. Although a
SAML relying party that is outside the audiences specified is capable of
drawing conclusions from an assertion, the SAML asserting party explicitly
makes no representation as to accuracy or trustworthiness to such a party”
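As an added illustration of the proposed check (this is not CXF's or OpenSAML's code), the following standalone Python validator applies the AudienceRestriction rule only when explicitly enabled and configured with the service provider's entity ID, evaluating each AudienceRestriction element independently as the specification requires; the assertion template and all URIs are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

class AudienceRestrictionValidator:
    """Enforces the SAML 2.0 AudienceRestriction rule for one service provider.
    Disabled by default for backwards compatibility; when enabled, the relying
    party's entity ID (URI) must be configured."""

    def __init__(self, enabled=False, entity_id=None):
        if enabled and not entity_id:
            raise ValueError("entity_id (service provider URI) is required when enabled")
        self.enabled = enabled
        self.entity_id = entity_id

    def validate(self, assertion_xml):
        """Return a list of problems; an empty list means the assertion is accepted."""
        if not self.enabled:
            return []  # feature off: behave exactly as before
        root = ET.fromstring(assertion_xml)
        restrictions = root.findall("saml2:Conditions/saml2:AudienceRestriction", NS)
        # An assertion without <AudienceRestriction> carries no audience condition,
        # so there is nothing to enforce here (a stricter deployment could reject it).
        # SAML 2.0 Core 2.5.1.4: every <AudienceRestriction> must be satisfied
        # independently; within one element, matching any single <Audience> suffices.
        errors = []
        for index, restriction in enumerate(restrictions, start=1):
            audiences = [(a.text or "").strip() for a in restriction.findall("saml2:Audience", NS)]
            if self.entity_id not in audiences:
                errors.append(f"AudienceRestriction #{index} does not list {self.entity_id}: {audiences}")
        return errors

# Constructed sample assertion (not a real token) used to exercise the validator.
ASSERTION_TEMPLATE = (
    '<saml2:Assertion xmlns:saml2="{ns}" ID="_constructed" Version="2.0" '
    'IssueInstant="2014-04-01T00:00:00Z"><saml2:Issuer>https://idp.example.org</saml2:Issuer>'
    "<saml2:Conditions>{conditions}</saml2:Conditions></saml2:Assertion>"
)

def assertion_for(*audience_lists):
    """Build an assertion with one <AudienceRestriction> per list of audience URIs."""
    conditions = "".join(
        "<saml2:AudienceRestriction>"
        + "".join(f"<saml2:Audience>{uri}</saml2:Audience>" for uri in uris)
        + "</saml2:AudienceRestriction>"
        for uris in audience_lists
    )
    return ASSERTION_TEMPLATE.format(ns=SAML2_NS, conditions=conditions)
```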
--
This message was sent by Atlassian JIRA
(v6.2#6252)