[ https://issues.apache.org/jira/browse/CXF-5674?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp updated CXF-5674:
-----------------------------
Fix Version/s: (was: 2.7.11) (was: 3.0.0)
> CXF Support in "Audience Restriction" of SAML 2 (SOAP)
> ------------------------------------------------------
>
> Key: CXF-5674
> URL: https://issues.apache.org/jira/browse/CXF-5674
> Project: CXF
> Issue Type: Improvement
> Components: WS-* Components
> Affects Versions: 3.0.0-milestone2, 2.7.10
> Reporter: Yossi Cohen
> Original Estimate: 96h
> Remaining Estimate: 96h
>
> The specification part related to "Audience Restriction" is implemented by
> CXF (OpenSAML) to verify syntax, but it does not enforce the specification's
> rule of rejecting tokens that do not include the URI of the target (this)
> service provider in their "Audience Restriction" list of URIs.
> It seems like a gap in OpenSAML (ValidatorSuite /
> saml2-core-spec-validator). The proposal is to provide the fix in CXF by
> registering a new validator with saml2-core-spec-validator that will handle
> "Audience Restriction". For BWC, by default, this whole thing should be
> disabled. The developer should be able to enable it via configuration and also
> set the entity-id (URI) representing the service provider URI.
> "Audience Restriction" as described in the SAML specification:
> "The <AudienceRestriction> element specifies that the assertion is addressed
> to one or more specific audiences identified by <Audience> elements. Although
> a SAML relying party that is outside the audiences specified is capable of
> drawing conclusions from an assertion, the SAML asserting party explicitly
> makes no representation as to accuracy or trustworthiness to such a party."
--
This message was sent by Atlassian JIRA
(v6.2#6252)
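The check the ticket proposes, as an added example that is not code from the CXF project or from the reporter: an OpenSAML 2.x `Validator` that rejects an assertion whose `AudienceRestriction` conditions do not name this service provider, registered with the `saml2-core-spec-validator` suite only when a configuration flag enables it so that default behaviour stays backward compatible. It assumes the OpenSAML 2.x API (`org.opensaml.Configuration`, `ValidatorSuite`, `Assertion.getConditions()`, `AudienceRestriction.getAudiences()`, `Audience.getAudienceURI()`); the class name `AudienceRestrictionValidator`, the helper `isAudienceSatisfied` and the `register` method are this example's own. It applies the full SAML 2.0 core rule rather than a single-audience check: several `AudienceRestriction` elements are ANDed, the `Audience` values inside one are ORed, and an assertion with no `AudienceRestriction` is unrestricted.

```java
// Added example, not CXF or OpenSAML project code. Assumes OpenSAML 2.x on the
// classpath; AudienceRestrictionValidator, isAudienceSatisfied and register are
// names chosen for this example.
import java.util.ArrayList;
import java.util.List;

import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.Validator;
import org.opensaml.xml.validation.ValidatorSuite;

public class AudienceRestrictionValidator implements Validator<Assertion> {

    /** Entity ID (URI) of this service provider: the audience we must be addressed to. */
    private final String spEntityId;

    public AudienceRestrictionValidator(String spEntityId) {
        if (spEntityId == null || spEntityId.isEmpty()) {
            throw new IllegalArgumentException("service provider entity ID must be configured");
        }
        this.spEntityId = spEntityId;
    }

    /**
     * SAML 2.0 core rule for AudienceRestriction: the relying party must be a
     * member of EVERY AudienceRestriction present (AND); within one
     * AudienceRestriction, matching ANY Audience is enough (OR). An empty list
     * of restrictions means the assertion is unrestricted. Comparison is an
     * exact string match on the URI reference; an AudienceRestriction with no
     * Audience children can never match and therefore rejects.
     */
    static boolean isAudienceSatisfied(List<List<String>> restrictions, String spEntityId) {
        for (List<String> audiences : restrictions) {
            if (!audiences.contains(spEntityId)) {
                return false;   // one restriction excludes this SP -> reject
            }
        }
        return true;
    }

    @Override
    public void validate(Assertion assertion) throws ValidationException {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            return;             // no Conditions element: nothing to enforce
        }
        // Flatten the OpenSAML object model into lists of audience URIs so the
        // decision logic above stays independent of the XML binding.
        List<List<String>> restrictions = new ArrayList<List<String>>();
        for (AudienceRestriction ar : conditions.getAudienceRestrictions()) {
            List<String> uris = new ArrayList<String>();
            for (Audience a : ar.getAudiences()) {
                uris.add(a.getAudienceURI());
            }
            restrictions.add(uris);
        }
        if (!isAudienceSatisfied(restrictions, spEntityId)) {
            throw new ValidationException("Assertion " + assertion.getID()
                + " is not addressed to this service provider (" + spEntityId + ")");
        }
    }

    /**
     * Hook the validator into the suite named in the ticket. Call this only
     * when the check is enabled by configuration, so the default behaviour
     * stays backward compatible (tokens without a matching audience are still
     * accepted unless the deployer opts in).
     */
    public static void register(boolean enabled, String spEntityId) {
        if (!enabled) {
            return;
        }
        ValidatorSuite suite = Configuration.getValidatorSuite("saml2-core-spec-validator");
        suite.registerValidator(Assertion.DEFAULT_ELEMENT_NAME,
                                new AudienceRestrictionValidator(spEntityId));
    }
}
```

Keeping the decision in `isAudienceSatisfied`, which takes plain lists of strings, lets it be unit-tested without building OpenSAML objects; `validate` only adapts the object model to it. Registering against `Assertion.DEFAULT_ELEMENT_NAME` means the suite applies the check to every `Assertion` it validates, which is why the opt-in flag matters for existing deployments that rely on tokens issued without an audience naming them.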