Hi Andrei,

From what I can see, I'm not actually receiving any of the
AttributeStatements I requested as part of the token.  There should be
AttributeStatements for:

http://.../ws/2005/05/identity/claims/role
http://.../ws/2005/05/identity/claims/surname
http://.../ws/2005/05/identity/claims/givenname

But from what I can see in the print out below of the token, there are no
attribute values present.  When the Service is contacted, however, if I
remove the STS's capability to provide an attribute for one of those claims,
the token is rejected and the service cannot be accessed.  When all of the
attribute providers are present, the token is accepted and the service and
client function correctly.

Print out of token:

<!--
  SAML 1.1 assertion (MajorVersion="1", MinorVersion="1") as printed by the client.
  The single AttributeStatement below carries one attribute, "token-requestor";
  no attribute for the role, surname or givenname claim URIs appears in this print-out.
  NOTE(review): the ';' following several quoted attribute values is presumably an
  artifact of the mail archive rather than part of the token; confirm against the raw token.
-->
<saml1:Assertion AssertionID="_89BE1A329735CB55B9133708789407010"
IssueInstant="2012-05-15T13:18:14.070Z" Issuer="Merge Healthcare Default
STS" MajorVersion="1" MinorVersion="1"
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:type="saml1:AssertionType">

        <!-- Validity window is five minutes (NotBefore 13:18:14.071Z to NotOnOrAfter 13:23:14.071Z)
             and the audience is restricted to one service URL; the relying party is expected
             to check both before accepting the token. -->
        <saml1:Conditions NotBefore="2012-05-15T13:18:14.071Z"
NotOnOrAfter="2012-05-15T13:23:14.071Z">

                <saml1:AudienceRestrictionCondition>

                        <saml1:Audience>

                        
http://taylor-d-w7:12007/icc-basic-demo-service-1.0-SNAPSHOT/MergeDemo/MergeDemoService

                        </saml1:Audience>

                </saml1:AudienceRestrictionCondition>

        </saml1:Conditions>

        <saml1:AttributeStatement>

                <saml1:Subject>

                        <saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="http://cxf.apache.org/sts";>

                                wsitUser

                        </saml1:NameIdentifier>

                        <!-- Holder-of-key confirmation: the proof key is carried in an xenc:EncryptedKey
                             whose recipient certificate is identified by X509IssuerSerial. -->
                        <saml1:SubjectConfirmation>

                                <saml1:ConfirmationMethod>

                                        
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key

                                </saml1:ConfirmationMethod>

                                <ds:KeyInfo 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>

                                        <xenc:EncryptedKey 
Id="EK-89BE1A329735CB55B913370878940709"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>

                                                <!-- Key transport is RSA PKCS#1 v1.5 (rsa-1_5). This padding is susceptible to
                                                     padding-oracle attacks when the decrypting party reveals decryption failures;
                                                     RSA-OAEP is the usual replacement where both sides support it. -->
                                                <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5";>

                                                </xenc:EncryptionMethod>

                                                <ds:KeyInfo>

                                                        
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>

                                                                <ds:X509Data>

                                                                        
<ds:X509IssuerSerial>

                                                                                
<ds:X509IssuerName>

                                                                                
        CN=SUNCA,OU=JWS,O=SUN,ST=Some-State,C=AU

                                                                                
</ds:X509IssuerName>

                                                                                
<ds:X509SerialNumber>

                                                                                
        3

                                                                                
</ds:X509SerialNumber>

                                                                        
</ds:X509IssuerSerial>

                                                                </ds:X509Data>

                                                        
</wsse:SecurityTokenReference>

                                                </ds:KeyInfo>

                                                <xenc:CipherData>

                                                        <xenc:CipherValue>

                                                        
uHeOeNq3yXO7DNMbndEZO2ecAMUeixBnZKgV6JXxxDuBDla1SAl9XDODDshzYIRdxk9PoF4l1TcxRRoTfde/AFh1BdfX0X3i3NP4guSx3V962dIF0FeL5dC5m85AtUXKybkNKEkyfpd31V68xkLc05eUuH2hnY6dwSH8AVujcE4=

                                                        </xenc:CipherValue>

                                                </xenc:CipherData>

                                        </xenc:EncryptedKey>

                                </ds:KeyInfo>

                        </saml1:SubjectConfirmation>

                </saml1:Subject>

                <!-- The only saml1:Attribute in this statement. -->
                <saml1:Attribute AttributeName="token-requestor"
AttributeNamespace="http://cxf.apache.org/sts";>

                        <saml1:AttributeValue xsi:type="xs:string">

                                authenticated

                        </saml1:AttributeValue>

                </saml1:Attribute>

        </saml1:AttributeStatement>

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>

                <ds:SignedInfo>

                        <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>

                        </ds:CanonicalizationMethod>

                        <!-- Signature uses RSA with SHA-1; SHA-1 is deprecated for signatures, so an RSA-SHA256
                             signature method is preferable where the STS and the service both support it. -->
                        <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";>

                        </ds:SignatureMethod>

                        <!-- Enveloped signature over the element whose ID equals the AssertionID above,
                             i.e. the assertion itself. -->
                        <ds:Reference URI="#_89BE1A329735CB55B9133708789407010">

                                <ds:Transforms>

                                        <ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";>

                                        </ds:Transform>

                                        <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";>

                                                <ec:InclusiveNamespaces 
PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#";>

                                                </ec:InclusiveNamespaces>

                                        </ds:Transform>

                                </ds:Transforms>

                                <!-- The reference digest is SHA-1 as well. -->
                                <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";>

                                </ds:DigestMethod>

                                <ds:DigestValue>

                                        2mr3d420awDJSRm2vtemryWRdt4=

                                </ds:DigestValue>

                        </ds:Reference>

                </ds:SignedInfo>

                <ds:SignatureValue>

                
tJjV8JsPsRM9cTMrzKLas+aRtvReHE/SiY1aKW1gBzF28Zn/ekggHFswZBhVhYWof1uplV6vPKpliRuUXhi8Go9xvis2df35gBSVhd8ia6M9H8F3SeQp/uqji5qEwGaJ1iZ0c/qV74/lLTf2LWA2RDSJCRL5m7+8NyhpyKm62kU=

                </ds:SignatureValue>

                <ds:KeyInfo>

                        <ds:X509Data>

                                <ds:X509Certificate>

                                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                                </ds:X509Certificate>

                        </ds:X509Data>

                </ds:KeyInfo>

        </ds:Signature>

</saml1:Assertion>
