Hi,

> Is the specification part related to "Audience Restriction" implemented by CXF such that if a SAML token in SOAP request does
> not contain the "correct" audience restriction URI then the SAML token validation will fail? How does CXF determine the
> audience restriction URI of the service provider?

It is not implemented - for the reason you outline. If you wish to support this kind of functionality, you need to extend the SamlAssertionValidator in WSS4J + override the "checkConditions(AssertionWrapper)" method. You can get the audience restriction URIs from "assertion.getSaml2().getConditions().getAudienceRestrictions()" etc.

Here is the SamlAssertionValidator:

http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?view=markup

Here is a spring example of how to override the SamlAssertionValidator via the "ws-security.saml2.validator" jaxws-property.

Colm.

On Wed, Apr 2, 2014 at 1:14 PM, Yossi Cohen <[email protected]> wrote:
> Hi,
>
> We are implementing SOAP web services using CXF 2.7.8 / WSS4J SAML 2.0
> implementation.
>
> Question:
> Is the specification part related to "Audience Restriction" implemented by
> CXF such that if a SAML token in SOAP request does not contain the
> "correct" audience restriction URI then the SAML token validation will
> fail? How does CXF determine the audience restriction URI of the service
> provider?
>
> "Audience Restriction" as described in SAML specification:
>
> "The <AudienceRestriction> element specifies that the assertion is
> addressed to one or more specific audiences identified by <Audience>
> elements. Although a SAML relying party that is outside the audiences
> specified is capable of drawing conclusions from an assertion, the SAML
> asserting party explicitly makes no representation as to accuracy or
> trustworthiness to such a party"
>
> Best Regards,
>
> Yossi Cohen
>
> This message and the information contained herein is proprietary and
> confidential and subject to the Amdocs policy statement,
> you may review at http://www.amdocs.com/email_disclaimer.asp
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
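An added example of the validator subclass described in the reply above (not code from the thread or from WSS4J itself): it extends SamlAssertionValidator from the WSS4J 1.6.x line, overrides checkConditions(AssertionWrapper), and refuses any SAML 2.0 assertion whose AudienceRestriction does not name this service. The class name, the allowed audience URI and the use of WSSecurityException.FAILED_AUTHENTICATION as the failure code are this example's own assumptions; the OpenSAML 2 accessors (getAudiences(), getAudienceURI()) are the standard ones for the types returned by getAudienceRestrictions().

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;

// Rejects SAML 2.0 assertions that are not addressed to this service provider.
// CXF does not derive the expected audience for you, so it is configured here.
public class AudienceRestrictionValidator extends SamlAssertionValidator {
    // Audience URI(s) this service accepts. Constructed example value, not from the thread.
    private final Set<String> allowedAudiences =
        new HashSet<String>(Arrays.asList("https://sp.example.com/service"));

    @Override
    protected void checkConditions(AssertionWrapper assertion) throws WSSecurityException {
        // Keep the stock checks (NotBefore / NotOnOrAfter) before adding the audience check.
        super.checkConditions(assertion);
        if (assertion.getSaml2() == null) {
            return; // SAML 1.1 assertions are out of scope for this example
        }
        Conditions conditions = assertion.getSaml2().getConditions();
        List<AudienceRestriction> restrictions =
            conditions == null ? null : conditions.getAudienceRestrictions();
        if (restrictions == null || restrictions.isEmpty()) {
            // Policy choice: an assertion with no AudienceRestriction at all is refused.
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        // SAML Core: each AudienceRestriction element must be satisfied independently,
        // and one element is satisfied when any of its Audience values matches.
        for (AudienceRestriction restriction : restrictions) {
            boolean matched = false;
            for (Audience audience : restriction.getAudiences()) {
                if (allowedAudiences.contains(audience.getAudienceURI())) {
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
            }
        }
    }
}
```

Wire it into the endpoint with the "ws-security.saml2.validator" jaxws-property named in the reply, pointing at an instance of this class; a rejected token then surfaces to the client as a generic WS-Security fault, while the server log carries the FAILED_AUTHENTICATION reason.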
