[ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13450676#comment-13450676 ]
Oliver Wulff commented on CXF-4484:
-----------------------------------

Hi Colm

The nameFormat property is token specific and should be in ClaimsAttributeStatementProvider instead of the token agnostic Claim class.

Oli

> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.5.6, 2.6.3, 2.7.0
>
>         Attachments: cxf-4484.patch
>
>
> The ClaimsAttributeStatementProvider is responsible for transforming the claims
> to a SAML attribute.
>
> SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML
> attribute. The AttributeName is a local name and the AttributeNamespace the
> namespace. Both values form a qualified name (uri).
>
> SAML 2.0 has only the Name attribute and a NameFormat, where the latter says
> what kind of format the value of the Name attribute is, like uri, basic,
> unspecified or custom.
>
> The current encoding in the ClaimsAttributeStatementProvider is not aligned
> with the above.
>
> SAML 2.0
> --------
>
> Now:
>
> <saml2:Attribute Name="emailaddress"
>     NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml2:AttributeValue xsi:type="xs:string">owu...@apache.org</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>     NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> Issue:
> - If the attribute is part of the
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name of
>   the SAML attribute is simple like "givenname" instead of fully qualified.
> - The NameFormat should not be
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
> <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>   <saml2:AttributeValue xsi:type="xs:string">owu...@apache.org</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>   <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> You can configure which NameFormat should be used, like uri or unspecified
> (Microsoft uses unspecified, Shibboleth uri). The default stays for backwards
> compatibility in 2.6, but I would like to change the default to "unspecified" for
> 2.7.
>
> SAML 1.1
> --------
>
> Now:
>
> <saml1:Attribute AttributeName="emailaddress"
>     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml1:AttributeValue xsi:type="xs:string">owu...@apache.org</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
>     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> Issue:
> - If the attribute is not part of the
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, the AttributeName is
>   fully qualified (which it shouldn't be) and the AttributeNamespace is again
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
> <saml1:Attribute AttributeName="emailaddress"
>     AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml1:AttributeValue xsi:type="xs:string">owu...@apache.org</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="language"
>     AttributeNamespace="http://schemas.mycompany.com/claims">
>   <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
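To make the encoding rules in the issue concrete, here is an added Python example; it is not CXF code and not part of this JIRA thread. It builds the proposed SAML 1.1 and SAML 2.0 attributes from a claim URI, rejects the reported misuse of NameFormat as a namespace carrier, and recovers the claim URI from both the proposed and the pre-fix encodings so a relying party can normalise tokens from either STS version. It assumes that a claim URI splits into namespace and local name at its last '/'; the function names and the namespace-check are the example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NF_PREFIX = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
NF_UNSPECIFIED = NF_PREFIX + "unspecified"  # Microsoft's choice; Shibboleth uses NF_PREFIX + "uri"


def split_claim_uri(claim_uri):
    """Split an absolute claim URI at its last '/' into (namespace, local name) (assumed rule)."""
    uri = claim_uri.rstrip("/")
    idx = uri.rfind("/")
    if not urlsplit(uri).scheme or idx <= 0:
        raise ValueError(f"not an absolute claim URI: {claim_uri!r}")
    return uri[:idx], uri[idx + 1:]


def _add_value(attr, ns, value):
    val = ET.SubElement(attr, f"{{{ns}}}AttributeValue")
    val.set(f"{{{XSI_NS}}}type", "xs:string")
    val.text = value


def saml2_attribute(claim_uri, value, name_format=NF_UNSPECIFIED):
    """SAML 2.0 proposal: full claim URI in Name; NameFormat is a configured format id."""
    namespace, _ = split_claim_uri(claim_uri)
    if name_format == namespace:  # the reported bug: claim namespace smuggled into NameFormat
        raise ValueError("NameFormat must describe the Name's format, not carry a namespace")
    attr = ET.Element(f"{{{SAML2_NS}}}Attribute", Name=claim_uri, NameFormat=name_format)
    _add_value(attr, SAML2_NS, value)
    return attr


def saml1_attribute(claim_uri, value):
    """SAML 1.1 proposal: local name in AttributeName, the claim's own namespace alongside."""
    namespace, local = split_claim_uri(claim_uri)
    attr = ET.Element(f"{{{SAML1_NS}}}Attribute", AttributeName=local, AttributeNamespace=namespace)
    _add_value(attr, SAML1_NS, value)
    return attr


def claim_uri_of(attr):
    """Recover the claim URI from either SAML version, tolerating pre-fix encoded tokens."""
    if attr.tag == f"{{{SAML2_NS}}}Attribute":
        name, fmt = attr.get("Name", ""), attr.get("NameFormat", "")
        if urlsplit(name).scheme or fmt.startswith(NF_PREFIX):
            return name  # already a URI, or a plain basic/unspecified name
        return fmt.rstrip("/") + "/" + name  # old encoding: NameFormat held the namespace
    if attr.tag == f"{{{SAML1_NS}}}Attribute":
        name, ns = attr.get("AttributeName", ""), attr.get("AttributeNamespace", "")
        return name if urlsplit(name).scheme else ns.rstrip("/") + "/" + name
    raise ValueError(f"not a SAML Attribute element: {attr.tag}")
```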