[ https://issues.apache.org/jira/browse/CXF-5674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13972911#comment-13972911 ]
Colm O hEigeartaigh commented on CXF-5674:
------------------------------------------

I've merged a test to CXF to show how this can be done with the existing code. TBH I feel an OpenSAML validator is overkill for this issue. The SAMLAssertionValidator in WSS4J has a protected method which can be overridden to check the audience restrictions. See the following commit for details:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=6d272301

IMO this test-case addresses this issue fairly adequately. If you agree I will mark the issue as resolved, otherwise it can stay open until a patch is supplied.

Colm.

> CXF Support in "Audience Restriction" of SAML 2 (SOAP)
> ------------------------------------------------------
>
>                 Key: CXF-5674
>                 URL: https://issues.apache.org/jira/browse/CXF-5674
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 3.0.0-milestone2, 2.7.10
>            Reporter: Yossi Cohen
>            Assignee: Colm O hEigeartaigh
>   Original Estimate: 96h
>  Remaining Estimate: 96h
>
> The specification part related to "Audience Restriction" is implemented by
> CXF (opensaml) to verify syntax, but it does not enforce the specification's
> rule of rejecting tokens that do not include in their "Audience Restriction"
> list of URIs the URI of the target (this) service provider.
> It seems like a gap in open-saml (ValidatorSuite /
> saml2-core-spec-validator). The proposal is to provide the fix in CXF by
> registering a new validator with saml2-core-spec-validator that will handle
> "Audience Restriction". For BWC, by default, all of this should be
> disabled. The developer should be able to enable it via configuration and also
> set the entity-id (URI) representing the service provider URI.
> "Audience Restriction" as described in the SAML specification:
> "The <AudienceRestriction> element specifies that the assertion is addressed
> to one or more specific audiences identified by <Audience> elements. Although
> a SAML relying party that is outside the audiences specified is capable of
> drawing conclusions from an assertion, the SAML asserting party explicitly
> makes no representation as to accuracy or trustworthiness to such a party"

--
This message was sent by Atlassian JIRA
(v6.2#6252)
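The audience check the issue asks for, written out as an added example of the SAML 2.0 rule rather than as the CXF test or WSS4J's own code: every <AudienceRestriction> must be satisfied, one is satisfied when any of its <Audience> values matches the relying party's entity id, and the check is off by default (entity_id=None) as the issue proposes for BWC. The assertion, entity ids and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class AudienceRestrictionError(Exception):
    """Raised when the relying party is not among the assertion's permitted audiences."""


def check_audience_restriction(assertion_xml, entity_id=None, require_restriction=False):
    """Enforce SAML 2.0 <AudienceRestriction> for the relying party `entity_id`.

    entity_id=None disables the check (the BWC default from the issue).
    Otherwise, per SAML 2.0 core semantics, every <AudienceRestriction> must be
    satisfied (logical AND), and one is satisfied when any of its <Audience>
    values equals entity_id (logical OR). Comparison is exact string equality;
    no URI normalisation is attempted, so the configured id must match the
    value the IdP emits character for character.
    """
    if entity_id is None:
        return True
    root = ET.fromstring(assertion_xml)
    ns = {"saml2": SAML2_NS}
    restrictions = root.findall("saml2:Conditions/saml2:AudienceRestriction", ns)
    if not restrictions:
        if require_restriction:
            raise AudienceRestrictionError("assertion carries no AudienceRestriction")
        return True  # an unrestricted assertion is addressed to any relying party
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml2:Audience", ns) if a.text]
        if entity_id not in audiences:
            raise AudienceRestrictionError(
                f"{entity_id!r} is not among the permitted audiences {audiences}")
    return True


def is_accepted(assertion_xml, entity_id=None, require_restriction=False):
    """Boolean wrapper: True if accepted, False if the audience check rejects it."""
    try:
        return check_audience_restriction(assertion_xml, entity_id, require_restriction)
    except AudienceRestrictionError:
        return False


# Constructed sample assertion (not from the issue): two restrictions, both must be met.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_constructed" Version="2.0">
  <saml2:Issuer>https://idp.example.test</saml2:Issuer>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.test/soap</saml2:Audience>
      <saml2:Audience>https://sp-alt.example.test/soap</saml2:Audience>
    </saml2:AudienceRestriction>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.test/soap</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""
```

With the sample above, `is_accepted(SAMPLE_ASSERTION, "https://sp-alt.example.test/soap")` is False because the second restriction does not list that audience, even though the first does.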