[ https://issues.apache.org/jira/browse/CXF-5674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14281252#comment-14281252 ]
Yossi Cohen commented on CXF-5674:
----------------------------------

Good news! Thank you Colm.

On Fri, Jan 16, 2015 at 4:57 PM, Colm O hEigeartaigh (JIRA) <j...@apache.org

--
*Best Regards,*
*Yossi Cohen*
*(+972-52-5522694)*

> CXF Support in "Audience Restriction" of SAML 2 (SOAP)
> ------------------------------------------------------
>
>                 Key: CXF-5674
>                 URL: https://issues.apache.org/jira/browse/CXF-5674
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 3.0.0-milestone2, 2.7.10
>            Reporter: Yossi Cohen
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.0.4, 2.7.15
>
>   Original Estimate: 96h
>  Remaining Estimate: 96h
>
> The specification part related to "Audience Restriction" is implemented by
> CXF (opensaml) to verify syntax, but it does not enforce the specification's
> rule of rejecting tokens that do not include in their "Audience Restriction"
> list of URIs the URI of the target (this) service provider.
> It seems like a gap in open-saml (ValidatorSuite /
> saml2-core-spec-validator). The proposal is to provide the fix in CXF by
> registering a new validator to saml2-core-spec-validator that will handle
> "Audience Restriction". For BWC, by default, this whole thing should be
> disabled. The developer should be able to enable it via configuration and also
> set the entity-id (URI) representing the service provider URI.
> "Audience Restriction" as described in the SAML specification:
> "The <AudienceRestriction> element specifies that the assertion is addressed
> to one or more specific audiences identified by <Audience> elements. Although
> a SAML relying party that is outside the audiences specified is capable of
> drawing conclusions from an assertion, the SAML asserting party explicitly
> makes no representation as to accuracy or trustworthiness to such a party"
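The audience-restriction rule the issue asks CXF to enforce, shown as an added stand-alone example rather than CXF or OpenSAML code. It applies the SAML 2.0 core semantics (the <Audience> URIs inside one <AudienceRestriction> are an OR, multiple <AudienceRestriction> conditions are an AND), is disabled by default as the BWC proposal suggests, and takes the service-provider entity ID from configuration; the class name, the entity IDs and the assertion XML are all constructed for this example.

```python
# Added example, not CXF/OpenSAML code: the audience-restriction check the
# issue proposes, run against a constructed SAML 2.0 assertion.
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}


class AudienceRestrictionValidator:
    """Rejects an assertion unless every <AudienceRestriction> it carries names
    this service provider's entity ID among its <Audience> URIs. An assertion
    with no <AudienceRestriction> is unrestricted and passes this check.
    Disabled by default, mirroring the BWC proposal in the issue."""

    def __init__(self, sp_entity_id, enabled=False):
        self.sp_entity_id = sp_entity_id  # the configured SP entity-id (URI)
        self.enabled = enabled

    def validate(self, assertion_xml):
        if not self.enabled:
            return True  # BWC: the check is off until configured on
        # xml.etree is used for brevity; production code wants a hardened parser.
        root = ET.fromstring(assertion_xml)
        for restriction in root.findall("./saml2:Conditions/saml2:AudienceRestriction", NS):
            audiences = {(a.text or "").strip() for a in restriction.findall("saml2:Audience", NS)}
            if self.sp_entity_id not in audiences:
                return False  # this SP is outside the stated audience: reject the token
        return True


# Constructed sample assertion (not a real token) addressed to a different SP.
ASSERTION_FOR_OTHER_SP = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_c1"
    Version="2.0" IssueInstant="2015-01-16T14:57:00Z">
  <saml2:Issuer>https://idp.example.test</saml2:Issuer>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://other-sp.example.test/ws</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

if __name__ == "__main__":
    this_sp = "https://this-sp.example.test/ws"
    lenient = AudienceRestrictionValidator(this_sp)                # default: disabled
    strict = AudienceRestrictionValidator(this_sp, enabled=True)  # enabled via configuration
    print(lenient.validate(ASSERTION_FOR_OTHER_SP))  # True: the gap the issue describes
    print(strict.validate(ASSERTION_FOR_OTHER_SP))   # False: token not addressed to this SP
```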