Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-4484

Claims to SAML attribute encoding wrong

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.6.2
    • 2.5.6, 2.6.3, 2.7
    • Services
    • None
    • Unknown

    Description

      The ClaimsAttributeStatementProvider is responsible to transform the claims to a SAML attribute.

      SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML attribute. The AttributeName is a local name and the AttributeNamespace the namespace. Both values form a qualified name (uri).

      SAML 2.0 has only the Name attribute and a NameFormat whereas the latter says what kind of format the value is of the Name attribute like uri, basic, unspecified or custom.

      The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.

      SAML 2.0
      --------

      Now:
      <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
      </saml2:Attribute>

      Issue:

      Proposal:

      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
      </saml2:Attribute>

      You can configure which NameFormat should be used like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). Default stays for backwards compatibilty in 2.6 but would like to change the default to "unspecified" for 2.7.

      SAML 1.1
      --------

      Now:

      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
      </saml1:Attribute>
      <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
      </saml1:Attribute>

      Issue:

      Proposal:

      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
      </saml1:Attribute>
      <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
      <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
      </saml1:Attribute>

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            coheigea Colm O hEigeartaigh
            owulff Oliver Wulff
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment