Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-4484

Claims to SAML attribute encoding wrong

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.6.2
    • 2.5.6, 2.6.3, 2.7
    • Services
    • None
    • Unknown

    Description

      The ClaimsAttributeStatementProvider is responsible to transform the claims to a SAML attribute.

      SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML attribute. The AttributeName is a local name and the AttributeNamespace the namespace. Both values form a qualified name (uri).

      SAML 2.0 has only the Name attribute and a NameFormat whereas the latter says what kind of format the value is of the Name attribute like uri, basic, unspecified or custom.

      The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.

      SAML 2.0
      --------

      Now:
      <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
      </saml2:Attribute>

      Issue:

      Proposal:

      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
      </saml2:Attribute>

      You can configure which NameFormat should be used like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). Default stays for backwards compatibilty in 2.6 but would like to change the default to "unspecified" for 2.7.

      SAML 1.1
      --------

      Now:

      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
      </saml1:Attribute>
      <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
      </saml1:Attribute>

      Issue:

      Proposal:

      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
      </saml1:Attribute>
      <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
      <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
      </saml1:Attribute>

      Attachments

        1. cxf-4484.patch
          19 kB
          Colm O hEigeartaigh

        Issue Links

          Activity

            People

              coheigea Colm O hEigeartaigh
              owulff Oliver Wulff
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: