Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-4484

Claims to SAML attribute encoding wrong

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.2
    • Fix Version/s: 2.5.6, 2.6.3, 2.7
    • Component/s: Services
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      The ClaimsAttributeStatementProvider is responsible to transform the claims to a SAML attribute.

      SAML 1.1 provides an AttributeName and AttributeNamespace to name a SAML attribute. The AttributeName is a local name and the AttributeNamespace the namespace. Both values form a qualified name (uri).

      SAML 2.0 has only the Name attribute and a NameFormat whereas the latter says what kind of format the value is of the Name attribute like uri, basic, unspecified or custom.

      The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.

      SAML 2.0
      --------

      Now:
      <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
      </saml2:Attribute>

      Issue:

      Proposal:

      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
      </saml2:Attribute>

      You can configure which NameFormat should be used like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). Default stays for backwards compatibilty in 2.6 but would like to change the default to "unspecified" for 2.7.

      SAML 1.1
      --------

      Now:

      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
      </saml1:Attribute>
      <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
      </saml1:Attribute>

      Issue:

      Proposal:

      <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
      </saml1:Attribute>
      <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
      <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
      </saml1:Attribute>

        Attachments

        1. cxf-4484.patch
          19 kB
          Colm O hEigeartaigh

          Issue Links

            Activity

              People

              • Assignee:
                coheigea Colm O hEigeartaigh
                Reporter:
                owulff Oliver Wulff
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: