Description
The ClaimsAttributeStatementProvider is responsible for transforming claims into SAML attributes.
SAML 1.1 names an attribute with an AttributeName and an AttributeNamespace: the AttributeName is the local name and the AttributeNamespace is the namespace. Together they form a qualified name (a URI).
SAML 2.0 has only a Name attribute plus a NameFormat, where the NameFormat states what kind of value the Name is: uri, basic, unspecified or a custom format.
The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.
SAML 2.0
--------
Now:
<saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
</saml2:Attribute>
Issue:
- If the claim is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, the SAML attribute Name is a simple local name such as "givenname" instead of the fully qualified claim URI.
- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims; that value is the claims namespace, not a NameFormat.
Proposal:
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
</saml2:Attribute>
The NameFormat to use (uri or unspecified, for example) is configurable: Microsoft uses unspecified, Shibboleth uses uri. The default stays as it is in 2.6 for backwards compatibility, but I would like to change the default to "unspecified" for 2.7.
SAML 1.1
--------
Now:
<saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
</saml1:Attribute>
Issue:
- If the claim is not part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, the AttributeName is the fully qualified claim URI (which it shouldn't be) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
Proposal:
<saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
<saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
</saml1:Attribute>
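To make the two proposals above concrete, here is an added example (not code from Apache CXF) that encodes a claim URI as a SAML 1.1 attribute (namespace/local-name split) and as a SAML 2.0 attribute (full URI plus a configurable NameFormat), and flags the SAML 2.0 encoding the issue describes as wrong. It assumes every claim is a URI with at least one "/" after the scheme and rejects anything else rather than guessing a namespace.

```python
# Added example, not Apache CXF code: encode a claim URI as a SAML 1.1 or
# SAML 2.0 attribute following the proposal in this issue.
from xml.sax.saxutils import escape, quoteattr

IDENTITY_CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NAME_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def split_claim_uri(claim_uri):
    """Split a claim URI into (AttributeNamespace, AttributeName) at the last '/'.

    Assumption: a claim must be a URI with a '/' after the scheme; a bare local
    name such as "emailaddress" is rejected instead of being put under a default
    namespace, because the caller cannot know which namespace was meant.
    """
    ns, sep, local = claim_uri.rpartition("/")
    if not sep or not local or "://" not in ns:
        raise ValueError("claim is not a qualified URI: %r" % (claim_uri,))
    return ns, local


def is_qualified_claim(claim_uri):
    """True if the claim can be split into namespace and local name."""
    try:
        split_claim_uri(claim_uri)
        return True
    except ValueError:
        return False


def saml1_attribute(claim_uri, value):
    """SAML 1.1: AttributeNamespace carries the namespace, AttributeName the local part."""
    ns, local = split_claim_uri(claim_uri)
    return ('<saml1:Attribute AttributeName=%s AttributeNamespace=%s>'
            '<saml1:AttributeValue xsi:type="xs:string">%s</saml1:AttributeValue>'
            '</saml1:Attribute>' % (quoteattr(local), quoteattr(ns), escape(value)))


def saml2_attribute(claim_uri, value, name_format=NAME_FORMAT_UNSPECIFIED):
    """SAML 2.0: Name carries the whole claim URI; NameFormat is configurable."""
    split_claim_uri(claim_uri)  # validate only; SAML 2.0 keeps the full URI as Name
    return ('<saml2:Attribute Name=%s NameFormat=%s>'
            '<saml2:AttributeValue xsi:type="xs:string">%s</saml2:AttributeValue>'
            '</saml2:Attribute>' % (quoteattr(claim_uri), quoteattr(name_format), escape(value)))


def saml2_encoding_problems(name, name_format):
    """List the problems this issue describes for an existing SAML 2.0 attribute."""
    problems = []
    if name_format == IDENTITY_CLAIMS_NS:
        problems.append("NameFormat is the claims namespace, not a SAML 2.0 attrname-format")
    if not is_qualified_claim(name):
        problems.append("Name is a bare local name, not the fully qualified claim URI")
    return problems
```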
Issue Links
- is related to CXF-4560 Default JAX-RS SAML Claim NameFormat is incorrect (Closed)