Posted to issues@cxf.apache.org by "Oliver Wulff (JIRA)" <ji...@apache.org> on 2012/08/23 17:10:42 UTC

[jira] [Created] (CXF-4484) Claims to SAML attribute encoding wrong

Oliver Wulff created CXF-4484:
---------------------------------

             Summary: Claims to SAML attribute encoding wrong
                 Key: CXF-4484
                 URL: https://issues.apache.org/jira/browse/CXF-4484
             Project: CXF
          Issue Type: Bug
          Components: Services
    Affects Versions: 2.6.2
            Reporter: Oliver Wulff


The ClaimsAttributeStatementProvider is responsible for transforming the claims into SAML attributes.

SAML 1.1 provides an AttributeName and an AttributeNamespace to name a SAML attribute. The AttributeName is the local name and the AttributeNamespace the namespace. Together, both values form a qualified name (URI).

SAML 2.0 has only the Name attribute and a NameFormat, where the latter says what kind of format the value of the Name attribute has, like uri, basic, unspecified or custom.

The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.

SAML 2.0
--------

Now:
                     <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the name of the SAML attribute is a simple name like "givenname" instead of being fully qualified.
- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

You can configure which NameFormat should be used, like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). The default stays for backwards compatibility in 2.6, but I would like to change the default to "unspecified" for 2.7.

SAML 1.1
--------

Now:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

Issue:

- If the attribute is not part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, the AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">oliver.wulff@zurich.ch</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (CXF-4484) Claims to SAML attribute encoding wrong

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-4484:
-------------------------------------

    Fix Version/s: 2.7.0
                   2.6.3
                   2.5.6
    
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.5.6, 2.6.3, 2.7.0
>
>         Attachments: cxf-4484.patch
>


[jira] [Resolved] (CXF-4484) Claims to SAML attribute encoding wrong

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-4484.
--------------------------------------

    Resolution: Fixed


Note that 2.6.x and 2.5.x retain the old behaviour for backwards compatibility. It is necessary to explicitly plug the CorrectedClaimsAttributeStatementProvider into the SAMLTokenProvider to get the correct formatting.

Colm.
                
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.5.6, 2.6.3, 2.7.0
>
>         Attachments: cxf-4484.patch
>


[jira] [Updated] (CXF-4484) Claims to SAML attribute encoding wrong

Posted by "Oliver Wulff (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oliver Wulff updated CXF-4484:
------------------------------

    Description: 
The ClaimsAttributeStatementProvider is responsible for transforming the claims into SAML attributes.

SAML 1.1 provides an AttributeName and an AttributeNamespace to name a SAML attribute. The AttributeName is the local name and the AttributeNamespace the namespace. Together, both values form a qualified name (URI).

SAML 2.0 has only the Name attribute and a NameFormat, where the latter says what kind of format the value of the Name attribute has, like uri, basic, unspecified or custom.

The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.

SAML 2.0
--------

Now:
                     <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the name of the SAML attribute is a simple name like "givenname" instead of being fully qualified.
- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

You can configure which NameFormat should be used, like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). The default stays for backwards compatibility in 2.6, but I would like to change the default to "unspecified" for 2.7.

SAML 1.1
--------

Now:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

Issue:

- If the attribute is not part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, the AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>



  was:
The ClaimsAttributeStatementProvider is responsible for transforming the claims into SAML attributes.

SAML 1.1 provides an AttributeName and an AttributeNamespace to name a SAML attribute. The AttributeName is the local name and the AttributeNamespace the namespace. Together, both values form a qualified name (URI).

SAML 2.0 has only the Name attribute and a NameFormat, where the latter says what kind of format the value of the Name attribute has, like uri, basic, unspecified or custom.

The current encoding in the ClaimsAttributeStatementProvider is not aligned with the above.

SAML 2.0
--------

Now:
                     <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the name of the SAML attribute is a simple name like "givenname" instead of being fully qualified.
- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

You can configure which NameFormat should be used, like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). The default stays for backwards compatibility in 2.6, but I would like to change the default to "unspecified" for 2.7.

SAML 1.1
--------

Now:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

Issue:

- If the attribute is not part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, the AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">oliver.wulff@zurich.ch</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>



    
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>


        

[jira] [Assigned] (CXF-4484) Claims to SAML attribute encoding wrong

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned CXF-4484:
----------------------------------------

    Assignee: Colm O hEigeartaigh
    
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>         Attachments: cxf-4484.patch
>


[jira] [Updated] (CXF-4484) Claims to SAML attribute encoding wrong

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-4484:
-------------------------------------

    Attachment: cxf-4484.patch

Hi Oli,

Could you review the attached patch? It fixes all three issues on trunk. 

The "namespace" property of the "Claim" class now only applies to SAML 1.1 Assertions, and is null by default. If null then the namespace is extracted from the claimType URI. If non-null, then the claimType is normalized against it as before.

The Claim class now has a nameFormat property which is used for SAML 2.0 Assertions - the default is to use "unspecified".

For earlier branches I will just add the changed AttributeProvider to source so users can use that instead and @deprecate the other implementation.

Colm.
                
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>         Attachments: cxf-4484.patch

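Colm's description of the fix above, together with the encoding the ticket proposes, as an added Python example (this is not CXF's ClaimsAttributeStatementProvider and not the attached cxf-4484.patch). It assumes that the namespace of a claim URI is everything before its last "/", that "normalizing against" a configured namespace means stripping that namespace prefix (or accepting a bare local name), and, in line with Oli's follow-up comment, that nameFormat is a setting of the encoder rather than of the claim. The sample claims are the two from the ticket.

```python
# Added example, not CXF code: claim URI -> SAML 1.1 / SAML 2.0 attribute naming
# as proposed in CXF-4484. Assumptions are marked in the comments.
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# SAML 2.0 NameFormat URIs from the SAML 2.0 core specification.
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

for _prefix, _uri in (("saml1", SAML1_NS), ("saml2", SAML2_NS), ("xsi", XSI_NS)):
    ET.register_namespace(_prefix, _uri)


def split_claim(claim_type, namespace=None):
    """Split a claim type URI into (namespace, local name) for SAML 1.1.

    namespace is None (the default in the patch description): derive the
    namespace from the claim URI. Assumption: the split point is the last "/".
    namespace given: normalize the claim type against it. Assumption: that
    means stripping the namespace prefix, or accepting a bare local name.
    """
    if namespace is None:
        head, sep, local = claim_type.rpartition("/")
        if not sep or not head or not local:
            raise ValueError(f"cannot derive a namespace from claim type {claim_type!r}")
        return head, local
    ns = namespace.rstrip("/")
    if claim_type.startswith(ns + "/"):
        local = claim_type[len(ns) + 1:]
    elif "/" not in claim_type:
        local = claim_type
    else:
        raise ValueError(f"claim type {claim_type!r} is outside namespace {ns!r}")
    if not local:
        raise ValueError(f"claim type {claim_type!r} has no local name")
    return ns, local


def _add_values(attr, values, ns):
    """Append one xs:string AttributeValue per claim value."""
    for value in values:
        av = ET.SubElement(attr, f"{{{ns}}}AttributeValue",
                           {f"{{{XSI_NS}}}type": "xs:string"})
        av.text = value


def saml1_attribute(claim_type, values, namespace=None):
    """SAML 1.1: AttributeName is the local name, AttributeNamespace the namespace."""
    ns, local = split_claim(claim_type, namespace)
    attr = ET.Element(f"{{{SAML1_NS}}}Attribute",
                      {"AttributeName": local, "AttributeNamespace": ns, "xmlns:xs": XS_NS})
    _add_values(attr, values, SAML1_NS)
    return attr


def saml2_attribute(claim_type, values, name_format=NAMEFORMAT_UNSPECIFIED):
    """SAML 2.0: Name is the full claim URI. NameFormat is an encoder-level
    setting: unspecified by default, uri for Shibboleth-style consumers."""
    attr = ET.Element(f"{{{SAML2_NS}}}Attribute",
                      {"Name": claim_type, "NameFormat": name_format, "xmlns:xs": XS_NS})
    _add_values(attr, values, SAML2_NS)
    return attr


def qualified_name_saml1(attr):
    """What a relying party reconstructs from a SAML 1.1 attribute; used to
    check that the encoding round-trips to the original claim URI."""
    return attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")


def to_xml(attr):
    """Serialize an attribute element for inspection."""
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    claims = [  # constructed sample input: the two claims from the ticket
        ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", ["owulff@apache.org"]),
        ("http://schemas.mycompany.com/claims/language", ["de"]),
    ]
    for claim_type, values in claims:
        a1 = saml1_attribute(claim_type, values)
        assert qualified_name_saml1(a1) == claim_type
        print(to_xml(a1))
        print(to_xml(saml2_attribute(claim_type, values)))
```

The round-trip check in `qualified_name_saml1` is the practical test for the SAML 1.1 side: with the old encoding, a claim outside the xmlsoap namespace was emitted with its full URI as AttributeName under the xmlsoap AttributeNamespace, so a relying party that rebuilds namespace + "/" + name would not get the original claim URI back and would match the attribute against the wrong claim, or not at all.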

[jira] [Commented] (CXF-4484) Claims to SAML attribute encoding wrong

Posted by "Oliver Wulff (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13450676#comment-13450676 ] 

Oliver Wulff commented on CXF-4484:
-----------------------------------

Hi Colm

The nameFormat property is token specific and should be in ClaimsAttributeStatementProvider instead of the token agnostic Claim class.

Oli
                
> Claims to SAML attribute encoding wrong
> ---------------------------------------
>
>                 Key: CXF-4484
>                 URL: https://issues.apache.org/jira/browse/CXF-4484
>             Project: CXF
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 2.6.2
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.5.6, 2.6.3, 2.7.0
>
>         Attachments: cxf-4484.patch
