You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Pedro Alves (JIRA)" <ji...@apache.org> on 2018/11/14 12:39:00 UTC

[jira] [Created] (FEDIZ-233) spIdentifier configuration option

Pedro Alves created FEDIZ-233:
---------------------------------

             Summary: spIdentifier configuration option
                 Key: FEDIZ-233
                 URL: https://issues.apache.org/jira/browse/FEDIZ-233
             Project: CXF-Fediz
          Issue Type: Improvement
            Reporter: Pedro Alves


In org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator#validateAudienceRestrictionCondition the spIdentifier is expected to match one of the URI's in audienceRestrictions. But this spIdentifier is in fact set to the RequestState.issuerId (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#validateSamlSSOResponse), which has been set to the realm (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#createSignInRequest line 428).

In our particular use case, we are not using a URI to identify the realm (but rather an identifier representing a domain in our system), causing this validation to fail.

One possible solution would be to introduce a new SAML SSO optional parameter in fediz config for the spIdentifier (with the realm being taken as default value). Another possible solution I see, would be to use the assertion consumer url as the issuerId instead of the realm.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)