Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/11/14 14:25:00 UTC

[jira] [Assigned] (FEDIZ-233) spIdentifier configuration option

     [ https://issues.apache.org/jira/browse/FEDIZ-233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned FEDIZ-233:
-----------------------------------------

    Assignee: Colm O hEigeartaigh

> spIdentifier configuration option
> ---------------------------------
>
>                 Key: FEDIZ-233
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-233
>             Project: CXF-Fediz
>          Issue Type: Improvement
>            Reporter: Pedro Alves
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> In org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator#validateAudienceRestrictionCondition the spIdentifier is expected to match one of the URIs in audienceRestrictions. But this spIdentifier is in fact set to the RequestState.issuerId (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#validateSamlSSOResponse), which has been set to the realm (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#createSignInRequest line 428).
> In our particular use case, we are not using a URI to identify the realm (but rather an identifier representing a domain in our system), causing this validation to fail.
> One possible solution would be to introduce a new SAML SSO optional parameter in fediz config for the spIdentifier (with the realm being taken as default value). Another possible solution I see, would be to use the assertion consumer url as the issuerId instead of the realm.
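The check the report describes, worked through as an added example in Python (this is not Fediz code, which is Java, and it does not reproduce SAMLSSOResponseValidator). It shows why a non-URI realm fails against an IdP that puts the SP's assertion consumer URL into <Audience>, and how the first proposed fix, an optional spIdentifier setting that defaults to the realm, resolves it. The config dictionary keys ("realm", "spIdentifier"), the make_assertion builder and the sample assertion are constructed for the example and are not Fediz's configuration or real IdP output. The example goes slightly beyond the issue text in one respect: where an assertion carries several AudienceRestriction elements, it requires the SP identifier to appear in each of them, which is what the SAML 2.0 core specification demands, and it rejects an assertion with no AudienceRestriction at all, since the Web Browser SSO profile requires one.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}


def make_assertion(audience_groups: list[list[str]]) -> str:
    """Build a constructed (unsigned, minimal) SAML 2.0 Assertion for the demo.

    Each inner list becomes one <AudienceRestriction> holding those <Audience>
    values. This is test scaffolding, not something a real IdP emits.
    """
    restrictions = "".join(
        "<saml2:AudienceRestriction>"
        + "".join(f"<saml2:Audience>{a}</saml2:Audience>" for a in group)
        + "</saml2:AudienceRestriction>"
        for group in audience_groups
    )
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_example" Version="2.0" '
        f'IssueInstant="2018-11-14T14:25:00Z">'
        f"<saml2:Issuer>https://idp.example.org/metadata</saml2:Issuer>"
        f"<saml2:Conditions>{restrictions}</saml2:Conditions>"
        f"</saml2:Assertion>"
    )


# Constructed sample: the IdP has been configured with the SP's assertion
# consumer URL as the audience, which is the common arrangement.
SAMPLE_ASSERTION = make_assertion([["https://sp.example.com/fediz"]])


def validate_audience_restriction(assertion_xml: str, sp_identifier: str) -> bool:
    """Return True only if every AudienceRestriction names sp_identifier.

    Comparison is an exact, case-sensitive string match, as SAML requires for
    audience URIs; no normalisation of trailing slashes or case is attempted,
    so a misconfigured identifier fails loudly instead of matching by accident.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall("saml2:Conditions/saml2:AudienceRestriction", NS)
    if not restrictions:
        # Web Browser SSO requires an AudienceRestriction; treat absence as failure.
        return False
    for restriction in restrictions:
        audiences = {(a.text or "").strip() for a in restriction.findall("saml2:Audience", NS)}
        if sp_identifier not in audiences:
            return False
    return True


def resolve_sp_identifier(config: dict) -> str:
    """Hypothetical config lookup: use 'spIdentifier' if set, else fall back to 'realm'.

    This mirrors the issue's first proposal (an optional spIdentifier with the
    realm as default); the key names are assumptions for this example only.
    """
    return config.get("spIdentifier") or config["realm"]


def check_with_config(config: dict, assertion_xml: str = SAMPLE_ASSERTION) -> bool:
    """Run the audience check using whatever identifier the config resolves to."""
    return validate_audience_restriction(assertion_xml, resolve_sp_identifier(config))


# The reporter's situation: the realm is a plain domain identifier, not a URI.
CONFIG_REALM_ONLY = {"realm": "example-domain"}
# The proposed fix: an explicit spIdentifier matching what the IdP puts in <Audience>.
CONFIG_WITH_SP_ID = {"realm": "example-domain", "spIdentifier": "https://sp.example.com/fediz"}

if __name__ == "__main__":
    print("realm only   :", check_with_config(CONFIG_REALM_ONLY))
    print("spIdentifier :", check_with_config(CONFIG_WITH_SP_ID))
```

When running this against a real deployment, the value to put in spIdentifier is whatever the IdP has registered as the SP's entityID, which is also what a real IdP would place in <Audience>; the trailing-slash and multiple-restriction cases below are the ones that most often bite in practice.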



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)