You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cxf.apache.org by Oliver Wulff <ow...@talend.com> on 2012/08/22 14:22:23 UTC
SAML 2.0 attibutes and claims naming convention
Hi there
I came across an issue in processing the claims encoded within a SAML 1.1 and 2.0 attribute statement. Right now, the ClaimsAttributeStatementProvider creates the name of an attribute like this:
SAML 2.0
Current example:
<saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
</saml2:Attribute>
Issue:
- If attibute is part of http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name of the SAML attribute is simple like "givenname" instead of fully qualified.
- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
Proposal:
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xsi:type="xs:string">owulff@apache.org</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
</saml2:Attribute>
I'd like to change this as the attribute name should always be fully qualified and the nameformat should be used for another purposes instead of http://schemas.xmlsoap.org/ws/2005/05/identity/claims
Here an example how ADFS does it:
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
SAML 1.1
Current example:
<saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml1:AttributeValue xsi:type="xs:string">owulff@apache.org</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
</saml1:Attribute>
Issue:
- If attribute is not part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims the AttributeName is fully qualified (which it shouldn't) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
Proposal:
<saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml1:AttributeValue xsi:type="xs:string">oliver.wulff@zurich.ch</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
<saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
</saml1:Attribute>
The book "Windows Identity Foundation" describes it in the same way as proposed (p66):
SAML 1.1
AttributeName = <local name> (firstname)
AttributeNamespace = http://schemas.../claims<UrlBlockedError.aspx>
If you are fine with this, I'll create JIRA and make the following modifications to the ClaimsAttributeStatementProvider:
You can configure which NameFormat should be used like uri or unspecified (Microsoft uses unspecified, Shibboleth uri). Default stays for backwards compatibilty in 2.6 but would like to change the default to "unspecified" for 2.7.
I've also discovered something in WSS4J in the SAML1ComponentBuilder which confused me a lot:
@SuppressWarnings("unchecked")
public static Attribute createSamlv1Attribute(
String attributeName,
String attributeUrn,
List<?> values
) {
if (attributeV1Builder == null) {
attributeV1Builder = (SAMLObjectBuilder<Attribute>)
builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
}
if (stringBuilder == null) {
stringBuilder = (XSStringBuilder)builderFactory.getBuilder(XSString.TYPE_NAME);
}
Attribute attribute = attributeV1Builder.buildObject();
attribute.setAttributeName(attributeName);
attribute.setAttributeNamespace(attributeUrn);
@SuppressWarnings("unchecked")
public static List<AttributeStatement> createSamlv1AttributeStatement(
List<AttributeStatementBean> attributeData
)
Attribute samlAttribute =
createSamlv1Attribute(
values.getSimpleName(),
values.getQualifiedName(),
attributeValues
);
Let me know your thoughts...
Thanks
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/>
Solution Architect
http://coders.talend.com
<http://coders.talend.com>Talend Application Integration Division http://www.talend.com
RE: SAML 2.0 attibutes and claims naming convention
Posted by Oliver Wulff <ow...@talend.com>.
I'm confused about the mapping of the qualified attribute name to the attribute namespace for SAML 1.1.
I set the qualified name in Attribute Bean of WSS4J and the simple name (local name).
Attribute samlAttribute =
createSamlv1Attribute(
values.getSimpleName(),
values.getQualifiedName(),
attributeValues
);
but this maps to
Attribute attribute = attributeV1Builder.buildObject();
attribute.setAttributeName(attributeName);
attribute.setAttributeNamespace(attributeUrn);
where attributeUrn contains the value of values.getQualifiedName().
IMHO, the namespace of the qualified name must be parsed.
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
________________________________________
From: Colm O hEigeartaigh [coheigea@apache.org]
Sent: 23 August 2012 12:08
To: dev@cxf.apache.org
Subject: Re: SAML 2.0 attibutes and claims naming convention
> If you are fine with this, I'll create JIRA and make the following
modifications to the ClaimsAttributeStatementProver
Fine with me.
> I've also discovered something in WSS4J in the SAML1ComponentBuilder
which confused me a lot:
What are you confused about exactly? Mapping the AttributeBean simpleName -
> Name and qualified Name -> attribute Name? This is as a consequence of
having the same Bean for creating both SAML 1.1 and SAML 2.0 assertions.
Colm.
>
On Wed, Aug 22, 2012 at 1:22 PM, Oliver Wulff <ow...@talend.com> wrote:
> Hi there
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like this:
>
> SAML 2.0
>
> Current example:
>
> <saml2:Attribute Name="emailaddress" NameFormat="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue xsi:type="xs:string">
> owulff@apache.org</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="
> http://schemas.mycompany.com/claims/language" NameFormat="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> Issue:
>
> - If attibute is part of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the
> name of the SAML attribute is simple like "givenname" instead of fully
> qualified.
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
> <saml2:Attribute Name="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue xsi:type="xs:string">
> owulff@apache.org</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="
> http://schemas.mycompany.com/claims/language"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully
> qualified and the nameformat should be used for another purposes instead of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here an example how ADFS does it:
>
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
> <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims
> ">
> <saml1:AttributeValue xsi:type="xs:string">
> owulff@apache.org</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="
> http://schemas.mycompany.com/claims/language" AttributeNamespace="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> Issue:
>
> - If attribute is not part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims the AttributeName
> is fully qualified (which it shouldn't) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
> <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims
> ">
> <saml1:AttributeValue xsi:type="xs:string">
> oliver.wulff@zurich.ch</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="language"
> AttributeNamespace="http://schemas.mycompany.com/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> The book "Windows Identity Foundation" describes it in the same way as
> proposed (p66):
> SAML 1.1
> AttributeName = <local name> (firstname)
> AttributeNamespace = http://schemas.../claims<UrlBlockedError.aspx>
>
>
> If you are fine with this, I'll create JIRA and make the following
> modifications to the ClaimsAttributeStatementProvider:
> You can configure which NameFormat should be used like uri or unspecified
> (Microsoft uses unspecified, Shibboleth uri). Default stays for backwards
> compatibilty in 2.6 but would like to change the default to "unspecified"
> for 2.7.
>
>
>
>
> I've also discovered something in WSS4J in the SAML1ComponentBuilder which
> confused me a lot:
>
>
> @SuppressWarnings("unchecked")
> public static Attribute createSamlv1Attribute(
> String attributeName,
> String attributeUrn,
> List<?> values
> ) {
> if (attributeV1Builder == null) {
> attributeV1Builder = (SAMLObjectBuilder<Attribute>)
> builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
> }
> if (stringBuilder == null) {
> stringBuilder =
> (XSStringBuilder)builderFactory.getBuilder(XSString.TYPE_NAME);
> }
>
> Attribute attribute = attributeV1Builder.buildObject();
> attribute.setAttributeName(attributeName);
> attribute.setAttributeNamespace(attributeUrn);
>
>
>
> @SuppressWarnings("unchecked")
> public static List<AttributeStatement> createSamlv1AttributeStatement(
> List<AttributeStatementBean> attributeData
> )
>
>
> Attribute samlAttribute =
> createSamlv1Attribute(
> values.getSimpleName(),
> values.getQualifiedName(),
> attributeValues
> );
>
>
> Let me know your thoughts...
>
> Thanks
> Oli
>
>
>
>
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/>
> Solution Architect
> http://coders.talend.com
>
> <http://coders.talend.com>Talend Application Integration Division
> http://www.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: SAML 2.0 attibutes and claims naming convention
Posted by Colm O hEigeartaigh <co...@apache.org>.
> If you are fine with this, I'll create JIRA and make the following
modifications to the ClaimsAttributeStatementProver
Fine with me.
> I've also discovered something in WSS4J in the SAML1ComponentBuilder
which confused me a lot:
What are you confused about exactly? Mapping the AttributeBean simpleName -
> Name and qualified Name -> attribute Name? This is as a consequence of
having the same Bean for creating both SAML 1.1 and SAML 2.0 assertions.
Colm.
>
On Wed, Aug 22, 2012 at 1:22 PM, Oliver Wulff <ow...@talend.com> wrote:
> Hi there
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like this:
>
> SAML 2.0
>
> Current example:
>
> <saml2:Attribute Name="emailaddress" NameFormat="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue xsi:type="xs:string">
> owulff@apache.org</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="
> http://schemas.mycompany.com/claims/language" NameFormat="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> Issue:
>
> - If attibute is part of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the
> name of the SAML attribute is simple like "givenname" instead of fully
> qualified.
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
> <saml2:Attribute Name="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue xsi:type="xs:string">
> owulff@apache.org</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="
> http://schemas.mycompany.com/claims/language"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully
> qualified and the nameformat should be used for another purposes instead of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here an example how ADFS does it:
>
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
> <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims
> ">
> <saml1:AttributeValue xsi:type="xs:string">
> owulff@apache.org</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="
> http://schemas.mycompany.com/claims/language" AttributeNamespace="
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> Issue:
>
> - If attribute is not part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims the AttributeName
> is fully qualified (which it shouldn't) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Proposal:
>
> <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims
> ">
> <saml1:AttributeValue xsi:type="xs:string">
> oliver.wulff@zurich.ch</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="language"
> AttributeNamespace="http://schemas.mycompany.com/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> The book "Windows Identity Foundation" describes it in the same way as
> proposed (p66):
> SAML 1.1
> AttributeName = <local name> (firstname)
> AttributeNamespace = http://schemas.../claims<UrlBlockedError.aspx>
>
>
> If you are fine with this, I'll create JIRA and make the following
> modifications to the ClaimsAttributeStatementProvider:
> You can configure which NameFormat should be used like uri or unspecified
> (Microsoft uses unspecified, Shibboleth uri). Default stays for backwards
> compatibilty in 2.6 but would like to change the default to "unspecified"
> for 2.7.
>
>
>
>
> I've also discovered something in WSS4J in the SAML1ComponentBuilder which
> confused me a lot:
>
>
> @SuppressWarnings("unchecked")
> public static Attribute createSamlv1Attribute(
> String attributeName,
> String attributeUrn,
> List<?> values
> ) {
> if (attributeV1Builder == null) {
> attributeV1Builder = (SAMLObjectBuilder<Attribute>)
> builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
> }
> if (stringBuilder == null) {
> stringBuilder =
> (XSStringBuilder)builderFactory.getBuilder(XSString.TYPE_NAME);
> }
>
> Attribute attribute = attributeV1Builder.buildObject();
> attribute.setAttributeName(attributeName);
> attribute.setAttributeNamespace(attributeUrn);
>
>
>
> @SuppressWarnings("unchecked")
> public static List<AttributeStatement> createSamlv1AttributeStatement(
> List<AttributeStatementBean> attributeData
> )
>
>
> Attribute samlAttribute =
> createSamlv1Attribute(
> values.getSimpleName(),
> values.getQualifiedName(),
> attributeValues
> );
>
>
> Let me know your thoughts...
>
> Thanks
> Oli
>
>
>
>
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/>
> Solution Architect
> http://coders.talend.com
>
> <http://coders.talend.com>Talend Application Integration Division
> http://www.talend.com
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
RE: SAML 2.0 attibutes and claims naming convention
Posted by Oliver Wulff <ow...@talend.com>.
Hi Glen
Thanks for the feedback...
>>>
OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:
<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="EmailAddress">
>>>
The basic format is just a "simple" name and not a URI as in the case of the ClaimsAttributeStatementProvider. Therefore, the option are only "uri" or "unspecified". I've proposed unspecified because ADFS uses it as a default and TFIM did only support unspecified.
>>>
Question: i'm confused here. Why can't/shouldn't the attribute name be
fully qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?
If this is kosher:
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
why isn't this?
<saml2:Attribute
Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"
>>>
That's absolutely fine for SAML 2. But the proposal was for SAML 1.1 which doesn't have a NameFormat attribute. Instead, they have only AttributeName and AttributeNamespace.
Thanks
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
________________________________________
From: Glen Mazza [glen.mazza@gmail.com]
Sent: 22 August 2012 18:21
To: dev@cxf.apache.org
Subject: Re: SAML 2.0 attibutes and claims naming convention
Hi Oli, comments below:
Oliver Wulff-2 wrote
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like
> this:
>
> SAML 2.0
>
> Current example:
>
> <saml2:Attribute Name="emailaddress"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> Issue:
>
> - If attibute is part of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name
> of the SAML attribute is simple like "givenname" instead of fully
> qualified.
>
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:
<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="EmailAddress">
> Proposal:
>
> <saml2:Attribute
> Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully
> qualified and the nameformat should be used for another purposes instead
> of http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here an example how ADFS does it:
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
> <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">owulff@</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
> AttributeName="http://schemas.mycompany.com/claims/language"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> Issue:
>
> - If attribute is not part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims the AttributeName is
> fully qualified (which it shouldn't) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
Question: i'm confused here. Why can't/shouldn't the attribute name be
fully qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?
If this is kosher:
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
why isn't this?
<saml2:Attribute
Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"
For example, this article:
http://answers.flyppdevportal.com/categories/azure/azuresecurity.aspx?ID=4f3eeb5f-44ba-4873-91ff-27b3c3bc50fe
has an example using fully quailfied Names with the
"http://schemas.microsoft.com/ws/2008/06/identity/claims"
non-standard namespace:
<Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Primary SID"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Windows account name"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
Thanks,
Glen
--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-2-0-attibutes-and-claims-naming-convention-tp5712967p5712998.html
Sent from the cxf-dev mailing list archive at Nabble.com.
Re: SAML 2.0 attibutes and claims naming convention
Posted by Glen Mazza <gl...@gmail.com>.
Hi Oli, comments below:
Oliver Wulff-2 wrote
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like
> this:
>
> SAML 2.0
>
> Current example:
>
> <saml2:Attribute Name="emailaddress"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> Issue:
>
> - If attibute is part of
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name
> of the SAML attribute is simple like "givenname" instead of fully
> qualified.
>
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:
<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="EmailAddress">
> Proposal:
>
> <saml2:Attribute
> Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue
> xsi:type="xs:string">owulff@</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute
> Name="http://schemas.mycompany.com/claims/language"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
> <saml2:AttributeValue
> xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully
> qualified and the nameformat should be used for another purposes instead
> of http://schemas.xmlsoap.org/ws/2005/05/identity/claims
>
> Here an example how ADFS does it:
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
> <saml1:Attribute AttributeName="emailaddress"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">owulff@</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
> AttributeName="http://schemas.mycompany.com/claims/language"
> AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml1:AttributeValue
> xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> Issue:
>
> - If attribute is not part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims the AttributeName is
> fully qualified (which it shouldn't) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
Question: i'm confused here. Why can't/shouldn't the attribute name be
fully qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?
If this is kosher:
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
why isn't this?
<saml2:Attribute
Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"
For example, this article:
http://answers.flyppdevportal.com/categories/azure/azuresecurity.aspx?ID=4f3eeb5f-44ba-4873-91ff-27b3c3bc50fe
has an example using fully quailfied Names with the
"http://schemas.microsoft.com/ws/2008/06/identity/claims"
non-standard namespace:
<Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Primary SID"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FriendlyName="Windows account name"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
Thanks,
Glen
--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-2-0-attibutes-and-claims-naming-convention-tp5712967p5712998.html
Sent from the cxf-dev mailing list archive at Nabble.com.