Hi guys


I'd like to look into the following JIRA:

https://issues.apache.org/jira/browse/CXF-3522



The CXF service provider gets a SAML token which contains an AttributeStatement 
with claims information. One claim can be the roles.



An initial fix (maybe I create a separate JIRA) shall only look for the claim 
which provides the role information, so that we can instantiate the SecurityContext 
and provide the role information.



I'd like to discuss one open point with respect to how to represent several roles 
in a SAML token. Right now, the CXF STS separates them by using a semicolon.



I've verified what Microsoft is doing in this regard and found the following:

http://blogs.msdn.com/b/sameersurve/archive/2012/01/19/how-sharepoint-2010-handles-multi-valued-claims.aspx



I'd go with the same approach to support the following two:



<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
  <saml:AttributeValue>Value1</saml:AttributeValue>
  <saml:AttributeValue>Value2</saml:AttributeValue>
</saml:Attribute>



<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
  <saml:AttributeValue>Value1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
  <saml:AttributeValue>Value2</saml:AttributeValue>
</saml:Attribute>





but for backwards compatibility also support separating the values with a 
separator like ";".



I'd add two properties for an endpoint to tell the URI of the attribute which 
provides the role information (with some default) and optionally the separator. 
I'll add this functionality to the STS as well.



The STS will then allow configuring how multi-value claims are encoded: 
"MULTI_VALUE", "MULTI_CLAIM" or "SEPARATOR".



Thoughts?



Oli



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division 
http://www.talend.com

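The three encodings from the mail (MULTI_VALUE, MULTI_CLAIM, SEPARATOR), worked through as an added example in Python; this is illustration code, not CXF or STS code. `extract_roles` plays the service-provider side and takes the two proposed endpoint properties as parameters (the attribute's namespace/name and an optional separator); `encode_roles` plays the STS side with the encoding switch. The defaults `groups` and `http://schemas.xmlsoap.org/claims` are lifted from the sample attributes above and are only an assumption about what the real defaults would be, and the sample statements are constructed for the example.

```python
"""Role extraction and encoding for a SAML 1.x AttributeStatement under the
three multi-value encodings discussed on the list.  Added illustration, not
CXF/STS code; the defaults below are assumptions standing in for the proposed
endpoint and STS properties."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"  # assumed default role-claim namespace
ROLE_ATTR = "groups"                             # assumed default role-claim name

ET.register_namespace("saml", SAML1_NS)


def _tag(local):
    return "{%s}%s" % (SAML1_NS, local)


def extract_roles(statement_xml, attr_name=ROLE_ATTR, attr_ns=CLAIMS_NS,
                  separator=None):
    """Return the roles carried by the configured attribute, in document order.

    Both AttributeNamespace and AttributeName must match: matching on the name
    alone would let a same-named attribute from another namespace be read as
    roles.  With a separator configured, every AttributeValue is also split on
    it, so one consumer setting accepts all three encodings (a value without
    the separator just splits into itself).
    """
    root = ET.fromstring(statement_xml)
    roles = []
    for attr in root.iter(_tag("Attribute")):
        if (attr.get("AttributeName") != attr_name
                or attr.get("AttributeNamespace") != attr_ns):
            continue
        for value in attr.findall(_tag("AttributeValue")):
            text = value.text or ""
            parts = text.split(separator) if separator else [text]
            for part in parts:
                part = part.strip()
                if part and part not in roles:   # drop empties and duplicates
                    roles.append(part)
    return roles


def encode_roles(roles, mode, attr_name=ROLE_ATTR, attr_ns=CLAIMS_NS,
                 separator=";"):
    """Build an AttributeStatement carrying the roles in the given STS mode."""
    stmt = ET.Element(_tag("AttributeStatement"))

    def new_attribute():
        attr = ET.SubElement(stmt, _tag("Attribute"))
        attr.set("AttributeNamespace", attr_ns)
        attr.set("AttributeName", attr_name)
        return attr

    def add_value(attr, text):
        ET.SubElement(attr, _tag("AttributeValue")).text = text

    if not roles:
        return stmt                     # never emit an Attribute without a value
    if mode == "MULTI_VALUE":
        attr = new_attribute()
        for role in roles:
            add_value(attr, role)
    elif mode == "MULTI_CLAIM":
        for role in roles:
            add_value(new_attribute(), role)
    elif mode == "SEPARATOR":
        # A role containing the separator cannot round-trip; refuse rather than
        # emit a token the consumer would split into different roles.
        if any(separator in role for role in roles):
            raise ValueError("role contains separator %r; use MULTI_VALUE or "
                             "MULTI_CLAIM" % separator)
        add_value(new_attribute(), separator.join(roles))
    else:
        raise ValueError("unknown encoding mode: %s" % mode)
    return stmt


def to_xml(element):
    return ET.tostring(element, encoding="unicode")


# Constructed samples: the two layouts from the mail, the legacy separator form,
# and a same-named attribute in an unrelated namespace that must be ignored.
_HEAD = '<saml:AttributeStatement xmlns:saml="%s">' % SAML1_NS
_ATTR = '<saml:Attribute AttributeNamespace="%s" AttributeName="groups">'
SAMPLE_MULTI_VALUE = (_HEAD + _ATTR % CLAIMS_NS
                      + "<saml:AttributeValue>Value1</saml:AttributeValue>"
                      + "<saml:AttributeValue>Value2</saml:AttributeValue>"
                      + "</saml:Attribute></saml:AttributeStatement>")
SAMPLE_MULTI_CLAIM = (_HEAD + _ATTR % CLAIMS_NS
                      + "<saml:AttributeValue>Value1</saml:AttributeValue></saml:Attribute>"
                      + _ATTR % CLAIMS_NS
                      + "<saml:AttributeValue>Value2</saml:AttributeValue></saml:Attribute>"
                      + "</saml:AttributeStatement>")
SAMPLE_SEPARATOR = (_HEAD + _ATTR % CLAIMS_NS
                    + "<saml:AttributeValue>Value1;Value2</saml:AttributeValue>"
                    + "</saml:Attribute></saml:AttributeStatement>")
SAMPLE_OTHER_NS = (_HEAD + _ATTR % "http://example.invalid/claims"
                   + "<saml:AttributeValue>admin</saml:AttributeValue>"
                   + "</saml:Attribute></saml:AttributeStatement>")

if __name__ == "__main__":
    for name, xml in (("MULTI_VALUE", SAMPLE_MULTI_VALUE), ("MULTI_CLAIM", SAMPLE_MULTI_CLAIM),
                      ("SEPARATOR", SAMPLE_SEPARATOR), ("OTHER_NS", SAMPLE_OTHER_NS)):
        print(name, extract_roles(xml, separator=";"))
```

Two things worth noting from running it: a consumer configured with the separator parses all three encodings identically, which is what makes the backwards-compatible setting cheap to keep, and the price of SEPARATOR mode is that a role name containing ";" cannot be carried at all, which is why the encoder refuses it instead of emitting an ambiguous value. The namespace check matters too; the STS signs the assertion, but a consumer that keys on AttributeName alone would happily read a "groups" attribute issued under some other claim namespace as roles. In a real deployment this extraction runs only after the WS-Security layer has verified the assertion's signature.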