Hi Oli, comments below:
Oliver Wulff-2 wrote:
>
> I came across an issue in processing the claims encoded within a SAML 1.1
> and 2.0 attribute statement. Right now, the
> ClaimsAttributeStatementProvider creates the name of an attribute like
> this:
>
> SAML 2.0
>
> Current example:
>
> <saml2:Attribute Name="emailaddress"
>   NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml2:AttributeValue xsi:type="xs:string">owulff@</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>   NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> Issue:
>
> - If the attribute is part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema then the name
> of the SAML attribute is simply "givenname" instead of fully
> qualified.
>
> - The NameFormat should not be
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>

OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EmailAddress">

> Proposal:
>
> <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>   <saml2:AttributeValue xsi:type="xs:string">owulff@</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute Name="http://schemas.mycompany.com/claims/language"
>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>   <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
> </saml2:Attribute>
>
> I'd like to change this as the attribute name should always be fully
> qualified and the NameFormat should be used for other purposes instead
> of http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>
> Here is an example of how ADFS does it:
> http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
>
>
> SAML 1.1
>
> Current example:
>
> <saml1:Attribute AttributeName="emailaddress"
>   AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml1:AttributeValue xsi:type="xs:string">owulff@</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language"
>   AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
>   <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
> </saml1:Attribute>
>
> Issue:
>
> - If the attribute is not part of the
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, the AttributeName is
> fully qualified (which it shouldn't be) and the AttributeNamespace is again
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
>

Question: I'm confused here. Why can't/shouldn't the attribute name be fully
qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace? If this is
kosher:

<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

why isn't this?

<saml2:Attribute Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"

For example, this article:
http://answers.flyppdevportal.com/categories/azure/azuresecurity.aspx?ID=4f3eeb5f-44ba-4873-91ff-27b3c3bc50fe
has an example using fully qualified Names with the
"http://schemas.microsoft.com/ws/2008/06/identity/claims" non-standard
namespace:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  FriendlyName="Primary SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  FriendlyName="Windows account name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>

Thanks,
Glen

--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-2-0-attibutes-and-claims-naming-convention-tp5712967p5712998.html
Sent from the cxf-dev mailing list archive at Nabble.com.
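The naming convention under discussion, as an added example that is not part of this thread and not CXF's own ClaimsAttributeStatementProvider code. It builds SAML 2.0 and SAML 1.1 Attribute elements from a fully qualified claim URI following Oliver's proposal (Name is the full URI, NameFormat is the SAML 2.0 "unspecified" URI), and shows the relying-party side check that rejects the identity/claims URI when it is misused as a NameFormat. Splitting a claim URI into namespace and local name at its last "/" for the SAML 1.1 AttributeNamespace/AttributeName pair is this example's assumption, as are the claim values used as sample input.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace URIs from the SAML 1.1 / 2.0 assertion schemas and XML Schema.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# The attrname-format values defined by SAML 2.0 Core; anything else is rejected.
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
KNOWN_NAMEFORMATS = {NAMEFORMAT_UNSPECIFIED, NAMEFORMAT_URI, NAMEFORMAT_BASIC}

for _prefix, _uri in (("saml2", SAML2_NS), ("saml1", SAML1_NS), ("xsi", XSI_NS), ("xs", XS_NS)):
    ET.register_namespace(_prefix, _uri)


def split_claim_uri(claim_uri):
    """Split a fully qualified claim URI into (namespace, local name) at its last '/'.

    Raises ValueError for anything that is not an absolute http(s) URI with a
    non-empty final path segment, so a bare "emailaddress" is rejected.
    (The split rule is this example's assumption, not a SAML requirement.)
    """
    if not claim_uri:
        raise ValueError("claim name is missing")
    parts = urlsplit(claim_uri)
    namespace, sep, local = claim_uri.rpartition("/")
    if (parts.scheme not in ("http", "https") or not parts.netloc
            or not parts.path.strip("/") or not sep or not local):
        raise ValueError("claim name is not a fully qualified URI: %r" % claim_uri)
    return namespace, local


def _typed_value(parent, ns, value):
    # AttributeValue carries xsi:type="xs:string"; QName makes ET declare xmlns:xs.
    val = ET.SubElement(parent, "{%s}AttributeValue" % ns)
    val.set("{%s}type" % XSI_NS, ET.QName(XS_NS, "string"))
    val.text = value
    return val


def saml2_attribute(claim_uri, value):
    """Proposed SAML 2.0 form: Name is the full claim URI, NameFormat is 'unspecified'."""
    split_claim_uri(claim_uri)  # refuse to emit a short, unqualified name
    attr = ET.Element("{%s}Attribute" % SAML2_NS)
    attr.set("Name", claim_uri)
    attr.set("NameFormat", NAMEFORMAT_UNSPECIFIED)
    _typed_value(attr, SAML2_NS, value)
    return ET.tostring(attr, encoding="unicode")


def saml1_attribute(claim_uri, value):
    """SAML 1.1 form: AttributeNamespace holds the claim namespace, AttributeName the local part."""
    namespace, local = split_claim_uri(claim_uri)
    attr = ET.Element("{%s}Attribute" % SAML1_NS)
    attr.set("AttributeName", local)
    attr.set("AttributeNamespace", namespace)
    _typed_value(attr, SAML1_NS, value)
    return ET.tostring(attr, encoding="unicode")


def check_saml2_attribute(xml_text):
    """Relying-party check of a received saml2:Attribute.

    Returns (name, name_format, values). Rejects a NameFormat outside the SAML 2.0
    attrname-format set (so the identity/claims URI used as NameFormat fails) and,
    unless the format is 'basic' (where names like "EmailAddress" are legitimate),
    a Name that is not a fully qualified URI.
    """
    elem = ET.fromstring(xml_text)
    if elem.tag != "{%s}Attribute" % SAML2_NS:
        raise ValueError("not a saml2:Attribute element")
    name = elem.get("Name")
    # SAML 2.0 Core: an absent NameFormat means 'unspecified'.
    name_format = elem.get("NameFormat", NAMEFORMAT_UNSPECIFIED)
    if name_format not in KNOWN_NAMEFORMATS:
        raise ValueError("unknown NameFormat: %r" % name_format)
    if name_format != NAMEFORMAT_BASIC:
        split_claim_uri(name)
    values = [v.text or "" for v in elem.findall("{%s}AttributeValue" % SAML2_NS)]
    return name, name_format, values


if __name__ == "__main__":
    # Constructed sample claims; the mail address is a placeholder, not a real user.
    samples = (
        ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "user@example.org"),
        ("http://schemas.mycompany.com/claims/language", "de"),
    )
    for claim, value in samples:
        print(saml2_attribute(claim, value))
        print(saml1_attribute(claim, value))
        print(check_saml2_attribute(saml2_attribute(claim, value)))
```

The check accepts the "basic" NameFormat with a short Name because that is what the PingFederate example in this thread sends; for "uri" and "unspecified" it insists on a fully qualified Name, which is the convention Oliver proposes and the ADFS examples follow.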