[
https://issues.apache.org/jira/browse/FEDIZ-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16606931#comment-16606931
]
ASF GitHub Bot commented on FEDIZ-218:
--------------------------------------
coheigea closed pull request #28: [FEDIZ-218] Support SAML Token without
Audience Restriction
URL: https://github.com/apache/cxf-fediz/pull/28
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index c92da54f..7fd308c2 100644
---
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -269,7 +269,7 @@ private void validateAudienceRestrictionCondition(
throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
}
List<AudienceRestriction> audienceRestrs =
conditions.getAudienceRestrictions();
- if (!matchSaml2AudienceRestriction(spIdentifier, audienceRestrs)) {
+ if (!audienceRestrs.isEmpty() &&
!matchSaml2AudienceRestriction(spIdentifier, audienceRestrs)) {
LOG.debug("Assertion does not contain unique subject provider
identifier "
+ spIdentifier + " in the audience restriction
conditions");
throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Support SAML Token without Audience Restriction in plugin
> ---------------------------------------------------------
>
> Key: FEDIZ-218
> URL: https://issues.apache.org/jira/browse/FEDIZ-218
> Project: CXF-Fediz
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 1.4.3
> Reporter: Arnaud MERGEY
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> FEDIZ-168 descrived Fediz only supported SAML with an audience restriction.
> It said
> _Fediz Plugin should accept SAML token without audience restrictions as valid
> (if all other security requirements are met) and the Fediz IDP should be
> configurable to request SAML token from the STS without audience
> restrictions._
> It seems it was fixed on IDP side, but not on plugin side as SAML token
> without audience restriction is not accepted.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
