Pedro Alves created FEDIZ-233:
---------------------------------
Summary: spIdentifier configuration option
Key: FEDIZ-233
URL: https://issues.apache.org/jira/browse/FEDIZ-233
Project: CXF-Fediz
Issue Type: Improvement
Reporter: Pedro Alves
In org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator#validateAudienceRestrictionCondition the spIdentifier is expected to match one of the URIs in audienceRestrictions. But this spIdentifier is in fact set to the RequestState.issuerId (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#validateSamlSSOResponse), which has been set to the realm (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#createSignInRequest line 428).
In our particular use case, we are not using a URI to identify the realm (but rather an identifier representing a domain in our system), causing this validation to fail.

One possible solution would be to introduce a new SAML SSO optional parameter in fediz config for the spIdentifier (with the realm being taken as default value). Another possible solution I see would be to use the assertion consumer url as the issuerId instead of the realm.
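The audience check described in this issue, as an added example that is not Fediz code: a constructed SAML assertion carrying an AudienceRestriction, the spIdentifier-must-match-an-Audience rule, and the proposed optional spIdentifier setting falling back to the realm (the config key name `spIdentifier` and the sample values are assumptions).

```python
"""Added example (not Fediz code): audience-restriction validation with a
configurable spIdentifier that defaults to the realm, as proposed in the issue."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP restricts the audience to the SP's URI.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/fediz</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def audiences(assertion_xml):
    """Return every Audience value found in any AudienceRestriction condition."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.iterfind(path, SAML_NS) if a.text]


def validate_audience_restriction(assertion_xml, sp_identifier):
    """The rule the issue describes: spIdentifier must equal one of the Audience
    URIs. An assertion with no AudienceRestriction is rejected here as well
    (an assumption of this example, not necessarily Fediz behaviour)."""
    auds = audiences(assertion_xml)
    return bool(auds) and sp_identifier in auds


def effective_sp_identifier(config):
    """Proposed behaviour: an optional spIdentifier config value, with the realm
    as the default. 'spIdentifier' is a hypothetical config key."""
    return config.get("spIdentifier") or config["realm"]


# Current behaviour: a non-URI realm is compared to the audience and fails.
REALM_ONLY = {"realm": "acme-tenant"}
# Proposed behaviour: spIdentifier configured explicitly, so the check passes.
WITH_SP_ID = {"realm": "acme-tenant", "spIdentifier": "https://sp.example.com/fediz"}

if __name__ == "__main__":
    for cfg in (REALM_ONLY, WITH_SP_ID):
        ok = validate_audience_restriction(SAMPLE_ASSERTION, effective_sp_identifier(cfg))
        print(cfg, "->", "accepted" if ok else "rejected")
```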