[
https://issues.apache.org/jira/browse/FEDIZ-233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh reassigned FEDIZ-233:
-----------------------------------------
Assignee: Colm O hEigeartaigh
> spIdentifier configuration option
> ---------------------------------
>
> Key: FEDIZ-233
> URL: https://issues.apache.org/jira/browse/FEDIZ-233
> Project: CXF-Fediz
> Issue Type: Improvement
> Reporter: Pedro Alves
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> In
> org.apache.cxf.fediz.core.samlsso.SAMLSSOResponseValidator#validateAudienceRestrictionCondition
> the spIdentifier is expected to match one of the URIs in
> audienceRestrictions. But this spIdentifier is in fact set to the
> RequestState.issuerId
> (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#validateSamlSSOResponse),
> which has been set to the realm
> (org.apache.cxf.fediz.core.processor.SAMLProcessorImpl#createSignInRequest
> line 428).
> In our particular use case, we are not using a URI to identify the realm (but
> rather an identifier representing a domain in our system), causing this
> validation to fail.
> One possible solution would be to introduce a new SAML SSO optional parameter
> in fediz config for the spIdentifier (with the realm being taken as default
> value). Another possible solution I see would be to use the assertion
> consumer url as the issuerId instead of the realm.
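The mismatch the reporter describes can be reproduced outside Fediz with a small stand-alone check. The example below is added here for illustration; it is not Fediz code and does not reproduce the behaviour of `SAMLSSOResponseValidator` beyond the one point at issue: the SP identifier compared against the assertion's `<saml:Audience>` values is taken from the realm, so a realm that is a plain domain label rather than the URI the IdP put in the audience restriction makes the assertion fail validation. The sample assertion, the `acme-tenant` realm, the ACS URL and the `spIdentifier` config key are all constructed for this example; the `resolve_sp_identifier` helper models the reporter's first proposal (an optional `spIdentifier` that defaults to the realm), and the audience rules follow SAML 2.0 Core (several `AudienceRestriction` elements are ANDed, the `Audience` values within one are ORed).

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not captured from any IdP). The IdP identifies
# the relying party by its assertion consumer URL, as is common in SAML SSO.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/fediz/saml/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def audience_restrictions(assertion_xml):
    """Return a list of audience sets, one per <saml:AudienceRestriction>."""
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML_NS}}}Conditions/{{{SAML_NS}}}AudienceRestriction"
    result = []
    for restriction in root.findall(path):
        audiences = {
            (a.text or "").strip()
            for a in restriction.findall(f"{{{SAML_NS}}}Audience")
        }
        result.append(audiences)
    return result


def validate_audience_restriction(assertion_xml, sp_identifier):
    """Accept the assertion only if sp_identifier is named as an audience.

    Every AudienceRestriction must be satisfied (AND); within one restriction
    any single Audience value may match (OR). An assertion without any
    AudienceRestriction is rejected here: for SSO an SP should insist on being
    named as the intended audience rather than accept an unscoped assertion.
    """
    if not sp_identifier:
        return False
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False
    return all(sp_identifier in audiences for audiences in restrictions)


def resolve_sp_identifier(config):
    """Hypothetical config lookup modelling the proposed option:
    use an explicit spIdentifier when configured, otherwise fall back to the
    realm, which is what the validator effectively compares today."""
    return config.get("spIdentifier") or config.get("realm")


def validate_with_config(assertion_xml, config):
    return validate_audience_restriction(assertion_xml, resolve_sp_identifier(config))


if __name__ == "__main__":
    # Today's situation: the realm is a domain label, not the audience URI.
    current = {"realm": "acme-tenant"}
    # Proposed: an explicit spIdentifier that matches what the IdP asserts.
    proposed = {"realm": "acme-tenant",
                "spIdentifier": "https://sp.example.test/fediz/saml/acs"}
    print("realm as spIdentifier:", validate_with_config(SAMPLE_ASSERTION, current))
    print("explicit spIdentifier:", validate_with_config(SAMPLE_ASSERTION, proposed))
```

The first call rejects the assertion because `acme-tenant` never appears as an `<saml:Audience>`; the second accepts it because the configured identifier is exactly the URI the IdP scoped the assertion to. Whichever of the two proposals is adopted, the value compared here must be the one the IdP is configured to emit, since accepting an assertion whose audience is someone else is precisely what the audience restriction check exists to prevent.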
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)