What does your STS configuration look like?

Colm.

On Tue, May 15, 2012 at 2:27 PM, DTaylor <[email protected]> wrote:
> Hi Andrei,
>
> From what I can see, I'm not actually receiving any of the
> AttributeStatements I requested as part of the token. There should be
> AttributeStatements for:
>
> http://.../ws/2005/05/identity/claims/role
> http://.../ws/2005/05/identity/claims/surname
> http://.../ws/2005/05/identity/claims/givenname
>
> But from what I can see in the print out below of the token, there are no
> attribute values present. When the Service is contacted, however, if I
> remove the STS's capability to provide an attribute for one of those claims,
> the token is rejected and the service cannot be accessed. When all of the
> attribute providers are present, the token is accepted and the service and
> client function correctly.
>
> Print out of token:
>
> <saml1:Assertion AssertionID="_89BE1A329735CB55B9133708789407010"
>     IssueInstant="2012-05-15T13:18:14.070Z"
>     Issuer="Merge Healthcare Default STS" MajorVersion="1" MinorVersion="1"
>     xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:type="saml1:AssertionType">
>   <saml1:Conditions NotBefore="2012-05-15T13:18:14.071Z"
>       NotOnOrAfter="2012-05-15T13:23:14.071Z">
>     <saml1:AudienceRestrictionCondition>
>       <saml1:Audience>
>         http://taylor-d-w7:12007/icc-basic-demo-service-1.0-SNAPSHOT/MergeDemo/MergeDemoService
>       </saml1:Audience>
>     </saml1:AudienceRestrictionCondition>
>   </saml1:Conditions>
>   <saml1:AttributeStatement>
>     <saml1:Subject>
>       <saml1:NameIdentifier
>           Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>           NameQualifier="http://cxf.apache.org/sts">
>         wsitUser
>       </saml1:NameIdentifier>
>       <saml1:SubjectConfirmation>
>         <saml1:ConfirmationMethod>
>           urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
>         </saml1:ConfirmationMethod>
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <xenc:EncryptedKey Id="EK-89BE1A329735CB55B913370878940709"
>               xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>             <xenc:EncryptionMethod
>                 Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
>             </xenc:EncryptionMethod>
>             <ds:KeyInfo>
>               <wsse:SecurityTokenReference
>                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <ds:X509Data>
>                   <ds:X509IssuerSerial>
>                     <ds:X509IssuerName>
>                       CN=SUNCA,OU=JWS,O=SUN,ST=Some-State,C=AU
>                     </ds:X509IssuerName>
>                     <ds:X509SerialNumber>
>                       3
>                     </ds:X509SerialNumber>
>                   </ds:X509IssuerSerial>
>                 </ds:X509Data>
>               </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>             <xenc:CipherData>
>               <xenc:CipherValue>
>                 uHeOeNq3yXO7DNMbndEZO2ecAMUeixBnZKgV6JXxxDuBDla1SAl9XDODDshzYIRdxk9PoF4l1TcxRRoTfde/AFh1BdfX0X3i3NP4guSx3V962dIF0FeL5dC5m85AtUXKybkNKEkyfpd31V68xkLc05eUuH2hnY6dwSH8AVujcE4=
>               </xenc:CipherValue>
>             </xenc:CipherData>
>           </xenc:EncryptedKey>
>         </ds:KeyInfo>
>       </saml1:SubjectConfirmation>
>     </saml1:Subject>
>     <saml1:Attribute AttributeName="token-requestor"
>         AttributeNamespace="http://cxf.apache.org/sts">
>       <saml1:AttributeValue xsi:type="xs:string">
>         authenticated
>       </saml1:AttributeValue>
>     </saml1:Attribute>
>   </saml1:AttributeStatement>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod
>           Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>       </ds:CanonicalizationMethod>
>       <ds:SignatureMethod
>           Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
>       </ds:SignatureMethod>
>       <ds:Reference URI="#_89BE1A329735CB55B9133708789407010">
>         <ds:Transforms>
>           <ds:Transform
>               Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
>           </ds:Transform>
>           <ds:Transform
>               Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces PrefixList="xs"
>                 xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
>             </ec:InclusiveNamespaces>
>           </ds:Transform>
>         </ds:Transforms>
>         <ds:DigestMethod
>             Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
>         </ds:DigestMethod>
>         <ds:DigestValue>
>           2mr3d420awDJSRm2vtemryWRdt4=
>         </ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>
>       tJjV8JsPsRM9cTMrzKLas+aRtvReHE/SiY1aKW1gBzF28Zn/ekggHFswZBhVhYWof1uplV6vPKpliRuUXhi8Go9xvis2df35gBSVhd8ia6M9H8F3SeQp/uqji5qEwGaJ1iZ0c/qV74/lLTf2LWA2RDSJCRL5m7+8NyhpyKm62kU=
>     </ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>
>           MIIDAzCCAmygAwIBAgIBBDANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
>           U29tZS1TdGF0ZTEMMAoGA1UEChMDU1VOMQwwCgYDVQQLEwNKV1MxDjAMBgNVBAMTBVNVTkNBMB4X
>           DTA3MDMxMzA2NTUyNVoXDTE3MDMxMDA2NTUyNVowYzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNv
>           bWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UECxMDU1VO
>           MQ4wDAYDVQQDEwVXU1NJUDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwe37mzKVC6jgJduP
>           fud9w8AurIhtbkW/6pHfrtpN+baCJhYVXPtHKf2+IcrPK6RxHuRFomvbd+mZY/ksPR/MWfo0uE55
>           L6wMfBleQu+iSuZd7Rh37JFHp2CkWOeMfABtupzos3+VzMcoftBzRIZY9Bxy7WtZ8WJUDsnVBP1l
>           CI0CAwEAAaOB2zCB2DAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
>           ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUGx3MiyTizFxMbMyVePSDheTY4JwwfgYDVR0jBHcwdYAU
>           Z7plxs6VyOOOTSFyojDV0/YYjJWhUqRQME4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0
>           YXRlMQwwCgYDVQQKEwNTVU4xDDAKBgNVBAsTA0pXUzEOMAwGA1UEAxMFU1VOQ0GCCQDbHkJaq6Ki
>           jjANBgkqhkiG9w0BAQQFAAOBgQCJpSnqYAwg92tclja7izIJsFzfQTPzwO6l/+3OAIG93deUyKls
>           4VcD6uXOOnz8CXA6hwh9pLrrYi9MeWuydwd3LLzLSLK6X6VPRC07b1xuJvkLHLeJ3p9IcPVeq9/z
>           B94NXIiehHxDwc2pcxx10ArkRBPbACV4etG1Pnb9b5STZQ==
>         </ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
> </saml1:Assertion>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Accessing-Claims-in-a-client-tp5698187p5707889.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
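
An added example, not part of either message in this thread: a small Python check that lists the attributes a SAML 1.1 assertion actually carries and reports which of the requested claims are absent. The sample assertion is constructed, the function names are hypothetical, and it assumes the claim URI is carried as `AttributeNamespace` + "/" + `AttributeName`.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Claim URIs requested in the thread; the host part is elided there, so match on the path.
REQUESTED = [
    "/ws/2005/05/identity/claims/role",
    "/ws/2005/05/identity/claims/surname",
    "/ws/2005/05/identity/claims/givenname",
]

# Constructed sample, cut down to the shape of the printed token (no signature or key info).
SAMPLE = """<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_constructed" Issuer="Example STS" MajorVersion="1" MinorVersion="1">
  <saml1:AttributeStatement>
    <saml1:Subject><saml1:NameIdentifier>wsitUser</saml1:NameIdentifier></saml1:Subject>
    <saml1:Attribute AttributeName="token-requestor"
                     AttributeNamespace="http://cxf.apache.org/sts">
      <saml1:AttributeValue>authenticated</saml1:AttributeValue>
    </saml1:Attribute>
  </saml1:AttributeStatement>
</saml1:Assertion>"""

def list_attributes(assertion_xml):
    """Return {claim_uri: [values]} for every saml1:Attribute in the assertion.

    Diagnostic only: the ds:Signature is not verified here.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iter("{%s}Attribute" % SAML1):
        ns = attr.get("AttributeNamespace", "").rstrip("/")
        name = attr.get("AttributeName", "")
        # Assumption: namespace and name together form the claim URI.
        uri = ns + "/" + name if ns else name
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML1)]
        found.setdefault(uri, []).extend(values)
    return found

def missing_claims(assertion_xml, requested=REQUESTED):
    """Return the requested claim suffixes that no attribute in the token matches."""
    present = list_attributes(assertion_xml)
    return [s for s in requested if not any(uri.endswith(s) for uri in present)]

if __name__ == "__main__":
    print(list_attributes(SAMPLE))
    print(missing_claims(SAMPLE))
```

Run against a token shaped like the one quoted above, it reports only the `token-requestor` attribute and lists all three requested claims as missing.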
