SAML 2.0 attributes and claims naming convention


SAML 2.0 attributes and claims naming convention

Oliver Wulff-2
Hi there

I came across an issue in processing the claims encoded within a SAML 1.1 and 2.0 attribute statement. Right now, the ClaimsAttributeStatementProvider creates the name of an attribute like this:

SAML 2.0

Current example:

                     <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">[hidden email]</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the name of the SAML attribute is a simple name like "givenname" instead of a fully qualified one.
- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">[hidden email]</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

I'd like to change this, as the attribute name should always be fully qualified and the NameFormat should be used for other purposes instead of http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Here is an example of how ADFS does it:
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/


SAML 1.1

Current example:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">[hidden email]</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

Issue:

- If the attribute is not part of http://schemas.xmlsoap.org/ws/2005/05/identity/claims, the AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

Proposal:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">[hidden email]</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="language" AttributeNamespace="http://schemas.mycompany.com/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

The book "Windows Identity Foundation" describes it in the same way as proposed (p66):
SAML 1.1
AttributeName = <local name> (firstname)
AttributeNamespace = http://schemas.../claims


If you are fine with this, I'll create a JIRA and make the following modifications to the ClaimsAttributeStatementProvider:
You can configure which NameFormat should be used, e.g. uri or unspecified (Microsoft uses unspecified, Shibboleth uri). The default stays as it is for backwards compatibility in 2.6, but I would like to change the default to "unspecified" for 2.7.




I've also discovered something in WSS4J in the SAML1ComponentBuilder which confused me a lot:


    @SuppressWarnings("unchecked")
    public static Attribute createSamlv1Attribute(
        String attributeName,
        String attributeUrn,
        List<?> values
    ) {
        if (attributeV1Builder == null) {
            attributeV1Builder = (SAMLObjectBuilder<Attribute>)
                builderFactory.getBuilder(Attribute.DEFAULT_ELEMENT_NAME);
        }
        if (stringBuilder == null) {
            stringBuilder = (XSStringBuilder)builderFactory.getBuilder(XSString.TYPE_NAME);
        }

        Attribute attribute = attributeV1Builder.buildObject();
        attribute.setAttributeName(attributeName);     // first argument -> AttributeName
        attribute.setAttributeNamespace(attributeUrn); // second argument -> AttributeNamespace
        // ... rest of the method (adding the values) not quoted here
    }

    @SuppressWarnings("unchecked")
    public static List<AttributeStatement> createSamlv1AttributeStatement(
        List<AttributeStatementBean> attributeData
    ) {
        // ... not quoted here; inside the loop over the bean's attributes it calls:
                    Attribute samlAttribute =
                        createSamlv1Attribute(
                            values.getSimpleName(),
                            values.getQualifiedName(), // the qualified name becomes the AttributeNamespace
                            attributeValues
                        );
        // ...
    }


Let me know your thoughts...

Thanks
Oli







------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

Re: SAML 2.0 attributes and claims naming convention

Glen Mazza
Administrator
Hi Oli, comments below:

Oliver Wulff-2 wrote
I came across an issue in processing the claims encoded within a SAML 1.1 and 2.0 attribute statement. Right now, the ClaimsAttributeStatementProvider creates the name of an attribute like this:

SAML 2.0

Current example:

                     <saml2:Attribute Name="emailaddress" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">[hidden email]</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

Issue:

- If the attribute is part of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims schema, then the name of the SAML attribute is a simple name like "givenname" instead of a fully qualified one.

- The NameFormat should not be http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
OK, a google does not show such a URI ever being used for NameFormat.   However, just FYI, from this 2010 email: http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec, Ping Federate apparently uses a different NameFormat value from what you're recommending we switch to:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EmailAddress">

Proposal:

                     <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">[hidden email]</saml2:AttributeValue>
                     </saml2:Attribute>
                     <saml2:Attribute Name="http://schemas.mycompany.com/claims/language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                        <saml2:AttributeValue xsi:type="xs:string">de</saml2:AttributeValue>
                     </saml2:Attribute>

I'd like to change this as the attribute name should always be fully qualified and the nameformat should be used for another purposes instead of http://schemas.xmlsoap.org/ws/2005/05/identity/claims

Here is an example of how ADFS does it:
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/


SAML 1.1

Current example:

                     <saml1:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">[hidden email]</saml1:AttributeValue>
                     </saml1:Attribute>
                     <saml1:Attribute AttributeName="http://schemas.mycompany.com/claims/language" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
                        <saml1:AttributeValue xsi:type="xs:string">de</saml1:AttributeValue>
                     </saml1:Attribute>

Issue:

- If the attribute is not part of http://schemas.xmlsoap.org/ws/2005/05/identity/claims, the AttributeName is fully qualified (which it shouldn't be) and the AttributeNamespace is again http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
Question: I'm confused here.  Why can't/shouldn't the attribute name be fully qualified (be a full URI) if I'm not using the standard http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?

If this is kosher:
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" 

why isn't this?
<saml2:Attribute Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"

For example, this article:
http://answers.flyppdevportal.com/categories/azure/azuresecurity.aspx?ID=4f3eeb5f-44ba-4873-91ff-27b3c3bc50fe

has an example using fully qualified Names with the "http://schemas.microsoft.com/ws/2008/06/identity/claims" non-standard namespace:

    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>

Thanks,
Glen

RE: SAML 2.0 attributes and claims naming convention

Oliver Wulff-2
Hi Glen

Thanks for the feedback...

>>>
OK, a google does not show such a URI ever being used for NameFormat.
However, just FYI, from this 2010 email:
http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/291a97a1-65f9-4125-9bd8-5071b29bd5ec,
Ping Federate apparently uses a different NameFormat value from what you're
recommending we switch to:

<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
Name="EmailAddress">
>>>

The basic format is just a "simple" name and not a URI as in the case of the ClaimsAttributeStatementProvider. Therefore, the options are only "uri" or "unspecified". I've proposed unspecified because ADFS uses it as a default and TFIM only supported unspecified.

>>>
Question: i'm confused here.  Why can't/shouldn't the attribute name be
fully qualified (be a full URI) if I'm not using the standard
http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace?

If this is kosher:
<saml2:Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

why isn't this?
<saml2:Attribute
Name="http://org.glen/ws/2005/05/identity/claims/favoritecookierecipe"
>>>
That's absolutely fine for SAML 2. But the proposal was for SAML 1.1 which doesn't have a NameFormat attribute. Instead, they have only AttributeName and AttributeNamespace.

Thanks
Oli



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Glen Mazza [[hidden email]]
Sent: 22 August 2012 18:21
To: [hidden email]
Subject: Re: SAML 2.0 attributes and claims naming convention

--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-2-0-attibutes-and-claims-naming-convention-tp5712967p5712998.html
Sent from the cxf-dev mailing list archive at Nabble.com.

Re: SAML 2.0 attributes and claims naming convention

coheigea
Administrator
In reply to this post by Oliver Wulff-2
> If you are fine with this, I'll create JIRA and make the following
modifications to the ClaimsAttributeStatementProvider

Fine with me.

> I've also discovered something in WSS4J in the SAML1ComponentBuilder
which confused me a lot:

What are you confused about exactly? Mapping the AttributeBean simpleName -> Name and qualified Name -> attribute Name? This is as a consequence of having the same Bean for creating both SAML 1.1 and SAML 2.0 assertions.

Colm.


On Wed, Aug 22, 2012 at 1:22 PM, Oliver Wulff <[hidden email]> wrote:

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: SAML 2.0 attributes and claims naming convention

Oliver Wulff-2
I'm confused about the mapping of the qualified attribute name to the attribute namespace for SAML 1.1.

I set the qualified name and the simple name (local name) in the AttributeBean of WSS4J:

                    Attribute samlAttribute =
                        createSamlv1Attribute(
                            values.getSimpleName(),
                            values.getQualifiedName(),
                            attributeValues
                        );

but this maps to

        Attribute attribute = attributeV1Builder.buildObject();
        attribute.setAttributeName(attributeName);
        attribute.setAttributeNamespace(attributeUrn);

where attributeUrn contains the value of values.getQualifiedName().

IMHO, the namespace of the qualified name must be parsed.

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Colm O hEigeartaigh [[hidden email]]
Sent: 23 August 2012 12:08
To: [hidden email]
Subject: Re: SAML 2.0 attributes and claims naming convention

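The two naming conventions proposed in the first post (SAML 2.0: a fully qualified Name plus a configurable NameFormat; SAML 1.1: an AttributeNamespace plus a local AttributeName) and the point in the last post that the namespace has to be parsed out of the qualified name, as an added example in Python. This is not CXF or WSS4J code: the function and class names, the check for mis-mapped SAML 1.1 attributes and the sample claim values are assumptions made for this example, and the split at the last "/" of the claim type follows the convention the SAML 1.1 proposal and the cited WIF book description imply.

```python
# Added example, not code from CXF or WSS4J: maps a fully qualified claim type
# to the SAML 2.0 and SAML 1.1 attribute naming conventions proposed in the
# thread and checks SAML 1.1 attributes for the two mis-mappings discussed.
# Function/class names and the sample claim values are assumptions (constructed).
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from xml.sax.saxutils import escape, quoteattr

NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAME_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAME_FORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def is_qualified_claim(claim_uri: str) -> bool:
    """True if the claim type is a URI with a namespace part and a local name."""
    namespace, sep, local = claim_uri.rpartition("/")
    return bool(sep) and bool(local) and "://" in namespace


def split_claim_uri(claim_uri: str) -> Tuple[str, str]:
    """'http://schemas.mycompany.com/claims/language' ->
    ('http://schemas.mycompany.com/claims', 'language'): last path segment is
    the local name, everything before it the namespace (assumed convention)."""
    if not is_qualified_claim(claim_uri):
        raise ValueError(f"not a fully qualified claim type: {claim_uri!r}")
    namespace, _, local = claim_uri.rpartition("/")
    return namespace, local


def name_format_accepts_claim_uri(name_format: str) -> bool:
    """A claim type is a URI, so only 'uri' and 'unspecified' can carry it;
    'basic' is for simple names such as "EmailAddress"."""
    return name_format in (NAME_FORMAT_URI, NAME_FORMAT_UNSPECIFIED)


def _values_xml(prefix: str, values: List[str]) -> str:
    return "".join(
        f'<{prefix}:AttributeValue xsi:type="xs:string">{escape(v)}</{prefix}:AttributeValue>'
        for v in values)


@dataclass
class Saml2Attribute:
    name: str
    name_format: str
    values: List[str] = field(default_factory=list)

    def to_xml(self) -> str:
        return (f"<saml2:Attribute Name={quoteattr(self.name)} "
                f"NameFormat={quoteattr(self.name_format)}>"
                f"{_values_xml('saml2', self.values)}</saml2:Attribute>")


@dataclass
class Saml1Attribute:
    attribute_name: str
    attribute_namespace: str
    values: List[str] = field(default_factory=list)

    def to_xml(self) -> str:
        return (f"<saml1:Attribute AttributeName={quoteattr(self.attribute_name)} "
                f"AttributeNamespace={quoteattr(self.attribute_namespace)}>"
                f"{_values_xml('saml1', self.values)}</saml1:Attribute>")


def saml2_attribute(claim_uri: str, values: List[str],
                    name_format: str = NAME_FORMAT_UNSPECIFIED) -> Saml2Attribute:
    """SAML 2.0: Name carries the whole claim type; NameFormat is a configuration
    choice (unspecified as ADFS does, uri as Shibboleth does)."""
    split_claim_uri(claim_uri)  # rejects simple names such as "givenname"
    if not name_format_accepts_claim_uri(name_format):
        raise ValueError(f"NameFormat {name_format!r} cannot carry a claim-type URI")
    return Saml2Attribute(claim_uri, name_format, list(values))


def saml1_attribute(claim_uri: str, values: List[str]) -> Saml1Attribute:
    """SAML 1.1 has no NameFormat: the claim type is split into
    AttributeNamespace (namespace part) and AttributeName (local name)."""
    namespace, local = split_claim_uri(claim_uri)
    return Saml1Attribute(local, namespace, list(values))


def check_saml1_attribute(attr: Saml1Attribute) -> Optional[str]:
    """Describe the mis-mapping if the attribute has one of the two shapes the
    thread complains about, else None."""
    if "://" in attr.attribute_name:
        return "AttributeName is fully qualified; its namespace part belongs in AttributeNamespace"
    if attr.attribute_namespace.rstrip("/").endswith("/" + attr.attribute_name):
        return "AttributeNamespace ends in the local name; the qualified name was passed as namespace"
    return None


def claim_uri_from_saml1(attr: Saml1Attribute) -> str:
    """Rebuild the claim type a relying party keys on; refuse mis-mapped input."""
    problem = check_saml1_attribute(attr)
    if problem is not None:
        raise ValueError(problem)
    return attr.attribute_namespace.rstrip("/") + "/" + attr.attribute_name


if __name__ == "__main__":
    for uri, vals in {  # constructed sample claims
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["user@example.org"],
        "http://schemas.mycompany.com/claims/language": ["de"],
    }.items():
        print(saml2_attribute(uri, vals).to_xml())
        print(saml1_attribute(uri, vals).to_xml())
    # Current provider output for the custom claim, and the WSS4J qualifiedName -> namespace mapping:
    print(check_saml1_attribute(Saml1Attribute("http://schemas.mycompany.com/claims/language",
                                               "http://schemas.xmlsoap.org/ws/2005/05/identity/claims")))
    print(check_saml1_attribute(Saml1Attribute("language", "http://schemas.mycompany.com/claims/language")))
```

Running the module prints both renderings of each sample claim and then the diagnostics for the two shapes the thread objects to: the provider's current SAML 1.1 output, where a custom claim's AttributeName is the whole URI, and the WSS4J mapping where the qualified name lands in AttributeNamespace. `claim_uri_from_saml1` shows why the split matters on the consuming side: only the proposed shape round-trips back to the claim type.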