Replies: 4 - Last Post: Feb 4, 2009 10:08 PM by: jdg6688
SAML attributes and DisplayToken
Posted: Jan 21, 2009 3:11 AM
Hi,
I'm trying to develop a Windows CardSpace compliant STS using Metro.
When the relying party requests a SAML 1 (urn:oasis:names:tc:SAML:1.0:assertion) token it works fine. But when the relying party requests SAML 2 (urn:oasis:names:tc:SAML:2.0:assertion) tokens, the resulting SAML token does not contain SAML attributes.
In both cases the RequestSecurityTokenResponse contains the following DisplayToken:
<RequestedDisplayToken:RequestedDisplayToken xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:RequestedDisplayToken="http://schemas.xmlsoap.org/ws/2005/05/identity">
  <DisplayToken>
    <DisplayClaim Uri="http://namespace/localPart" xmlns="" xmlns:ns12="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <ns12:DisplayTag>localPart</ns12:DisplayTag>
      <ns12:DisplayValue>string1</ns12:DisplayValue>
    </DisplayClaim>
    <DisplayClaim Uri="http://sun.com/token-requestor" xmlns="" xmlns:ns12="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <ns12:DisplayTag>token-requestor</ns12:DisplayTag>
      <ns12:DisplayValue>authenticated</ns12:DisplayValue>
    </DisplayClaim>
  </DisplayToken>
</RequestedDisplayToken:RequestedDisplayToken>
So the attributes are obviously processed by the STS. Also, Windows CardSpace says "The card contents are not available in a format that you can examine." despite the returned DisplayToken.
Why are the attributes not in the SAML 2 token?
Thanks in advance.
regards robert
Re: SAML attributes and DisplayToken
Posted: Jan 21, 2009 11:29 PM in response to: wierob
So let's get things straight:
1. You have a custom STSAttributeProvider.
2. You use ICContractImpl with CardSpace.
3. For SAML 2.0, the attributes returned from your STSAttributeProvider are not contained in the assertion, but reflected in the DisplayToken.
If this is the case, it is likely a bug in the default saml token provider. Please file an issue in Metro IssueTracker:
https://wsit.dev.java.net/servlets/ProjectIssues
Re: SAML attributes and DisplayToken
Posted: Jan 24, 2009 11:01 AM in response to: jdg6688
Hi,
this might be the same issue as https://wsit.dev.java.net/issues/show_bug.cgi?id=1083. I've looked in the code of com.sun.xml.ws.security.trust.impl.DefaultSAMLTokenProvider; it seems that the code to add the attributes to the token is commented out.
Regarding the DisplayToken:
The DisplayToken generated by Metro
<RequestedDisplayToken:RequestedDisplayToken xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:RequestedDisplayToken="http://schemas.xmlsoap.org/ws/2005/05/identity">
  <DisplayToken>
    <DisplayClaim Uri="http://namespace/localPart" xmlns="" xmlns:ns12="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <ns12:DisplayTag>localPart</ns12:DisplayTag>
      <ns12:DisplayValue>string1</ns12:DisplayValue>
    </DisplayClaim>
    <DisplayClaim Uri="http://sun.com/token-requestor" xmlns="" xmlns:ns12="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <ns12:DisplayTag>token-requestor</ns12:DisplayTag>
      <ns12:DisplayValue>authenticated</ns12:DisplayValue>
    </DisplayClaim>
  </DisplayToken>
</RequestedDisplayToken:RequestedDisplayToken>
is not correct:
- The default namespace declaration for DisplayClaim is an empty string.
- Regarding http://schemas.xmlsoap.org/ws/2005/05/identity/Identity_Selector_Interoperability_Profile_V1.5.pdf, DisplayToken must have an xml:lang attribute.
regards robert
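A small lint for the three problems discussed in this thread (no attributes in the SAML 2.0 assertion, DisplayClaim pushed out of the identity namespace by xmlns="", DisplayToken without xml:lang), added here as an example; it is not Metro's or the poster's code, the RSTR it checks is constructed from the DisplayToken above, and using the claim URI as the SAML Attribute Name is an assumption:

```python
# Added example, not Metro code: lint an RSTR for the three defects raised in this
# thread. The RSTR is constructed from the DisplayToken Metro returned and assumes
# the STS uses each claim URI as the SAML 2.0 Attribute Name (an assumption).
import xml.etree.ElementTree as ET

IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XMLNS = "http://www.w3.org/XML/1998/namespace"  # namespace bound to the xml: prefix
# Constructed response: assertion without attributes, DisplayClaim pushed out of the
# identity namespace by xmlns="", and DisplayToken without xml:lang.
BROKEN_RSTR = f"""<RequestSecurityTokenResponse xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_constructed">
   <saml:Subject><saml:NameID>robert</saml:NameID></saml:Subject>
  </saml:Assertion>
 </RequestedSecurityToken>
 <RequestedDisplayToken xmlns="{IC}">
  <DisplayToken>
   <DisplayClaim Uri="http://namespace/localPart" xmlns="" xmlns:ns12="{IC}">
    <ns12:DisplayTag>localPart</ns12:DisplayTag><ns12:DisplayValue>string1</ns12:DisplayValue>
   </DisplayClaim>
  </DisplayToken>
 </RequestedDisplayToken>
</RequestSecurityTokenResponse>"""

# The same response with the three defects corrected.
FIXED_RSTR = (BROKEN_RSTR
    .replace(' xmlns=""', "")  # DisplayClaim now inherits the identity namespace
    .replace("<DisplayToken>", '<DisplayToken xml:lang="en-us">')  # ISIP 1.5 requirement
    .replace("</saml:Subject>", '</saml:Subject><saml:AttributeStatement><saml:Attribute '
             'Name="http://namespace/localPart"><saml:AttributeValue>string1'
             "</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"))

def lint_rstr(xml_text: str) -> list[str]:
    """Return findings for one RSTR; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    asserted = {a.get("Name") for a in root.iter(f"{{{SAML2}}}Attribute")}
    if root.find(f".//{{{SAML2}}}Assertion") is not None and not asserted:
        findings.append("SAML 2.0 assertion carries no Attribute elements")
    for token in root.iter(f"{{{IC}}}DisplayToken"):
        if token.get(f"{{{XMLNS}}}lang") is None:
            findings.append("DisplayToken lacks the xml:lang attribute")
        for claim in token:  # xmlns="" makes the tag a bare 'DisplayClaim', not '{IC}DisplayClaim'
            if claim.tag != f"{{{IC}}}DisplayClaim":
                findings.append(f"DisplayClaim not in identity namespace: {claim.tag}")
            if claim.get("Uri") not in asserted:  # shown to the user but missing from the token
                findings.append(f"claim {claim.get('Uri')} displayed but not asserted")
    return findings
```

Running `lint_rstr(BROKEN_RSTR)` reports all four findings, while `lint_rstr(FIXED_RSTR)` returns an empty list.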
Re: SAML attributes and DisplayToken
Posted: Jan 26, 2009 11:34 AM in response to: wierob
> Hi,
>
> this might be the same issue as
> https://wsit.dev.java.net/issues/show_bug.cgi?id=1083.

Yes, it is the same issue. We are fixing it.

> I've looked in the code of the
> com.sun.xml.ws.security.trust.impl.DefaultSAMLTokenProvider, it seems that the code to add the attributes
> to the token is commented out.
>
> Regarding the DisplayToken:
>
> The DisplayToken generated by Metro
> [code]
> <RequestedDisplayToken:RequestedDisplayToken xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns:RequestedDisplayToken="http://schemas.xmlsoap.org/ws/2005/05/identity">
>   <DisplayToken>
>     <DisplayClaim Uri="http://namespace/localPart" xmlns="" xmlns:ns12="http://schemas.xmlsoap.org/ws/2005/05/identity">
>       <ns12:DisplayTag>localPart</ns12:DisplayTag>
>       <ns12:DisplayValue>string1</ns12:DisplayValue>
>     </DisplayClaim>
>     <DisplayClaim Uri="http://sun.com/token-requestor" xmlns="" xmlns:ns12="http://schemas.xmlsoap.org/ws/2005/05/identity">
>       <ns12:DisplayTag>token-requestor</ns12:DisplayTag>
>       <ns12:DisplayValue>authenticated</ns12:DisplayValue>
>     </DisplayClaim>
>   </DisplayToken>
> </RequestedDisplayToken:RequestedDisplayToken>
> [/code]
>
> is not correct:
> - The default namespace declaration for DisplayClaim is an empty string.

Thanks for pointing this out. We will look into it.

> - Regarding
> http://schemas.xmlsoap.org/ws/2005/05/identity/Identity_Selector_Interoperability_Profile_V1.5.pdf
> DisplayToken must have an xml:lang attribute.

Ok. We will add it. In any case, CardSpace accepts it without xml:lang set.
These are Metro issues. To get timely responses, it is better to post them in the Metro forum:
http://forums.java.net/jive/forum.jspa?forumID=46
Thanks!
Jiandong