[higgins-dev] STS Issue: SubjectNameIdentifierAttribute

Mike,

In the Configuration.xml file there is a setting under the DigitalIdentityHandler, TokenGeneratorHandler, and SelfTokenGeneratorHandler settings called SubjectNameIdentifierAttribute.

In DigitalIdentityHandler.java, the invoke() method always includes this URI in the list of attributes it requests from IDAS (in the alIdentityClaims variable).  Because it just goes into an ArrayList, it retrieves this attribute from IDAS, just like any other value, and it is indistinguishable from other claims.  This causes the returned security token to always include this attribute, even if it was not requested as a claim by the RP.  We haven't noticed this issue up until now, because usually that subject name identifier attribute has been email address, and email address is usually returned as a claim.  However, when it is not requested, it should not be returned as a claim, as that will be a security issue.

We probably need a fix for this issue.  Would you like me to log a defect on it, or am I mistaken about this?

Thanks,

Daniel
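The pattern the mail describes, with the identifier URI appended to the same list as the RP's requested claims, beside one way to keep the two apart so the identifier is still fetched for the subject but never emitted as an unrequested claim. This is an added illustration, not Higgins code: the claim URIs, IDAS_STORE, fetchFromIdas and TokenParts are constructed stand-ins for the real DigitalIdentityHandler/IDAS API.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SubjectNameIdFilter {

    // Constructed sample values; in Higgins the URI comes from Configuration.xml.
    static final String SUBJECT_NAME_ID_ATTR = "http://example.org/claims/email";
    static final Map<String, String> IDAS_STORE = new LinkedHashMap<>();
    static {
        IDAS_STORE.put("http://example.org/claims/email", "alice@example.org");
        IDAS_STORE.put("http://example.org/claims/givenname", "Alice");
    }

    // Hypothetical stand-in for the IDAS lookup: returns whatever attributes exist.
    static Map<String, String> fetchFromIdas(Collection<String> attrUris) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String uri : attrUris) {
            if (IDAS_STORE.containsKey(uri)) out.put(uri, IDAS_STORE.get(uri));
        }
        return out;
    }

    // Pattern described in the mail: the identifier URI goes into the same list as
    // the requested claims, so everything fetched ends up in the token as a claim.
    static Map<String, String> buggyTokenClaims(List<String> requested) {
        List<String> alIdentityClaims = new ArrayList<>(requested);
        alIdentityClaims.add(SUBJECT_NAME_ID_ATTR);
        return fetchFromIdas(alIdentityClaims);
    }

    static class TokenParts {
        final String subjectNameId; final Map<String, String> claims;
        TokenParts(String id, Map<String, String> c) { subjectNameId = id; claims = c; }
    }

    // Mitigation: remember what the RP asked for, fetch the identifier alongside it,
    // emit only requested URIs as claims and hand the identifier back separately.
    static TokenParts fixedTokenClaims(List<String> requested) {
        Set<String> requestedSet = new LinkedHashSet<>(requested);
        Set<String> toFetch = new LinkedHashSet<>(requestedSet);
        toFetch.add(SUBJECT_NAME_ID_ATTR);
        Map<String, String> fetched = fetchFromIdas(toFetch);
        Map<String, String> claims = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : fetched.entrySet()) {
            if (requestedSet.contains(e.getKey())) claims.put(e.getKey(), e.getValue());
        }
        return new TokenParts(fetched.get(SUBJECT_NAME_ID_ATTR), claims);
    }
}
```

With an RP that requests only the givenname URI, buggyTokenClaims returns both givenname and email, while fixedTokenClaims returns givenname alone and carries the email value only as subjectNameId.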