[higgins-dev] Add saml:AudienceRestrictionCondition to P-Card xmlToken

Hello Mike,

Some RPs rejected the P-Card xmlToken with an error message like 'Audience Restriction is not valid'.

Our P-Card xmlToken doesn't have <saml:AudienceRestrictionCondition/>; however, the CardSpace-generated one does.

According to 'A Technical Reference for Information Cards in Windows CardSpace v1.0, December 2006':
> 7.1. Token Characteristics
> The self-issued tokens issued by the simple identity provider in the Windows CardSpace system have the following characteristics:
> ....
> • The issued token always contains the saml:Conditions element specifying:
> o the token validity interval using the NotBefore and NotOnOrAfter attributes, and
> o the saml:AudienceRestrictionCondition element restricting the token to a specific target scope (i.e., a specific recipient of the token).


However, according to org.eclipse.higgins.sts.server.token.saml.TokenGeneratorHandler, you add it depending on the RST.getAppliesTo() (uriAppliesTo) property.

    if (null != uriAppliesTo) {
        final org.apache.axiom.om.OMElement omAudienceRestrictionCondition = omFactory.createOMElement("AudienceRestrictionCondition",
                omSAMLNamespace, omConditions);
        final org.apache.axiom.om.OMElement omAudience = omFactory.createOMElement("Audience", omSAMLNamespace,
                omAudienceRestrictionCondition);
        omAudience.setText(uriAppliesTo.toString());
    }

But org.eclipse.higgins.sts.client.TokenRequestFactory sets it up only for M-Cards.

    java.lang.Boolean boolRequireAppliesTo = null;
    if (informationCard instanceof IManagedInformationCard)
    {
        boolRequireAppliesTo = ((IManagedInformationCard) informationCard).getRequireAppliesTo();
    }
    if (null != boolRequireAppliesTo)
        bSendAppliesTo = !(boolRequireAppliesTo.booleanValue());
    if ((null != uriRelyingParty) && (bSendAppliesTo))
    {
        final org.eclipse.higgins.sts.api.IAppliesTo appliesTo = new org.eclipse.higgins.sts.common.AppliesTo();
        final org.eclipse.higgins.sts.api.IEndpointReference epr = new org.eclipse.higgins.sts.common.EndpointReference();
        appliesTo.setEndpointReference(epr);
        epr.setAddress(uriRelyingParty);
        if (null != strCertificate)
        {
            epr.setIdentityCertificate(strCertificate);
        }
        rst.setAppliesTo(appliesTo);
    }


Would you fix it?
---
Thank you,
Alexander Yuhimenko <ayuhimenko@xxxxxxxxxxxxx>
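To make the rejection described above concrete, here is an added example (not Higgins or CardSpace code, written for this page) of the checks a relying party typically performs on the saml:Conditions element of a SAML 1.1 assertion: the NotBefore/NotOnOrAfter validity window and the AudienceRestrictionCondition. It builds its own minimal, unsigned assertions with constructed timestamps and a hypothetical RP URI, then shows that a token which omits the audience restriction is refused by an RP that requires one, which is the situation the message reports for P-Card tokens, while a token carrying the RP's own URI as Audience passes.

```python
"""
Added example: RP-side validation of saml:Conditions for a SAML 1.1 assertion.
Not Higgins or CardSpace code; standard library only; all sample data is constructed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# SAML 1.1 assertion namespace (the one CardSpace self-issued tokens use).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}


def build_assertion(not_before, not_on_or_after, audience=None):
    """Construct a minimal SAML 1.1 assertion with a Conditions element.

    audience=None reproduces a token without AudienceRestrictionCondition
    (what the message says the Higgins P-Card xmlToken currently looks like).
    The assertion is unsigned: signature checking is out of scope here.
    """
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(
        f"{{{SAML_NS}}}Assertion",
        {"MajorVersion": "1", "MinorVersion": "1",
         "AssertionID": "uuid-constructed-example"},  # constructed id
    )
    conditions = ET.SubElement(
        assertion, f"{{{SAML_NS}}}Conditions",
        {"NotBefore": not_before, "NotOnOrAfter": not_on_or_after},
    )
    if audience is not None:
        arc = ET.SubElement(conditions, f"{{{SAML_NS}}}AudienceRestrictionCondition")
        ET.SubElement(arc, f"{{{SAML_NS}}}Audience").text = audience
    return ET.tostring(assertion, encoding="unicode")


def _parse_utc(timestamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the constructed samples."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(xml_text, expected_audience, now, require_audience=True):
    """Return (accepted, reason) after checking the saml:Conditions element.

    require_audience=True models an RP that insists on an audience restriction,
    i.e. one that answers 'Audience Restriction is not valid' when it is absent.
    """
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "Conditions element missing"

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and now < _parse_utc(not_before):
        return False, "token not yet valid"
    if not_on_or_after is not None and now >= _parse_utc(not_on_or_after):
        return False, "token expired"

    # Audience restriction: the RP must be named in at least one Audience.
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if not audiences:
        if require_audience:
            return False, "Audience Restriction is not valid: no AudienceRestrictionCondition"
        return True, "accepted without audience restriction"
    if expected_audience not in audiences:
        return False, "Audience Restriction is not valid: token is for " + ", ".join(audiences)
    return True, "ok"


if __name__ == "__main__":
    # Constructed clock and hypothetical RP identifier for a stand-alone run.
    now = datetime(2007, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    rp = "https://rp.example.test/"
    for label, token in [
        ("with matching audience", build_assertion("2007-01-10T11:55:00Z", "2007-01-10T12:05:00Z", rp)),
        ("without audience", build_assertion("2007-01-10T11:55:00Z", "2007-01-10T12:05:00Z")),
        ("for another RP", build_assertion("2007-01-10T11:55:00Z", "2007-01-10T12:05:00Z", "https://other.example.test/")),
        ("expired", build_assertion("2007-01-10T11:00:00Z", "2007-01-10T11:30:00Z", rp)),
    ]:
        print(label, "->", validate_conditions(token, rp, now))
```

The audience check compares the RP's own identifier against the Audience values, so once the token generator emits the element the RP URI placed in AppliesTo has to match what the RP expects of itself; emitting the element with a different URI is rejected just as firmly as omitting it.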