Re: [higgins-dev] Add saml:AudienceRestrictionCondition to P-Card xmlToken


AFAIK Mike's stuff is correct.

For self-issued cards (where the IP/STS is co-located with the selector) and cards which have RequireAppliesTo (i.e. the RP target) sent to the IP/STS it is possible to include the AudienceRestrictionCondition at the IP/STS. If you have a managed card without RequireAppliesTo, then there is no way that an IP/STS can provide such an element, since it is never informed of the target for the requested security token. The ARC should not be included in that case.

If you have an RP which requires an AudienceRestrictionCondition, you will have to use either a self-issued card, or a managed card which includes RequireAppliesTo.




Alexander Yuhimenko <AYuhimenko@xxxxxxxxxxxxxx>
Sent by: higgins-dev-bounces@xxxxxxxxxxx

10/04/2008 02:09 AM

Please respond to
"Higgins \(Trust Framework\) Project developer discussions" <higgins-dev@xxxxxxxxxxx>

To
Michael McIntosh <mikemci@xxxxxxxxxx>
cc
higgins-dev@xxxxxxxxxxx
Subject
[higgins-dev] Add saml:AudienceRestrictionCondition to P-Card xmlToken

Hello Mike,

Some RP rejected the P-Card xmlToken with an error message like 'Audience Restriction is not valid'.

Our P-Card xmlToken doesn't have <saml:AudienceRestrictionCondition/>; however, the CardSpace-generated one has.

According to 'A Technical Reference for Information Cards in Windows CardSpace v1.0, December 2006':
> 7.1. Token Characteristics
> The self-issued tokens issued by the simple identity provider in the Windows CardSpace system have the following characteristics:
> ....
> • The issued token always contains the saml:Conditions element specifying:
> o the token validity interval using the NotBefore and NotOnOrAfter attributes, and
> o the saml:AudienceRestrictionCondition element restricting the token to a specific target scope (i.e., a specific recipient of the token).


However, according to org.eclipse.higgins.sts.server.token.saml.TokenGeneratorHandler, you add it depending on the RST.getAppliesTo() (uriAppliesTo) property.

    // The ARC is emitted only when the RST carried an AppliesTo (uriAppliesTo);
    // otherwise the issued saml:Conditions has no audience restriction at all.
    if (null != uriAppliesTo) {
        final org.apache.axiom.om.OMElement omAudienceRestrictionCondition =
                omFactory.createOMElement("AudienceRestrictionCondition", omSAMLNamespace, omConditions);
        final org.apache.axiom.om.OMElement omAudience =
                omFactory.createOMElement("Audience", omSAMLNamespace, omAudienceRestrictionCondition);
        // The single saml:Audience is the AppliesTo URI, i.e. the intended RP
        omAudience.setText(uriAppliesTo.toString());
    }

But org.eclipse.higgins.sts.client.TokenRequestFactory sets it up only for M-Cards.

    java.lang.Boolean boolRequireAppliesTo = null;
    // Only managed cards expose RequireAppliesTo; for any other card type it stays null
    if (informationCard instanceof IManagedInformationCard)
    {
        boolRequireAppliesTo = ((IManagedInformationCard) informationCard).getRequireAppliesTo();
    }
    // bSendAppliesTo is set to the negation of the card's RequireAppliesTo value
    if (null != boolRequireAppliesTo)
        bSendAppliesTo = !(boolRequireAppliesTo.booleanValue());
    // The RP address (and its certificate, if known) is placed into the RST's
    // AppliesTo only when bSendAppliesTo is true
    if ((null != uriRelyingParty) && (bSendAppliesTo))
    {
        final org.eclipse.higgins.sts.api.IAppliesTo appliesTo = new org.eclipse.higgins.sts.common.AppliesTo();
        final org.eclipse.higgins.sts.api.IEndpointReference epr = new org.eclipse.higgins.sts.common.EndpointReference();
        appliesTo.setEndpointReference(epr);
        epr.setAddress(uriRelyingParty);
        if (null != strCertificate)
        {
            epr.setIdentityCertificate(strCertificate);
        }
        rst.setAppliesTo(appliesTo);
    }


Would you fix it?
---
Thank you,
Alexander Yuhimenko <ayuhimenko@xxxxxxxxxxxxx>
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
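The thread above is about whether the STS emits a saml:AudienceRestrictionCondition; the other half of the picture is what the relying party does with it. The following is an added example, not code from the thread or from the Higgins project: an RP-side check of a SAML 1.1 saml:Conditions element that enforces the validity interval and the audience restriction, and that shows how the "Audience Restriction is not valid" rejection arises for a token issued without an ARC (the managed-card-without-RequireAppliesTo case the reply describes). The three tokens, the RP identifier https://rp.example.test/ and the `require_audience` policy switch are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.x assertion namespace (the prefix "saml" used in the thread)
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def _q(local):
    return "{%s}%s" % (SAML_NS, local)


def _parse_time(value):
    # SAML 1.1 timestamps are xsd:dateTime in UTC, e.g. 2008-10-04T02:09:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, expected_audience, now, require_audience=True):
    """Validate saml:Conditions of a SAML 1.1 assertion for one relying party.

    Returns (accepted, reason). Signature verification is out of scope here and
    must happen before these checks in a real RP. For untrusted input use a
    hardened parser (e.g. defusedxml) instead of plain ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find(_q("Conditions"))
    if conditions is None:
        return False, "missing saml:Conditions"

    # Validity interval: NotBefore is inclusive, NotOnOrAfter is exclusive
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "validity interval incomplete"
    if now < _parse_time(not_before):
        return False, "token not yet valid"
    if now >= _parse_time(not_on_or_after):
        return False, "token expired"

    arcs = conditions.findall(_q("AudienceRestrictionCondition"))
    if not arcs:
        # This is the token an IP/STS produces when it was never told the target:
        # an RP that insists on audience scoping has to reject it.
        if require_audience:
            return False, "Audience Restriction is not valid: no AudienceRestrictionCondition"
        return True, "accepted without audience restriction (policy allows)"

    # SAML 1.1: every AudienceRestrictionCondition must hold, and one holds
    # when any of its saml:Audience values names this relying party.
    for arc in arcs:
        audiences = [a.text.strip() for a in arc.findall(_q("Audience")) if a.text]
        if expected_audience not in audiences:
            return False, "Audience Restriction is not valid: %r not in %r" % (expected_audience, audiences)
    return True, "validity interval and audience OK"


def _assertion(conditions_inner):
    # Constructed sample assertion; issuer and AssertionID are placeholders.
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
        'AssertionID="uuid-constructed-example" Issuer="urn:example:issuer" '
        'IssueInstant="2008-10-04T02:09:00Z">'
        '<saml:Conditions NotBefore="2008-10-04T02:09:00Z" NotOnOrAfter="2008-10-04T03:09:00Z">%s'
        '</saml:Conditions></saml:Assertion>'
    ) % (SAML_NS, conditions_inner)


RP = "https://rp.example.test/"  # constructed RP identifier (the AppliesTo URI)

# Token scoped to this RP, as a self-issued card or RequireAppliesTo M-Card yields
TOKEN_SCOPED = _assertion(
    '<saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience>'
    '</saml:AudienceRestrictionCondition>' % RP)
# Token scoped to some other RP (replayed token)
TOKEN_WRONG_RP = _assertion(
    '<saml:AudienceRestrictionCondition><saml:Audience>https://other.example.test/</saml:Audience>'
    '</saml:AudienceRestrictionCondition>')
# Token without any ARC, as an M-Card without RequireAppliesTo yields
TOKEN_UNSCOPED = _assertion('')

NOW = datetime(2008, 10, 4, 2, 30, tzinfo=timezone.utc)
LATER = datetime(2008, 10, 4, 4, 0, tzinfo=timezone.utc)


def demo():
    """Run all sample tokens through the strict and lenient RP policies."""
    return {
        "scoped": check_conditions(TOKEN_SCOPED, RP, NOW)[0],
        "wrong_rp": check_conditions(TOKEN_WRONG_RP, RP, NOW)[0],
        "unscoped_strict": check_conditions(TOKEN_UNSCOPED, RP, NOW)[0],
        "unscoped_lenient": check_conditions(TOKEN_UNSCOPED, RP, NOW, require_audience=False)[0],
        "expired": check_conditions(TOKEN_SCOPED, RP, LATER)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-17s %s" % (name, "accepted" if accepted else "rejected"))
```

The `require_audience` flag is the RP's policy decision from the reply: an RP that needs an ARC can only accept tokens from self-issued cards or from managed cards with RequireAppliesTo, and everything else fails with the same "Audience Restriction is not valid" message Alexander saw.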