Re: [higgins-dev] Add saml:AudienceRestrictionCondition to P-Card xmlToken

Hello,

I use a self-issued card (in other words, a P-Card); however, the xmlToken for the self-issued card doesn't contain 'AudienceRestrictionCondition', but it must.

-- 
Alexander Yuhimenko <AYuhimenko@xxxxxxxxxxxxxx>

On Thu, 10 Apr 2008 02:41:10 +1000
Shane B Weeden <sweeden@xxxxxxxxxxx> wrote:

> AFAIK Mike's stuff is correct. 
> 
> For self-issued cards (where the IP/STS is co-located with the selector) 
> and cards which have RequireAppliesTo (i.e. the RP target) sent to the 
> IP/STS it is possible to include the AudienceRestrictionCondition at the 
> IP/STS. If you have a managed card without RequireAppliesTo, then there is 
> no way that an IP/STS can provide such an element since it is never 
> informed of the target for the requested security token. The ARC should 
> not be included in that case.
> 
> If you have an RP which requires an AudienceRestrictionCondition, you will 
> have to use either a self-issued card, or a managed card which includes 
> RequireAppliesTo. 
> 
> Alexander Yuhimenko <AYuhimenko@xxxxxxxxxxxxxx> 
> Sent by: higgins-dev-bounces@xxxxxxxxxxx
> 10/04/2008 02:09 AM
> Please respond to
> "Higgins \(Trust Framework\) Project developer discussions" 
> <higgins-dev@xxxxxxxxxxx>
> 
> 
> To
> Michael McIntosh <mikemci@xxxxxxxxxx>
> cc
> higgins-dev@xxxxxxxxxxx
> Subject
> [higgins-dev] Add saml:AudienceRestrictionCondition to P-Card   xmlToken
> 
> Hello Mike,
> 
> Some RP rejected the P-Card xmlToken with an error message like 'Audience 
> Restriction is not valid'.
> 
> Our P-Card xmlToken doesn't have <saml:AudienceRestrictionCondition/>; 
> however, the CardSpace-generated one does.
> 
> According to 'A Technical Reference for Information Cards in Windows 
> CardSpace v1.0, December 2006': 
> > 7.1. Token Characteristics
> > The self-issued tokens issued by the simple identity provider in the 
> > Windows CardSpace system have the following characteristics:
> > ....
> > • The issued token always contains the saml:Conditions element 
> > specifying:
> > o the token validity interval using the NotBefore and NotOnOrAfter 
> > attributes, and
> > o the saml:AudienceRestrictionCondition element restricting the token 
> > to a specific target scope (i.e., a specific recipient of the token).
> 
> 
> However, according to 
> org.eclipse.higgins.sts.server.token.saml.TokenGeneratorHandler, you add it 
> depending on the RST.getAppliesTo() (uriAppliesTo) property.
> 
> if (null != uriAppliesTo) {
>     final org.apache.axiom.om.OMElement omAudienceRestrictionCondition =
>         omFactory.createOMElement("AudienceRestrictionCondition", omSAMLNamespace, omConditions);
>     final org.apache.axiom.om.OMElement omAudience =
>         omFactory.createOMElement("Audience", omSAMLNamespace, omAudienceRestrictionCondition);
>     omAudience.setText(uriAppliesTo.toString());
> }
> 
> But org.eclipse.higgins.sts.client.TokenRequestFactory sets it up only for 
> M-Cards.
> 
> java.lang.Boolean boolRequireAppliesTo = null;
> if (informationCard instanceof IManagedInformationCard)
> {
>     boolRequireAppliesTo = ((IManagedInformationCard) informationCard).getRequireAppliesTo();
> }
> if (null != boolRequireAppliesTo)
>     bSendAppliesTo = !(boolRequireAppliesTo.booleanValue());
> if ((null != uriRelyingParty) && (bSendAppliesTo))
> {
>     final org.eclipse.higgins.sts.api.IAppliesTo appliesTo =
>         new org.eclipse.higgins.sts.common.AppliesTo();
>     final org.eclipse.higgins.sts.api.IEndpointReference epr =
>         new org.eclipse.higgins.sts.common.EndpointReference();
>     appliesTo.setEndpointReference(epr);
>     epr.setAddress(uriRelyingParty);
>     if (null != strCertificate)
>     {
>         epr.setIdentityCertificate(strCertificate);
>     }
>     rst.setAppliesTo(appliesTo);
> }
> 
> Would you fix it?
> 
> ---
>  Thank you,
> Alexander Yuhimenko <ayuhimenko@xxxxxxxxxxxxx>
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev
> 
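To make the failure mode in this thread concrete, here is an added example (not Higgins code and not from the thread) of both sides of the exchange: an issuer that, like the quoted TokenGeneratorHandler, emits the AudienceRestrictionCondition only when an AppliesTo was supplied, and a relying-party check that enforces the validity interval and the audience and therefore rejects a token without the element, which is the behaviour Alexander reports. The RP URI, the clock value and the four sample tokens are constructed for the example.

```python
"""Issuer-side and RP-side handling of saml:Conditions (SAML 1.1).
Added example, not Higgins project code; RP_URI and NOW are constructed values."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values (not from the thread).
RP_URI = "https://rp.example.test/"
NOW = datetime(2008, 4, 10, 0, 0, 0, tzinfo=timezone.utc)


def _saml(tag):
    return "{%s}%s" % (SAML_NS, tag)


def issue_conditions(applies_to, now=NOW, lifetime_minutes=10):
    """Token-issuer side. Mirrors the quoted TokenGeneratorHandler logic:
    NotBefore/NotOnOrAfter are always set, but the AudienceRestrictionCondition
    is emitted only when the RST carried an AppliesTo (applies_to is not None).
    Returns the serialised saml:Conditions element."""
    conditions = ET.Element(_saml("Conditions"), {
        "NotBefore": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + timedelta(minutes=lifetime_minutes)).strftime(TIME_FMT),
    })
    if applies_to is not None:
        arc = ET.SubElement(conditions, _saml("AudienceRestrictionCondition"))
        ET.SubElement(arc, _saml("Audience")).text = applies_to
    return ET.tostring(conditions, encoding="unicode")


def validate_conditions(xml_text, rp_uri, now=NOW):
    """Relying-party side. Returns (accepted, reason). Rejects tokens outside
    their validity interval, tokens with no AudienceRestrictionCondition, and
    tokens whose Audience does not name this RP."""
    root = ET.fromstring(xml_text)
    if root.tag != _saml("Conditions"):
        return False, "saml:Conditions element missing"
    try:
        not_before = datetime.strptime(root.get("NotBefore", ""), TIME_FMT).replace(tzinfo=timezone.utc)
        not_on_or_after = datetime.strptime(root.get("NotOnOrAfter", ""), TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "validity interval missing or malformed"
    if now < not_before or now >= not_on_or_after:
        return False, "token outside NotBefore/NotOnOrAfter interval"
    arcs = root.findall(_saml("AudienceRestrictionCondition"))
    if not arcs:
        return False, "Audience Restriction is not valid: no AudienceRestrictionCondition"
    # SAML 1.1: every AudienceRestrictionCondition present must be satisfied,
    # and one is satisfied when at least one of its Audience URIs is this RP.
    for arc in arcs:
        audiences = {a.text.strip() for a in arc.findall(_saml("Audience")) if a.text}
        if rp_uri not in audiences:
            return False, "Audience Restriction is not valid: audience mismatch"
    return True, "ok"


def run_scenarios():
    """Four constructed tokens run through the RP check."""
    return {
        "self_issued_with_applies_to": validate_conditions(issue_conditions(RP_URI), RP_URI),
        "no_applies_to": validate_conditions(issue_conditions(None), RP_URI),
        "other_audience": validate_conditions(issue_conditions("https://other.example.test/"), RP_URI),
        "expired": validate_conditions(issue_conditions(RP_URI, now=NOW - timedelta(hours=1)), RP_URI),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print("%-30s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The "no_applies_to" case is the P-Card token from the thread: the issuer never saw an AppliesTo, so no AudienceRestrictionCondition is written and an RP that requires one rejects it. The "other_audience" case shows why an RP should insist on the element at all: without the audience check, a token issued for one relying party would be accepted by another.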
