[higgins-dev] Re: Add saml:AudienceRestrictionCondition to P-Card xmlToken

I believe this is fixed now.

Alexander Yuhimenko <AYuhimenko@xxxxxxxxxxxxxx> wrote on 04/09/2008 12:09:30 PM:

> Hello Mike,
>
> Some RP rejected the P-Card xmlToken with an error message like 'Audience
> Restriction is not valid'.
>
> Our P-Card xmlToken doesn't have <saml:AudienceRestrictionCondition/>,
> however the one CardSpace generates has.
>
> According to 'A Technical Reference for Information Cards in Windows
> CardSpace v1.0 December, 2006'
> > 7.1. Token Characteristics
> > The self-issued tokens issued by the simple identity provider in
> > the Windows CardSpace system have the following characteristics:
> > ....
> > • The issued token always contains the saml:Conditions element specifying:
> >   o the token validity interval using the NotBefore and NotOnOrAfter
> >     attributes, and
> >   o the saml:AudienceRestrictionCondition element restricting the
> >     token to a specific target scope (i.e., a specific recipient of the
> >     token).
>
>
> However, according to
> org.eclipse.higgins.sts.server.token.saml.TokenGeneratorHandler, you add it
> depending on the RST.getAppliesTo() (uriAppliesTo) property.
>
>       if (null != uriAppliesTo) {
>          final org.apache.axiom.om.OMElement omAudienceRestrictionCondition =
>                omFactory.createOMElement("AudienceRestrictionCondition", omSAMLNamespace, omConditions);
>          final org.apache.axiom.om.OMElement omAudience =
>                omFactory.createOMElement("Audience", omSAMLNamespace, omAudienceRestrictionCondition);
>          omAudience.setText(uriAppliesTo.toString());
>       }
>
> But org.eclipse.higgins.sts.client.TokenRequestFactory sets it up only
> for M-Card.
>
>          java.lang.Boolean boolRequireAppliesTo = null;
>          if (informationCard instanceof IManagedInformationCard)
>          {
>             boolRequireAppliesTo =
>                   ((IManagedInformationCard) informationCard).getRequireAppliesTo();
>          }
>          if (null != boolRequireAppliesTo)
>             bSendAppliesTo = !(boolRequireAppliesTo.booleanValue());
>          if ((null != uriRelyingParty) && (bSendAppliesTo))
>          {
>             final org.eclipse.higgins.sts.api.IAppliesTo appliesTo =
>                   new org.eclipse.higgins.sts.common.AppliesTo();
>             final org.eclipse.higgins.sts.api.IEndpointReference epr =
>                   new org.eclipse.higgins.sts.common.EndpointReference();
>             appliesTo.setEndpointReference(epr);
>             epr.setAddress(uriRelyingParty);
>             if (null != strCertificate)
>             {
>                epr.setIdentityCertificate(strCertificate);
>             }
>             rst.setAppliesTo(appliesTo);
>          }
>
>
> Would you fix it?
>
> ---
>  Thank you,
> Alexander Yuhimenko <ayuhimenko@xxxxxxxxxxxxx>
