0 Replies Latest reply on May 26, 2016 9:38 AM by fambad

    Unsupported SAML Attributes

    fambad

      Hi,

       

      I have a problem when parsing SAML assertions we have received from other clients.

      They use some elements that are not supported by PicketLink, and I wonder why, because they are allowed and defined in the schema.

       

      1. The element "Assertion/Conditions/ProxyRestriction". If that element occurs in the SAML assertion, the parser returns a "PL00062: Parser : Unknown tag: ... " exception.

      2. Attribute statements with complex attribute values.

      Sample:

       

      <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
        <saml2:AttributeValue>
          <PurposeOfUse xmlns="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="99-101" codeSystem="1.3.6.1.4.1.21367.3000.4.1" displayName="TREATMENT" xsi:type="CE"/>
        </saml2:AttributeValue>
      </saml2:Attribute>


      So why not simply return a node element for such attribute values instead of throwing an error?

       

      3. The same applies to attribute values of unknown xsi:type, e.g. xsi:type anyURI throws an unknown XSI type error. Sample:

      <saml2:Attribute FriendlyName="XSPA Organization ID" Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyURI">urn:oid:1.2.3</saml2:AttributeValue>
      </saml2:Attribute>

      So why not simply handle this as a string value?

       

      It would be nice if PicketLink supported some factory methods or extension points to plug in my own code to handle such unsupported elements. It would make things easier to implement. Until now I have had to change the original classes and replace them in the library. Or is there an easy way to override such specific methods that I do not see?

       

      Regards,

       

      Marco.
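As an added illustration of the tolerant behaviour the post asks for (this is stand-alone example code, not PicketLink's parser), the reader below returns the child element for complex AttributeValue content and keeps an unknown xsi:type as a string with the declared type attached instead of failing. The sample statement is constructed from the two attributes quoted above; it assumes the assertion's signature has already been verified before any attribute values are trusted.

```python
# Added example (not PicketLink code): a tolerant reader for SAML 2.0
# <AttributeValue> content that does what the post proposes:
# plain text -> str, complex child markup -> the Element itself,
# unknown xsi:type -> text kept as str, with the declared type reported.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample mirroring the two attributes quoted in the post.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
    <saml2:AttributeValue>
      <PurposeOfUse xmlns="urn:hl7-org:v3" code="99-101"
        codeSystem="1.3.6.1.4.1.21367.3000.4.1" displayName="TREATMENT" xsi:type="CE"/>
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
    <saml2:AttributeValue xsi:type="xs:anyURI">urn:oid:1.2.3</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def read_value(value_el):
    """Return (kind, payload, xsi_type) for one <AttributeValue>.

    kind is "element" when the value carries child markup (the consumer
    receives the Element and decides how to interpret it), otherwise
    "string". An unknown xsi:type is not an error; it is passed along.
    """
    xsi_type = value_el.get(f"{{{XSI}}}type")
    children = list(value_el)
    if children:
        return ("element", children[0], xsi_type)
    return ("string", (value_el.text or "").strip(), xsi_type)


def read_attributes(statement_xml):
    """Map each Attribute Name to the list of its parsed values.

    Only call this on an assertion whose signature has already been
    verified; attribute content from an unverified assertion is untrusted.
    """
    root = ET.fromstring(statement_xml)
    result = {}
    for attr in root.findall(f"{{{SAML2}}}Attribute"):
        values = [read_value(v) for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        result[attr.get("Name")] = values
    return result
```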