OpenAM / OPENAM-4448: Allow custom Audiences in SAML Assertions

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0
    • Fix Version/s: 13.5.2, 14.5.0
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39
    • Story Points: 3

    Description

    Currently the <AudienceRestriction> element of an OpenAM SAML assertion contains only one <Audience> element (the SP's identifier).
    The saml-core-2.0-os standard allows the Audience list to be extended, but currently there is no way to set any Audience other than the SP ID.
    When an SP sends a SAML bearer assertion to obtain an OAuth token, the request will fail if the OAuth server is a different host, because the assertion's Audience list must contain the addressed OAuth server (from draft-ietf-oauth-saml2-bearer-21: "Assertions that do not identify the Authorization Server as an intended audience MUST be rejected.").

    This can be done by adding a new parameter "audienceUri" to the Extended SP Metadata and modifying the getConditions() method in IDPSSOUtil.java. The attached patch allows one more Audience URI to be added to the assertion's Audience list.
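The check on the receiving side that makes the extra Audience necessary, as an added example (not OpenAM code and not the attached patch): the authorization server accepts a SAML bearer assertion only if it is named in every AudienceRestriction. The entity ID, token-endpoint URL and the assertion builder are constructed for illustration.

```python
"""Audience check an OAuth authorization server applies to a SAML 2.0 bearer
assertion (draft-ietf-oauth-saml2-bearer: "Assertions that do not identify the
Authorization Server as an intended audience MUST be rejected")."""
import xml.etree.ElementTree as ET
from typing import List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical identifiers, not taken from the ticket.
SP_ENTITY_ID = "https://sp.example.com/sp"
AS_TOKEN_ENDPOINT = "https://as.example.net/oauth2/access_token"


def build_assertion(audiences: List[str]) -> str:
    """Constructed minimal assertion (not OpenAM output) whose single
    <AudienceRestriction> lists the given audiences in order."""
    audience_xml = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.com/openam</saml:Issuer>"
        '<saml:Conditions NotBefore="2016-01-01T00:00:00Z" '
        'NotOnOrAfter="2016-01-01T00:05:00Z">'
        f"<saml:AudienceRestriction>{audience_xml}</saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )


def audience_restrictions(assertion_xml: str) -> List[List[str]]:
    """One list of Audience URIs per <AudienceRestriction> under <Conditions>.
    In production parse with a hardened XML parser (e.g. defusedxml) and verify
    the assertion signature before trusting any of this content."""
    root = ET.fromstring(assertion_xml)
    return [
        [a.text.strip() for a in ar.findall("saml:Audience", SAML_NS) if a.text]
        for ar in root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS)
    ]


def audience_accepts(assertion_xml: str, my_identifier: str) -> bool:
    """True only if my_identifier appears in EVERY AudienceRestriction.
    SAML core 2.0 evaluates each AudienceRestriction independently, so one
    restriction that omits us fails the assertion even if another names us.
    An assertion with no AudienceRestriction is rejected too, since the bearer
    profile requires an explicit audience. Comparison is exact: no trailing
    slash or case normalisation, so the IdP must emit the AS identifier verbatim."""
    restrictions = audience_restrictions(assertion_xml)
    return bool(restrictions) and all(my_identifier in aud for aud in restrictions)
```

With only the SP ID in the assertion (the current OpenAM behaviour described above) an authorization server on another host returns False, which is exactly the failure the ticket reports; adding the AS token endpoint as a second Audience makes it pass.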

    People

    • Assignee: sfraser (Sam Fraser)
    • Reporter: gabor.hollosi
    • Votes: 2
    • Watchers: 7


    Time Tracking

    • Original Estimate: 6h
    • Remaining Estimate: 0h
    • Time Spent: 6h