Bugzilla – Bug 5940
schema-invalid CAS assertion
Last modified: 2008-03-24 12:30:08
Looking at the assertion examples in Bug 5606, it appears that the CAS assertion is schema-invalid:

- AuthorizationDecisionStatement/@Resource MUST be a URI
- Action/@Namespace MUST be a URI

Apparently, there are other errors as well:

- ConfirmationMethod is illegal (X509-PKI is an authentication method URI)
- NameQualifier is equal to NameIdentifier (may as well omit NameQualifier altogether since a DN is globally unique and later versions of SAML specify that NameQualifier SHOULD be omitted)
- NotOnOrAfter exceeds the lifetime of the proxy (by many hours)

Also, when will the CAS assertion be upgraded to SAML V1.1? (Note that the NameIdentifier Format currently used in the CAS assertion was deprecated in SAML V1.1.)
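The five checks listed in the report, as an added example that is not part of the original bug report or of the CAS code. The sample assertion is constructed (not copied from Bug 5606), the function names and finding codes are hypothetical, "URI" is read as an absolute URI with a scheme, and a misused ConfirmationMethod is recognised by the SAML 1.0 authentication-method URN prefix.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"s": "urn:oasis:names:tc:SAML:1.0:assertion"}
AM_PREFIX = "urn:oasis:names:tc:SAML:1.0:am:"  # authentication-method URIs
ABS_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:.+")  # assumption: absolute URI

# Constructed sample (not copied from Bug 5606); every value is made up.
SAMPLE = """\
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
    MinorVersion="0" AssertionID="a1" Issuer="/O=Example/CN=CAS"
    IssueInstant="2008-03-01T00:00:00Z">
  <Conditions NotBefore="2008-03-01T00:00:00Z" NotOnOrAfter="2008-03-02T00:00:00Z"/>
  <AuthorizationDecisionStatement Decision="Permit" Resource="gridftp-server">
    <Subject>
      <NameIdentifier NameQualifier="/O=Example/CN=Jane">/O=Example/CN=Jane</NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:am:X509-PKI</ConfirmationMethod>
      </SubjectConfirmation>
    </Subject>
    <Action Namespace="FTP">read</Action>
  </AuthorizationDecisionStatement>
</Assertion>"""

def utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, proxy_not_after):
    """Return finding codes for the problems listed in the report."""
    root, out = ET.fromstring(xml_text), []
    for st in root.iterfind(".//s:AuthorizationDecisionStatement", NS):
        if not ABS_URI.match(st.get("Resource", "")):
            out.append("resource-not-uri")
    for act in root.iterfind(".//s:Action", NS):
        ns = act.get("Namespace")  # optional attribute; only check when present
        if ns is not None and not ABS_URI.match(ns):
            out.append("action-namespace-not-uri")
    for cm in root.iterfind(".//s:ConfirmationMethod", NS):
        if (cm.text or "").strip().startswith(AM_PREFIX):
            out.append("confirmation-method-is-authn-method")
    for ni in root.iterfind(".//s:NameIdentifier", NS):
        if ni.get("NameQualifier") == (ni.text or "").strip():
            out.append("namequalifier-equals-nameidentifier")
    cond = root.find("s:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter") and utc(cond.get("NotOnOrAfter")) > proxy_not_after:
        out.append("notonorafter-exceeds-proxy-lifetime")
    return out

if __name__ == "__main__":
    print(check_assertion(SAMPLE, utc("2008-03-01T12:00:00Z")))
```

The second argument is the proxy certificate's expiry time, which the caller reads from the certificate itself.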