Bug 5940 - schema-invalid CAS assertion
Status: NEW
Product/Component: CAS/SAML utilities
Version: 4.0.4
Platform: All All
Importance: P3 normal
Target Milestone: ---
Assigned To:
Reported: 2008-03-24 12:30 by
Modified: 2008-03-24 12:30

Description From 2008-03-24 12:30:08
Looking at the assertion examples in Bug 5606, it appears that the CAS
assertion is schema-invalid:

- AuthorizationDecisionStatement/@Resource MUST be a URI
- Action/@Namespace MUST be a URI

Apparently, there are other errors as well:

- ConfirmationMethod is illegal (X509-PKI is an authentication method URI)
- NameQualifier is equal to NameIdentifier (may as well omit NameQualifier
altogether since a DN is globally unique and later versions of SAML specify
that NameQualifier SHOULD be omitted)
- NotOnOrAfter exceeds the lifetime of the proxy (by many hours).

Also, when will the CAS assertion be upgraded to SAML V1.1?  (Note that the
NameIdentifier Format currently used in the CAS assertion was deprecated in
SAML V1.1.)
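The checks the reporter lists, written out as an added example that is not part of the bug report or of the CAS/SAML utilities code: a small Python lint over a constructed SAML 1.1 assertion that reproduces each defect, beside a corrected assertion that passes. The confirmation-method and authentication-method identifiers and the SAML 1.1 nameid-format prefix are the ones defined in SAML 1.0/1.1 core; the URI acceptance criterion (scheme present, no whitespace), the two-hour proxy lifetime, the sample DN, the issuer and resource URLs and the finding codes are the example's own assumptions.

```python
"""Lint a SAML 1.x assertion for the defect classes named in this bug report."""
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # saml: namespace is unchanged between SAML 1.0 and 1.1
NS = {"saml": SAML1}

# SAML 1.x subject confirmation methods (SAML 1.0 named the artifact method artifact-01).
CONFIRMATION_METHODS = {
    "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
    "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches",
    "urn:oasis:names:tc:SAML:1.0:cm:artifact-01",
    "urn:oasis:names:tc:SAML:1.0:cm:artifact",
    "urn:oasis:names:tc:SAML:1.0:cm:bearer",
}
# SAML 1.0 defined its NameIdentifier formats under this prefix; SAML 1.1 deprecated them
# in favour of urn:oasis:names:tc:SAML:1.1:nameid-format:*.
DEPRECATED_FORMAT_PREFIX = "urn:oasis:names:tc:SAML:1.0:assertion#"


def is_absolute_uri(value):
    """Assumed criterion: a scheme and no whitespace. Stricter than xs:anyURI (which also
    admits relative references) but it rejects the free-text values the report objects to."""
    return bool(urlparse(value).scheme) and not any(c.isspace() for c in value)


def parse_instant(value):
    # Assumes the UTC "Z" form without fractional seconds.
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def lint_assertion(xml_text, proxy_lifetime):
    """Return sorted finding codes, one per defect class present in the assertion.
    proxy_lifetime is a datetime.timedelta; the Conditions window is checked against it."""
    root = ET.fromstring(xml_text)
    findings = set()

    for stmt in root.findall(".//saml:AuthorizationDecisionStatement", NS):
        if not is_absolute_uri(stmt.get("Resource", "")):
            findings.add("resource-not-uri")
        for action in stmt.findall("saml:Action", NS):
            if not is_absolute_uri(action.get("Namespace", "")):
                findings.add("action-namespace-not-uri")

    for cm in root.findall(".//saml:ConfirmationMethod", NS):
        if (cm.text or "").strip() not in CONFIRMATION_METHODS:
            findings.add("illegal-confirmation-method")  # e.g. an am: authentication method URI

    for nid in root.findall(".//saml:NameIdentifier", NS):
        value = (nid.text or "").strip()
        if nid.get("NameQualifier") is not None and nid.get("NameQualifier") == value:
            findings.add("namequalifier-equals-nameidentifier")
        if nid.get("Format", "").startswith(DEPRECATED_FORMAT_PREFIX):
            findings.add("deprecated-nameid-format")

    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        window = parse_instant(cond.get("NotOnOrAfter")) - parse_instant(cond.get("NotBefore"))
        if window > proxy_lifetime:
            findings.add("validity-exceeds-proxy-lifetime")

    return sorted(findings)


# Constructed sample assertion; the field values are filled in below for the bad and good cases.
TEMPLATE = """<saml:Assertion xmlns:saml="{ns}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="https://cas.example.org/cas" IssueInstant="2008-03-24T12:30:00Z">
  <saml:Conditions NotBefore="2008-03-24T12:30:00Z" NotOnOrAfter="{not_on_or_after}"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
      AuthenticationInstant="2008-03-24T12:30:00Z">
    <saml:Subject>
      <saml:NameIdentifier Format="{fmt}"{qualifier}>{dn}</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{cm}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AuthorizationDecisionStatement Resource="{resource}" Decision="Permit">
    <saml:Subject>
      <saml:NameIdentifier Format="{fmt}"{qualifier}>{dn}</saml:NameIdentifier>
    </saml:Subject>
    <saml:Action Namespace="{action_ns}">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

DN = "CN=Alice Example,O=Example Org,C=US"  # constructed subject DN
PROXY_LIFETIME = dt.timedelta(hours=2)      # assumed proxy ticket lifetime

# Reproduces every defect the report lists: non-URI Resource and Namespace, an am: URI as
# ConfirmationMethod, NameQualifier equal to the DN, the SAML 1.0 format, a 12-hour window.
BAD_ASSERTION = TEMPLATE.format(
    ns=SAML1, not_on_or_after="2008-03-25T00:30:00Z",
    fmt=DEPRECATED_FORMAT_PREFIX + "X509SubjectName", qualifier=' NameQualifier="%s"' % DN,
    dn=DN, cm="urn:oasis:names:tc:SAML:1.0:am:X509-PKI",
    resource="cas service ticket", action_ns="CAS")

GOOD_ASSERTION = TEMPLATE.format(
    ns=SAML1, not_on_or_after="2008-03-24T14:30:00Z",
    fmt="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", qualifier="",
    dn=DN, cm="urn:oasis:names:tc:SAML:1.0:cm:bearer",
    resource="https://app.example.org/protected", action_ns="urn:oasis:names:tc:SAML:1.0:action:rwedc")

if __name__ == "__main__":
    print("bad assertion:", lint_assertion(BAD_ASSERTION, PROXY_LIFETIME))
    print("good assertion:", lint_assertion(GOOD_ASSERTION, PROXY_LIFETIME))
```

The lint is deliberately not a schema validator: it flags the specific values the report calls out, so it can run on an assertion captured from a CAS response without an XSD toolchain. The validity-window check needs the caller's own proxy lifetime, since nothing in the assertion states it.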