Java Code Examples for org.opensaml.core.xml.XMLObject#getDOM()

The following examples show how to use org.opensaml.core.xml.XMLObject#getDOM().
Example 1
Source File: SamlMessageUtil.java    From armeria with Apache License 2.0 6 votes vote down vote up
/**
 * Returns the DOM form of {@code message}, marshalling it only when no DOM is attached yet.
 *
 * @param message the SAML object to serialize; must not be {@code null}
 * @return the DOM element already attached to the object, or the newly marshalled element
 * @throws SamlException if no marshaller is registered for the object, or marshalling fails
 */
static Element serialize(XMLObject message) {
    requireNonNull(message, "message");

    // An attached DOM is handed back untouched; nothing is re-marshalled in that case.
    // NOTE(review): a caller that signs or transmits this element relies on the attached DOM
    // still matching the object's current state - confirm it is dropped when the object changes.
    final Element attachedDom = message.getDOM();
    if (attachedDom != null) {
        return attachedDom;
    }

    final Marshaller marshaller =
            XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(message);
    if (marshaller != null) {
        try {
            return marshaller.marshall(message);
        } catch (MarshallingException e) {
            throw new SamlException("failed to serialize a SAML object into an XML document", e);
        }
    }

    // No marshaller is registered for this element type.
    throw new SamlException("failed to serialize a SAML object into an XML document, " +
                            "no serializer registered for message object: " +
                            message.getElementQName());
}
 
Example 2
Source File: ActAsValidator.java    From cxf with Apache License 2.0 5 votes vote down vote up
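/**
 * Validates the credential with the parent validator, then applies this validator's ActAs
 * checks to its SAML 2.0 assertion.
 *
 * <p>The assertion is accepted only if its Subject NameID contains {@code www.client.com} and
 * an attribute named {@code ActAs} or {@code CustomActAs} has a value containing
 * {@code alice} or {@code bob}. Missing or empty data is rejected with the same error rather
 * than surfacing as a {@link NullPointerException}.
 *
 * @param credential the credential to validate
 * @param data the request data passed through to the parent validator
 * @return the credential returned by the parent validator
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} when any check fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
    if (assertion == null) {
        // Fail closed: without a SAML assertion there is nothing to authorize.
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // The technical user should be in the Subject
    Subject subject = saml2Assertion.getSubject();
    String subjectName = null;
    if (subject != null && subject.getNameID() != null) {
        subjectName = subject.getNameID().getValue();
    }
    // NOTE(review): contains() is a substring test, so any NameID that merely embeds this text
    // passes; compare the whole value if the expected NameID is fixed.
    if (subjectName == null || !subjectName.contains("www.client.com")) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    for (AttributeStatement statement : attributeStatements) {
        for (Attribute attribute : statement.getAttributes()) {
            if (!"CustomActAs".equals(attribute.getName()) && !"ActAs".equals(attribute.getName())) {
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                // getDOM() is null when no DOM is attached; such a value cannot match.
                Element attributeValueElement = attributeValue.getDOM();
                if (attributeValueElement == null) {
                    continue;
                }
                String text = attributeValueElement.getTextContent();
                // NOTE(review): substring match again - a longer name that embeds "alice" or
                // "bob" is accepted as well; confirm whether an exact match is intended.
                if (text != null && (text.contains("alice") || text.contains("bob"))) {
                    return validatedCredential;
                }
            }
        }
    }

    // No acceptable ActAs value was found.
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}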
 
Example 3
Source File: ClaimsValidator.java    From cxf with Apache License 2.0 5 votes vote down vote up
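/**
 * Checks the claim attributes of a SAML 1.x assertion against the expected role value.
 *
 * <p>Only attributes whose AttributeNamespace equals {@code ClaimTypes.URI_BASE} are examined.
 * Every value of such an attribute must have the text {@code admin-user}; a value with no
 * attached DOM counts as a mismatch instead of raising a {@link NullPointerException}.
 *
 * @param assertion the SAML 1.x assertion to inspect
 * @return {@code false} as soon as one examined value differs, {@code true} otherwise
 * @throws WSSecurityException if the assertion has no attribute statements
 */
private boolean handleSAML1Assertion(
    org.opensaml.saml.saml1.core.Assertion assertion
) throws WSSecurityException {
    List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements =
        assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
        List<org.opensaml.saml.saml1.core.Attribute> attributes = statement.getAttributes();
        for (org.opensaml.saml.saml1.core.Attribute attribute : attributes) {

            if (!ClaimTypes.URI_BASE.toString().equals(attribute.getAttributeNamespace())) {
                continue;
            }

            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element attributeValueElement = attributeValue.getDOM();
                // Fail closed: a value without an attached DOM cannot be shown to match.
                if (attributeValueElement == null
                    || !"admin-user".equals(attributeValueElement.getTextContent())) {
                    return false;
                }
            }
        }
    }
    // NOTE(review): this is also reached when no attribute lies in the claims namespace, so an
    // assertion without any role claim is accepted - confirm that this is intended.
    return true;
}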
 
Example 4
Source File: ClaimsValidator.java    From cxf with Apache License 2.0 5 votes vote down vote up
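/**
 * Checks the claim attributes of a SAML 2.0 assertion against the expected role value.
 *
 * <p>Only attributes whose Name starts with {@code ClaimTypes.URI_BASE} are examined; an
 * attribute without a Name is skipped like any other non-claim attribute. Every value of an
 * examined attribute must have the text {@code admin-user}; a value with no attached DOM counts
 * as a mismatch instead of raising a {@link NullPointerException}.
 *
 * @param assertion the SAML 2.0 assertion to inspect
 * @return {@code false} as soon as one examined value differs, {@code true} otherwise
 * @throws WSSecurityException if the assertion has no attribute statements
 */
private boolean handleSAML2Assertion(
    org.opensaml.saml.saml2.core.Assertion assertion
) throws WSSecurityException {
    List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements =
        assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) {
        List<org.opensaml.saml.saml2.core.Attribute> attributes = statement.getAttributes();
        for (org.opensaml.saml.saml2.core.Attribute attribute : attributes) {
            String attributeName = attribute.getName();
            if (attributeName == null || !attributeName.startsWith(ClaimTypes.URI_BASE.toString())) {
                continue;
            }

            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element attributeValueElement = attributeValue.getDOM();
                // Fail closed: a value without an attached DOM cannot be shown to match.
                if (attributeValueElement == null
                    || !"admin-user".equals(attributeValueElement.getTextContent())) {
                    return false;
                }
            }
        }
    }
    // NOTE(review): this is also reached when no attribute name starts with the claims URI, so
    // an assertion without any role claim is accepted - confirm that this is intended.
    return true;
}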
 
Example 5
Source File: StaxClaimsValidator.java    From cxf with Apache License 2.0 5 votes vote down vote up
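/**
 * Verifies that every claim value in a SAML 1.x assertion is {@code admin-user}.
 *
 * <p>An attribute is treated as a claim when its AttributeNamespace equals
 * {@code ClaimTypes.URI_BASE}. A claim value that has no attached DOM is handled as a
 * non-matching value, so the method returns {@code false} rather than throwing a
 * {@link NullPointerException}.
 *
 * @param assertion the SAML 1.x assertion to inspect
 * @return {@code true} if no examined value differs from {@code admin-user}
 * @throws WSSecurityException if the assertion carries no attribute statements
 */
private boolean handleSAML1Assertion(
    org.opensaml.saml.saml1.core.Assertion assertion
) throws WSSecurityException {
    List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements =
        assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    final String claimsNamespace = ClaimTypes.URI_BASE.toString();
    for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
        for (org.opensaml.saml.saml1.core.Attribute attribute : statement.getAttributes()) {
            if (!claimsNamespace.equals(attribute.getAttributeNamespace())) {
                continue;
            }

            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element valueDom = attributeValue.getDOM();
                // A missing DOM leaves the text null, which the comparison below rejects.
                String text = valueDom == null ? null : valueDom.getTextContent();
                if (!"admin-user".equals(text)) {
                    return false;
                }
            }
        }
    }
    // NOTE(review): an assertion with attribute statements but no attribute in the claims
    // namespace also ends up here and is accepted - confirm that this is intended.
    return true;
}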
 
Example 6
Source File: StaxClaimsValidator.java    From cxf with Apache License 2.0 5 votes vote down vote up
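/**
 * Verifies that every claim value in a SAML 2.0 assertion is {@code admin-user}.
 *
 * <p>An attribute is treated as a claim when its Name starts with {@code ClaimTypes.URI_BASE};
 * attributes without a Name are skipped. A claim value that has no attached DOM is handled as
 * a non-matching value, so the method returns {@code false} rather than throwing a
 * {@link NullPointerException}.
 *
 * @param assertion the SAML 2.0 assertion to inspect
 * @return {@code true} if no examined value differs from {@code admin-user}
 * @throws WSSecurityException if the assertion carries no attribute statements
 */
private boolean handleSAML2Assertion(
    org.opensaml.saml.saml2.core.Assertion assertion
) throws WSSecurityException {
    List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements =
        assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    final String claimsPrefix = ClaimTypes.URI_BASE.toString();
    for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) {
        for (org.opensaml.saml.saml2.core.Attribute attribute : statement.getAttributes()) {
            String attributeName = attribute.getName();
            boolean isClaim = attributeName != null && attributeName.startsWith(claimsPrefix);
            if (!isClaim) {
                continue;
            }

            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element valueDom = attributeValue.getDOM();
                // A missing DOM leaves the text null, which the comparison below rejects.
                String text = valueDom == null ? null : valueDom.getTextContent();
                if (!"admin-user".equals(text)) {
                    return false;
                }
            }
        }
    }
    // NOTE(review): an assertion with attribute statements but no attribute under the claims
    // URI also ends up here and is accepted - confirm that this is intended.
    return true;
}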
 
Example 7
Source File: ClaimsManager.java    From cxf with Apache License 2.0 5 votes vote down vote up
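/**
 * Converts the attributes of a SAML 2.0 assertion into {@link ProcessedClaim}s.
 *
 * <p>Each attribute becomes one claim whose type is the attribute Name parsed as a URI and
 * whose values are the text content of the attribute values. An attribute whose Name is
 * missing or is not a valid URI is logged and skipped instead of aborting the whole parse with
 * an unchecked exception; a value with no attached DOM is skipped.
 *
 * @param assertion the SAML 2.0 assertion to read
 * @return the parsed claims, or an empty list if the assertion has no attribute statements
 */
protected List<ProcessedClaim> parseClaimsInAssertion(org.opensaml.saml.saml2.core.Assertion assertion) {
    List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements =
        assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        if (LOG.isLoggable(Level.FINEST)) {
            LOG.finest("No attribute statements found");
        }
        return Collections.emptyList();
    }

    List<ProcessedClaim> collection = new ArrayList<>();

    for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) {
        if (LOG.isLoggable(Level.FINEST)) {
            LOG.finest("parsing statement: " + statement.getElementQName());
        }
        List<org.opensaml.saml.saml2.core.Attribute> attributes = statement.getAttributes();
        for (org.opensaml.saml.saml2.core.Attribute attribute : attributes) {
            String attributeName = attribute.getName();
            if (LOG.isLoggable(Level.FINEST)) {
                LOG.finest("parsing attribute: " + attributeName);
            }
            if (attributeName == null) {
                LOG.warning("Attribute without a name in attributestatement");
                continue;
            }

            // The name comes from the token, so a malformed value must not escape as an
            // IllegalArgumentException. The logged message echoes that token-supplied name.
            URI claimType;
            try {
                claimType = URI.create(attributeName);
            } catch (IllegalArgumentException e) {
                LOG.warning("Invalid attribute name in attributestatement: " + e.getMessage());
                continue;
            }

            ProcessedClaim c = new ProcessedClaim();
            c.setClaimType(claimType);
            // NOTE(review): the claim issuer is read from the Issuer's NameQualifier, not its
            // value, and getIssuer() is dereferenced unchecked - confirm both against callers.
            c.setIssuer(assertion.getIssuer().getNameQualifier());
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element attributeValueElement = attributeValue.getDOM();
                if (attributeValueElement == null) {
                    // No DOM is attached to this value, so there is no text to read.
                    LOG.fine("Skipping attribute value without a DOM element");
                    continue;
                }
                String value = attributeValueElement.getTextContent();
                if (LOG.isLoggable(Level.FINEST)) {
                    LOG.finest(" [" + value + "]");
                }
                c.addValue(value);
            }
            collection.add(c);
        }
    }
    return collection;

}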
 
Example 8
Source File: ClaimsManager.java    From cxf with Apache License 2.0 4 votes vote down vote up
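/**
 * Converts the attributes of a SAML 1.x assertion into {@link ProcessedClaim}s.
 *
 * <p>Each attribute becomes one claim whose type is the AttributeName parsed as a URI and whose
 * values are the text content of the attribute values. An attribute whose name is not a valid
 * URI is logged and skipped; a value with no attached DOM is skipped.
 *
 * @param assertion the SAML 1.x assertion to read
 * @return the parsed claims, or an empty list if the assertion has no attribute statements
 */
protected List<ProcessedClaim> parseClaimsInAssertion(org.opensaml.saml.saml1.core.Assertion assertion) {
    List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements =
        assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        if (LOG.isLoggable(Level.FINEST)) {
            LOG.finest("No attribute statements found");
        }
        return Collections.emptyList();
    }
    ProcessedClaimCollection collection = new ProcessedClaimCollection();

    for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
        if (LOG.isLoggable(Level.FINEST)) {
            LOG.finest("parsing statement: " + statement.getElementQName());
        }

        List<org.opensaml.saml.saml1.core.Attribute> attributes = statement.getAttributes();
        for (org.opensaml.saml.saml1.core.Attribute attribute : attributes) {
            if (LOG.isLoggable(Level.FINEST)) {
                LOG.finest("parsing attribute: " + attribute.getAttributeName());
            }
            ProcessedClaim c = new ProcessedClaim();
            c.setIssuer(assertion.getIssuer());
            // The claim type is set only inside the try block. An extra URI.create() call ahead
            // of it threw IllegalArgumentException on a malformed name before this handler
            // could run, so the skip-and-warn path was never reached.
            try {
                c.setClaimType(new URI(attribute.getAttributeName()));
            } catch (URISyntaxException e) {
                // The message echoes the attribute name supplied in the token.
                LOG.warning("Invalid attribute name in attributestatement: " + e.getMessage());
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element attributeValueElement = attributeValue.getDOM();
                if (attributeValueElement == null) {
                    // No DOM is attached to this value, so there is no text to read.
                    LOG.fine("Skipping attribute value without a DOM element");
                    continue;
                }
                String value = attributeValueElement.getTextContent();
                if (LOG.isLoggable(Level.FINEST)) {
                    LOG.finest(" [" + value + "]");
                }
                c.addValue(value);
            }
            collection.add(c);
        }
    }
    return collection;
}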
 
Example 9
Source File: SAMLProviderActAsTest.java    From cxf with Apache License 2.0 4 votes vote down vote up
/**
 * Issues a default SAML 1.1 bearer assertion for an ActAs UsernameToken and checks that the
 * token names the technical user as subject and carries an "ActAs" attribute containing "bob".
 */
@org.junit.Test
public void testDefaultSaml1ActAsUsernameToken() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();

    // Build the UsernameToken that is presented as the ActAs token.
    AttributedString username = new AttributedString();
    username.setValue("bob");
    UsernameTokenType usernameToken = new UsernameTokenType();
    usernameToken.setUsername(username);
    JAXBElement<UsernameTokenType> usernameTokenType =
        new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken);

    TokenProviderParameters providerParameters =
        createProviderParameters(
            WSS4JConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType
        );
    // The principal has to be set on ReceivedToken/ActAs.
    providerParameters.getTokenRequirements().getActAs().setPrincipal(
            new CustomTokenPrincipal(username.getValue()));

    assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML_TOKEN_TYPE));
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

    // Inspect the issued token.
    Element token = (Element)providerResponse.getToken();
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
    Assert.assertEquals("technical-user", assertion.getSubjectName());

    // Look for an ActAs attribute value that mentions the delegating user.
    boolean foundActAsAttribute = false;
    for (org.opensaml.saml.saml1.core.AttributeStatement attributeStatement
        : assertion.getSaml1().getAttributeStatements()) {
        for (org.opensaml.saml.saml1.core.Attribute attribute : attributeStatement.getAttributes()) {
            if (!"ActAs".equals(attribute.getAttributeName())) {
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element valueDom = attributeValue.getDOM();
                if (valueDom.getTextContent().contains("bob")) {
                    foundActAsAttribute = true;
                    break;
                }
            }
        }
    }

    assertTrue(foundActAsAttribute);
}
 
Example 10
Source File: SAMLProviderActAsTest.java    From cxf with Apache License 2.0 4 votes vote down vote up
/**
 * Issues a default SAML 2.0 bearer assertion for an ActAs SAML assertion and checks that the
 * token names the technical user as subject and carries an "ActAs" attribute containing "bob".
 */
@org.junit.Test
public void testDefaultSaml2ActAsAssertion() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();

    String actAsUser = "bob";
    // The assertion presented as the ActAs token.
    Element actAsAssertion = getSAMLAssertion();

    TokenProviderParameters providerParameters =
        createProviderParameters(
            WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, actAsAssertion
        );
    // The principal has to be set on ReceivedToken/ActAs.
    providerParameters.getTokenRequirements().getActAs().setPrincipal(
            new CustomTokenPrincipal(actAsUser));

    assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

    // Inspect the issued token.
    Element token = (Element)providerResponse.getToken();
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
    Assert.assertEquals("technical-user", assertion.getSubjectName());

    // Look for an ActAs attribute value that mentions the delegating user.
    boolean foundActAsAttribute = false;
    for (org.opensaml.saml.saml2.core.AttributeStatement attributeStatement
        : assertion.getSaml2().getAttributeStatements()) {
        for (org.opensaml.saml.saml2.core.Attribute attribute : attributeStatement.getAttributes()) {
            if (!"ActAs".equals(attribute.getName())) {
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element valueDom = attributeValue.getDOM();
                if (valueDom.getTextContent().contains("bob")) {
                    foundActAsAttribute = true;
                    break;
                }
            }
        }
    }

    assertTrue(foundActAsAttribute);
}
 
Example 11
Source File: SAMLProviderActAsTest.java    From cxf with Apache License 2.0 4 votes vote down vote up
/**
 * Issues a SAML 2.0 bearer assertion for an ActAs UsernameToken with requested claims, then
 * checks the subject, the "ActAs" attribute containing "bob", and the presence of the token id
 * and the e-mail, first-name and last-name claim types in the serialized token.
 */
@org.junit.Test
public void testSAML2ActAsUsernameTokenClaims() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();

    // Build the UsernameToken that is presented as the ActAs token.
    AttributedString username = new AttributedString();
    username.setValue("bob");
    UsernameTokenType usernameToken = new UsernameTokenType();
    usernameToken.setUsername(username);
    JAXBElement<UsernameTokenType> usernameTokenType =
        new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken);

    TokenProviderParameters providerParameters =
        createProviderParameters(
            WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType
        );
    // The principal has to be set on ReceivedToken/ActAs.
    providerParameters.getTokenRequirements().getActAs().setPrincipal(
            new CustomTokenPrincipal(username.getValue()));

    // Register the claims handler and request the primary claims.
    ClaimsHandler claimsHandler = new CustomClaimsHandler();
    ClaimsManager claimsManager = new ClaimsManager();
    claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
    providerParameters.setClaimsManager(claimsManager);

    ClaimCollection requestedClaims = createClaims();
    providerParameters.setRequestedPrimaryClaims(requestedClaims);

    assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

    // Inspect the issued token.
    Element token = (Element)providerResponse.getToken();
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
    Assert.assertEquals("technical-user", assertion.getSubjectName());

    // Look for an ActAs attribute value that mentions the delegating user.
    boolean foundActAsAttribute = false;
    for (org.opensaml.saml.saml2.core.AttributeStatement attributeStatement
        : assertion.getSaml2().getAttributeStatements()) {
        for (org.opensaml.saml.saml2.core.Attribute attribute : attributeStatement.getAttributes()) {
            if (!"ActAs".equals(attribute.getName())) {
                continue;
            }
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                Element valueDom = attributeValue.getDOM();
                if (valueDom.getTextContent().contains("bob")) {
                    foundActAsAttribute = true;
                    break;
                }
            }
        }
    }

    assertTrue(foundActAsAttribute);

    // The serialized token must also contain the token id and the requested claim types.
    String serializedToken = DOM2Writer.nodeToString(token);
    assertTrue(serializedToken.contains(providerResponse.getTokenId()));
    assertTrue(serializedToken.contains(ClaimTypes.EMAILADDRESS.toString()));
    assertTrue(serializedToken.contains(ClaimTypes.FIRSTNAME.toString()));
    assertTrue(serializedToken.contains(ClaimTypes.LASTNAME.toString()));
}
 
Example 12
Source File: STSAuthenticationProvider.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
/**
 * Reads the attributes of a SAML 2.0 assertion into {@link Claim}s, merging them through
 * {@code mergeClaimToMap}.
 *
 * @param assertion the SAML 2.0 assertion to read
 * @return a new list of the merged claims, or an empty list if the assertion has no attribute
 *         statements
 */
protected List<Claim> parseClaimsInAssertion(org.opensaml.saml.saml2.core.Assertion assertion) {
    List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements = assertion
        .getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        LOG.debug("No attribute statements found");
        return Collections.emptyList();
    }

    Map<String, Claim> claimsMap = new HashMap<>();

    for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) {
        LOG.debug("parsing statement: {}", statement.getElementQName());
        for (org.opensaml.saml.saml2.core.Attribute attribute : statement.getAttributes()) {
            LOG.debug("parsing attribute: {}", attribute.getName());
            Claim c = new Claim();
            // Workaround for CXF-4484: with the NameFormat
            // http://schemas.xmlsoap.org/ws/2005/05/identity/claims the attribute Name is not
            // fully qualified, but the ClaimType has to be because the Namespace attribute
            // goes away.
            // NOTE(review): URI.create() throws IllegalArgumentException on a malformed Name,
            // and the Name comes from the token - confirm callers handle that.
            URI attrName = URI.create(attribute.getName());
            boolean needsQualifying =
                ClaimTypes.URI_BASE.toString().equals(attribute.getNameFormat())
                && !attrName.isAbsolute();
            URI claimType = needsQualifying
                ? URI.create(ClaimTypes.URI_BASE + "/" + attribute.getName())
                : URI.create(attribute.getName());
            c.setClaimType(claimType);
            c.setIssuer(assertion.getIssuer().getNameQualifier());

            List<String> valueList = new ArrayList<>();
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                // NOTE(review): getDOM() is dereferenced without a null check; confirm every
                // value reaching this point has a DOM attached.
                Element valueDom = attributeValue.getDOM();
                String value = valueDom.getTextContent();
                // Claim values are written to the debug log.
                LOG.debug(" [{}]", value);
                valueList.add(value);
            }
            mergeClaimToMap(claimsMap, c, valueList);
        }
    }
    return new ArrayList<>(claimsMap.values());

}
 
Example 13
Source File: SAMLTokenValidator.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
/**
 * Reads the attributes of a SAML 1.x assertion into {@link Claim}s, merging them through
 * {@code mergeClaimToMap}.
 *
 * <p>The claim type is the AttributeName when that name is an absolute URI or when no
 * AttributeNamespace is present; otherwise it is the AttributeNamespace joined to the name with
 * a single "/".
 *
 * @param assertion the SAML 1.x assertion to read
 * @return a new list of the merged claims, or an empty list if the assertion has no attribute
 *         statements
 */
protected List<Claim> parseClaimsInAssertion(
        org.opensaml.saml.saml1.core.Assertion assertion) {
    List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements = assertion
            .getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        LOG.debug("No attribute statements found");
        return Collections.emptyList();
    }
    Map<String, Claim> claimsMap = new HashMap<>();

    for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
        LOG.debug("parsing statement: {}", statement.getElementQName());

        for (org.opensaml.saml.saml1.core.Attribute attribute : statement.getAttributes()) {
            String name = attribute.getAttributeName();
            LOG.debug("parsing attribute: {}", name);
            Claim c = new Claim();
            c.setIssuer(assertion.getIssuer());

            String namespace = attribute.getAttributeNamespace();
            if (namespace == null) {
                c.setClaimType(parseAttributeName(name));
            } else {
                URI attrName = parseAttributeName(name);
                if (attrName.isAbsolute()) {
                    // Workaround for CXF-4484
                    // An absolute name is used as the claim type whether or not it agrees with
                    // the AttributeNamespace; a disagreement is only logged as a warning.
                    c.setClaimType(attrName);
                    if (name.startsWith(namespace)) {
                        LOG.info("AttributeName fully qualified '" + name
                                 + "' but does match with AttributeNamespace '"
                                 + namespace + "'");
                    } else {
                        LOG.warn("AttributeName fully qualified '" + name
                                 + "' but does NOT match with AttributeNamespace (ignored) '"
                                 + namespace + "'");
                    }
                } else if (namespace.endsWith("/")) {
                    c.setClaimType(URI.create(namespace + attrName.toString()));
                } else {
                    c.setClaimType(URI.create(namespace + "/" + attrName.toString()));
                }
            }

            List<String> valueList = new ArrayList<>();
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                // NOTE(review): getDOM() is dereferenced without a null check; confirm every
                // value reaching this point has a DOM attached.
                Element valueDom = attributeValue.getDOM();
                String value = valueDom.getTextContent();
                // Claim values are written to the debug log.
                LOG.debug(" [{}]", value);
                valueList.add(value);
            }
            mergeClaimToMap(claimsMap, c, valueList);
        }
    }
    return new ArrayList<>(claimsMap.values());
}
 
Example 14
Source File: SAMLTokenValidator.java    From cxf-fediz with Apache License 2.0 4 votes vote down vote up
/**
 * Reads the attributes of a SAML 2.0 assertion into {@link Claim}s, merging them through
 * {@code mergeClaimToMap}.
 *
 * @param assertion the SAML 2.0 assertion to read
 * @return a new list of the merged claims, or an empty list if the assertion has no attribute
 *         statements
 */
protected List<Claim> parseClaimsInAssertion(
        org.opensaml.saml.saml2.core.Assertion assertion) {
    List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements = assertion
            .getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        LOG.debug("No attribute statements found");
        return Collections.emptyList();
    }

    Map<String, Claim> claimsMap = new HashMap<>();

    for (org.opensaml.saml.saml2.core.AttributeStatement statement : attributeStatements) {
        LOG.debug("parsing statement: {}", statement.getElementQName());
        for (org.opensaml.saml.saml2.core.Attribute attribute : statement.getAttributes()) {
            LOG.debug("parsing attribute: {}", attribute.getName());
            Claim c = new Claim();
            // Workaround for CXF-4484: with the NameFormat
            // http://schemas.xmlsoap.org/ws/2005/05/identity/claims the attribute Name is not
            // fully qualified, but the ClaimType has to be because the Namespace attribute
            // goes away.
            URI attrName = parseAttributeName(attribute.getName());
            boolean needsQualifying =
                ClaimTypes.URI_BASE.toString().equals(attribute.getNameFormat())
                && !attrName.isAbsolute();
            if (needsQualifying) {
                c.setClaimType(URI.create(ClaimTypes.URI_BASE + "/" + attrName.toString()));
            } else {
                c.setClaimType(attrName);
            }
            // NOTE(review): the claim issuer is read from the Issuer's NameQualifier, not its
            // value, and getIssuer() is dereferenced unchecked - confirm both against callers.
            c.setIssuer(assertion.getIssuer().getNameQualifier());

            List<String> valueList = new ArrayList<>();
            for (XMLObject attributeValue : attribute.getAttributeValues()) {
                // NOTE(review): getDOM() is dereferenced without a null check; confirm every
                // value reaching this point has a DOM attached.
                Element valueDom = attributeValue.getDOM();
                String value = valueDom.getTextContent();
                // Claim values are written to the debug log.
                LOG.debug(" [{}]", value);
                valueList.add(value);
            }
            mergeClaimToMap(claimsMap, c, valueList);
        }
    }
    return new ArrayList<>(claimsMap.values());

}