CXF-3225

Add support for saml tokens in sp:InitiatorToken

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.4.4, 2.5.1
    • Component/s: WS-* Components
    • Labels: None

      Description

      Currently CXF does not support SAML tokens to be used as InitiatorToken in Asymmetric bindings, whereas the certificate referred to in the SAML assertion signs the message content (e.g. SAML Holder of Key scenarios).

      chapter 6 Scenario #4 - Holder-of-Key (p28)
      http://www.oasis-open.org/committees/download.php/23071/ws-sp-usecases-examples-draft-11-03.doc

      chapter 2.3.1.5 (WSS1.0) SAML10 Holder of Key, Sign, Optional Encrypt
      http://www.oasis-open.org/committees/download.php/7702/wss-saml-interop1-draft-12.doc

      When the <sp:InitiatorToken> contains an <sp:IssuedToken> or a <sp:SamlToken> instead of <sp:WssX509V3Token10>, CXF signs the request and adds a BST by default. CXF does not ask for a SAML token, and it is impossible to construct a message signature whose SecurityTokenReference contains a reference to the SAML assertion (http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID):

      <wsse:SecurityTokenReference wsu:Id="STR1">
        <wsse:KeyIdentifier wsu:Id="..."
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
          _a75adf55-01d7-40cc-929f-dbd8372ebdfc
        </wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
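      The binding the description asks for, checked over a message: an added Python example, not CXF or WSS4J code and not the reporter's. It resolves the wsse:KeyIdentifier in the signature's SecurityTokenReference to the SAML assertion carried in the same wsse:Security header and reports whether that assertion's subject confirmation is holder-of-key, distinguishing it from the BST-plus-wsse:Reference form the description says CXF emits by default. It goes beyond the page's SAML 1.x case by also accepting the SAML 2.0 reference form (ValueType ...saml-token-profile-1.1#SAMLID, Method attribute on SubjectConfirmation). The SOAP messages are constructed here; the assertion ID is the one quoted above, the certificate, digest and signature values are placeholders, and only the token reference is checked, not the XML signature itself.

```python
"""Resolve a WS-Security signature's SecurityTokenReference to the SAML
assertion it names and report whether that assertion is holder-of-key.
Added example, not CXF code; the messages below are constructed, with placeholder
certificate/signature values. Only the token binding is checked, not the signature."""
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# KeyIdentifier ValueType -> (SAML version, assertion element, ID attribute), per WSS SAML Token Profile 1.0/1.1
SAML10_REF = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
SAML20_REF = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
SAML_REF_TYPES = {SAML10_REF: ("1.x", "saml:Assertion", "AssertionID"), SAML20_REF: ("2.0", "saml2:Assertion", "ID")}
HOK = {"1.x": "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key", "2.0": "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
ASSERTION_ID = "_a75adf55-01d7-40cc-929f-dbd8372ebdfc"  # the ID quoted in the issue


def signature_token(envelope_xml: str) -> dict:
    """Describe how the ds:Signature in wsse:Security identifies its key:
    {"kind": "bst", ...} for a direct wsse:Reference to a BinarySecurityToken (the
    default the issue describes) or {"kind": "saml", ...} for a KeyIdentifier that
    resolves to an assertion in the same header. Raises ValueError otherwise."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    str_el = security.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS) if security is not None else None
    if str_el is None:
        raise ValueError("no wsse:Security/ds:Signature with a SecurityTokenReference in KeyInfo")
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        return {"kind": "bst", "uri": ref.get("URI")}
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") not in SAML_REF_TYPES:
        raise ValueError("STR is neither a BST Reference nor a SAML KeyIdentifier")
    version, tag, id_attr = SAML_REF_TYPES[kid.get("ValueType")]
    assertion_id = (kid.text or "").strip()
    # The ID must resolve to exactly one assertion carried in this header:
    # an identifier with no (or an ambiguous) target binds nothing.
    matches = [a for a in security.findall(tag, NS) if a.get(id_attr) == assertion_id]
    if len(matches) != 1:
        raise ValueError(f"KeyIdentifier {assertion_id!r} matches {len(matches)} assertions")
    if version == "1.x":  # SAML 1.x: ConfirmationMethod element text; SAML 2.0: Method attribute
        methods = [m.text.strip() for m in matches[0].findall(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS) if m.text]
    else:
        methods = [sc.get("Method") for sc in matches[0].findall(".//saml2:SubjectConfirmation", NS)]
    return {"kind": "saml", "version": version, "assertion_id": assertion_id, "holder_of_key": HOK[version] in methods}


# --- constructed sample messages (not captured traffic) ---------------------
def _envelope(security_children: str) -> str:
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}" '
            f'xmlns:ds="{NS["ds"]}" xmlns:saml="{NS["saml"]}"><soap:Header><wsse:Security>{security_children}'
            '</wsse:Security></soap:Header><soap:Body wsu:Id="body"><ping/></soap:Body></soap:Envelope>')


def _signature(key_info: str) -> str:  # digest/signature values are placeholders
    return ('<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
            '<ds:Reference URI="#body"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            f'<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR1">'
            f'{key_info}</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')


def _saml11_assertion(assertion_id: str, method: str) -> str:
    return (f'<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="{assertion_id}" Issuer="sts.example" '
            'IssueInstant="2011-01-01T00:00:00Z"><saml:AuthenticationStatement AuthenticationInstant="2011-01-01T00:00:00Z" '
            'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject>'
            f'<saml:NameIdentifier>alice</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>{method}'
            '</saml:ConfirmationMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>cert-placeholder</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>')


SAML_KID = f'<wsse:KeyIdentifier ValueType="{SAML10_REF}">{ASSERTION_ID}</wsse:KeyIdentifier>'
# What the issue asks for: a HoK assertion plus a signature whose STR names it.
HOK_MESSAGE = _envelope(_saml11_assertion(ASSERTION_ID, HOK["1.x"]) + _signature(SAML_KID))
# The default the issue describes: a BST plus a direct Reference to it.
BST_MESSAGE = _envelope(f'<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">cert-placeholder'
                        '</wsse:BinarySecurityToken>' + _signature(f'<wsse:Reference URI="#X509-1" ValueType="{X509V3}"/>'))
# A bearer assertion resolves, but proves no possession of the signing key.
BEARER_MESSAGE = _envelope(_saml11_assertion(ASSERTION_ID, "urn:oasis:names:tc:SAML:1.0:cm:bearer") + _signature(SAML_KID))
# The STR names an assertion ID that the header does not carry.
DANGLING_MESSAGE = _envelope(_saml11_assertion("_other-id", HOK["1.x"]) + _signature(SAML_KID))
```

      A resolved, holder-of-key result is only the first half of the check a receiver needs: the signature must then be verified against the key inside the assertion's SubjectConfirmation/ds:KeyInfo, and the assertion itself must carry a valid signature from a trusted issuer. A KeyIdentifier that points at a bearer assertion, or at no assertion in the header, gives the signer no proof of key possession and is reported as such above.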

          Activity

          Gavin made changes -
          Link This issue depends upon CXF-2657 [ CXF-2657 ]
          Gavin made changes -
          Link This issue depends on CXF-2657 [ CXF-2657 ]
          Freeman Fang made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Colm O hEigeartaigh made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Colm O hEigeartaigh added a comment -

          This is now fixed and a test has been added to the CXF system tests.

          Colm.

          Colm O hEigeartaigh made changes -
          Fix Version/s 2.4.4 [ 12318347 ]
          Fix Version/s 2.5.1 [ 12318888 ]
          Colm O hEigeartaigh made changes -
          Assignee Colm O hEigeartaigh [ coheigea ]
          Colm O hEigeartaigh made changes -
          Link This issue relates to CXF-3432 [ CXF-3432 ]
          Mark Thomas made changes -
          Workflow jira [ 12541258 ] Default workflow, editable Closed status [ 12605921 ]
          Colm O hEigeartaigh made changes -
          Link This issue depends on CXF-2657 [ CXF-2657 ]
          Colm O hEigeartaigh made changes -
          Link This issue duplicates CXF-2657 [ CXF-2657 ]
          Colm O hEigeartaigh made changes -
          Link This issue duplicates CXF-2657 [ CXF-2657 ]
          Glen Mazza added a comment -

          We've had some very recent improvements in that area [1]; the upcoming 2.3.2 (you can work with the SNAPSHOT version if you wish to take a look at it) can generate SecurityTokenReferences of the format you've given. We would definitely welcome more testing here, as this code is very new. However, I'm not sure where we are right now with the rest of your needs, i.e., whether the changes in 2.3.2 fully fix your concerns above.

          [1] http://coheigea.blogspot.com/2010/12/cxfmetro-ws-trust-interop.html

          Willem Salembier created issue -

            People

            • Assignee: Colm O hEigeartaigh
            • Reporter: Willem Salembier
            • Votes: 0
            • Watchers: 0
