CXF-3225: Add support for SAML tokens in sp:InitiatorToken

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.4.4, 2.5.1
    • Component/s: WS-* Components
    • Labels: None

      Description

      Currently CXF does not support using SAML tokens as the InitiatorToken in Asymmetric bindings, where the certificate referred to in the SAML assertion signs the message content (e.g. SAML Holder-of-Key scenarios).

      Chapter 6, Scenario #4 - Holder-of-Key (p. 28)
      http://www.oasis-open.org/committees/download.php/23071/ws-sp-usecases-examples-draft-11-03.doc

      Chapter 2.3.1.5 (WSS1.0) SAML10 Holder of Key, Sign, Optional Encrypt
      http://www.oasis-open.org/committees/download.php/7702/wss-saml-interop1-draft-12.doc

      When the <sp:InitiatorToken> contains an <sp:IssuedToken> or an <sp:SamlToken> instead of <sp:WssX509V3Token10>, CXF signs the request and adds a BST by default. CXF does not ask for a SAML token, and it is impossible to construct a message signature whose SecurityTokenReference contains a reference to the SAML assertion (http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID):

      <wsse:SecurityTokenReference wsu:Id="STR1">
        <wsse:KeyIdentifier wsu:Id="..."
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
          _a75adf55-01d7-40cc-929f-dbd8372ebdfc
        </wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
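The difference the issue describes is visible in the signature's KeyInfo: the default CXF layout points the SecurityTokenReference at a BinarySecurityToken via a direct wsse:Reference, while the requested Holder-of-Key layout points it at the SAML assertion via a wsse:KeyIdentifier with the SAMLAssertionID ValueType. The following Python script is an added example (not CXF code, and not part of the issue) that parses a wsse:Security header and reports which of the two layouts it carries, whether the referenced token is actually present in the header, and, for the SAML case, whether the assertion carries a holder-of-key ConfirmationMethod (a sender-vouches assertion must not be treated as the signing token). Both sample headers are constructed inline; the assertion ID, BST value and the hypothetical classify_signature_token function are the example's own.

```python
import xml.etree.ElementTree as ET

# Standard WSS 1.0, XML-DSig and SAML 1.1 namespace URIs.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
SAML_ID_VALUETYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"


def classify_signature_token(security_xml: str) -> dict:
    """Inspect ds:Signature/ds:KeyInfo and report which token it references.

    'kind' is one of 'saml-holder-of-key', 'x509-bst', 'other', 'none';
    'resolved' tells whether the referenced token exists in the header;
    for SAML, 'holder_of_key' tells whether the assertion's confirmation
    method is holder-of-key (hypothetical helper written for this example).
    """
    root = ET.fromstring(security_xml)
    str_el = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return {"kind": "none", "resolved": False}

    # Requested layout: KeyIdentifier carrying the SAML assertion ID.
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None and kid.get("ValueType") == SAML_ID_VALUETYPE:
        assertion_id = (kid.text or "").strip()
        assertion = next(
            (a for a in root.iter(f"{{{NS['saml']}}}Assertion")
             if a.get("AssertionID") == assertion_id),
            None,
        )
        hok = assertion is not None and any(
            (cm.text or "").strip() == HOLDER_OF_KEY
            for cm in assertion.iter(f"{{{NS['saml']}}}ConfirmationMethod")
        )
        return {"kind": "saml-holder-of-key", "id": assertion_id,
                "resolved": assertion is not None, "holder_of_key": hok}

    # Default CXF layout: direct Reference to a BinarySecurityToken by wsu:Id.
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        target = uri[1:] if uri.startswith("#") else uri
        found = any(
            b.get(f"{{{NS['wsu']}}}Id") == target
            for b in root.iter(f"{{{NS['wsse']}}}BinarySecurityToken")
        )
        return {"kind": "x509-bst", "id": target, "resolved": found}

    return {"kind": "other", "resolved": False}


# Constructed sample: the layout CXF emits by default (BST + direct Reference).
BST_HEADER = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <wsse:BinarySecurityToken wsu:Id="X509-1">MIIB-constructed-base64-placeholder</wsse:BinarySecurityToken>
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#X509-1"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security>"""

# Constructed sample: the Holder-of-Key layout the issue asks for.
SAML_HOK_HEADER = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    xmlns:ds="{NS['ds']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion AssertionID="_constructed-assertion-1" MajorVersion="1" MinorVersion="1">
    <saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>
      <saml:ConfirmationMethod>{HOLDER_OF_KEY}</saml:ConfirmationMethod>
    </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR1">
    <wsse:KeyIdentifier ValueType="{SAML_ID_VALUETYPE}">_constructed-assertion-1</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security>"""


if __name__ == "__main__":
    print(classify_signature_token(BST_HEADER))
    print(classify_signature_token(SAML_HOK_HEADER))
```

The check is deliberately strict on both sides: a KeyIdentifier whose ID matches no assertion in the header, or an assertion without a holder-of-key ConfirmationMethod, is reported rather than silently accepted, which is the condition a receiver must enforce before trusting the SAML subject as the message signer.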

    People

    • Assignee: Colm O hEigeartaigh (coheigea)
    • Reporter: Willem Salembier (wsalembi)
