The SAMLTokenProvider supports issuing a SAML token based on the authenticated principal in the RST, which means the security token sent in the WS-Security header.
It is not supported that the client requests a SAML token OnBehalfOf another SAML token.
|Assignee||Colm O hEigeartaigh [ coheigea ]|
|Fix Version/s||2.5.1 [ 12318888 ]|
|Status||Open [ 1 ]||Resolved [ 5 ]|
|Resolution||Fixed [ 1 ]|
|Comment||[ As far as I know, to request an OnBehalfOf Token should not simply result in adding a related SAML Attribute (as it would be ok for ActAs). OnBehalfOf should deliver a Token where "only" the OnBehalfOf Principal is contained. Therefore the SAML Subject should match the requested OnBehalfOf Principal and not the Principal which was authenticated based on the security token sent in the WS-Security header... ]|
|Status||Resolved [ 5 ]||Closed [ 6 ]|