Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.6.2, 2.7.5
- All platforms
- Moderate
Description
In some cases, the <EncryptedSupportingTokens> policy assertion does not encrypt the supporting token. When the policy contains the <EncryptBeforeSigning>, <SignedParts> and <EncryptedParts> assertions along with the <EncryptedSupportingTokens> assertion for a username token, the username token is not encrypted in the outbound SOAP message.
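A check that can be run over a captured outbound message to confirm whether the username token is readable, given as an added example that is not part of the issue or the project's code. The function name, the return labels and both sample envelopes are constructed here, and the samples assume a SOAP 1.1 envelope.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"


def username_token_state(envelope_xml):
    """Classify how the username token travels in one outbound SOAP message.

    "plaintext": a wsse:UsernameToken is readable in the Security header.
    "encrypted_element_in_header": no readable token, but the header holds
        xenc:EncryptedData (which may be the token; this cannot prove it).
    "absent": neither is present.
    """
    # Input is a message captured from your own service, not untrusted XML.
    root = ET.fromstring(envelope_xml)
    security = root.find(f".//{{{WSSE}}}Security")
    if security is None:
        return "absent"
    if security.find(f".//{{{WSSE}}}UsernameToken") is not None:
        return "plaintext"
    # Only EncryptedData inside the Security header counts: an encrypted Body
    # (from <EncryptedParts>) says nothing about the supporting token.
    if security.find(f"{{{XENC}}}EncryptedData") is not None:
        return "encrypted_element_in_header"
    return "absent"


def _envelope(header_children):
    # Constructed sample: Body is always encrypted, as <EncryptedParts> would do.
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
            f'<s:Header><wsse:Security>{header_children}</wsse:Security></s:Header>'
            f'<s:Body><xenc:EncryptedData Id="ED-body"/></s:Body></s:Envelope>')


# Constructed messages (placeholder values, no real ciphertext).
LEAKY = _envelope('<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
                  '<wsse:Password>example</wsse:Password></wsse:UsernameToken>')
PROTECTED = _envelope('<xenc:EncryptedData Id="ED-token"/>')

if __name__ == "__main__":
    for name, msg in (("leaky", LEAKY), ("protected", PROTECTED)):
        print(name, username_token_state(msg))
```

The `LEAKY` sample has the shape described above: the body is encrypted while the token in the header is not, so a check that only looks for `EncryptedData` anywhere in the message would pass it.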