[CXF-6387] External SAML References for SOAP Messages - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.0.4
Fix Version/s: None
Component/s: STS
Labels:
None

Estimated Complexity:
Unknown

Description

The current implementation of CXF supports SAML token references only inside the same SOAP message. This causes a great overhead, if the actual payload is relatively small.

The WSS 1.2 specification [1] allows to define a RequireExternalReference policy assertion. AAccording to the SAMLTokenProfile [2] this external reference could look like this:

<ds:KeyInfo xmlns:ds="...">
  <wsse:SecurityTokenReference
              xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."
           wsu:id="STR1"
           wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
    <wsse:Reference
           wsu:id="…"
       URI="https://saml.example.edu/assertion-authority?ID=abcde">
         </wsse:Reference>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>

This would require that the STS caches all issued tokens and makes them available via REST API.

[1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/ws-securitypolicy-1.2-spec-cd-01.html#_IssuedToken_Assertion

[2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc295507774

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Jan Bernhardt

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 04/May/15 10:00

Updated:: 04/May/15 14:15