In the WS-Policy that is used by the service we have defined
Some people say that WS-SecurityPolicy 1.2 implies that a SAML assertion inside the WS-Security section of the SOAP message header should also be encrypted (not only signed).
A message with a SAML assertion that is NOT encrypted is currently accepted by CXF even though the policy defines <SignedEncryptedSupportingTokens/>
The question is: does a SAML assertion fall into the "SupportingTokens" category, and should it be encrypted as well?
What is your view on that? Is that a bug in Neethi?
Signed, encrypted supporting tokens are Signed supporting tokens (See section 8.2) that are also encrypted when they appear in the wsse:SecurityHeader. Element Encryption SHOULD be used for encrypting the supporting tokens.
The syntax for the sp:SignedEncryptedSupportingTokens differs from the syntax of sp:SignedSupportingTokens only in the name of the assertion itself. All nested policy is as per the sp:SignedSupportingTokens assertion.
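As an added illustration (not CXF, WSS4J or Neethi code, and not part of the original post), the script below builds the two policy fragments the quoted spec text contrasts, in which only the outer assertion name differs, decides from the policy whether the SAML token must be encrypted, and then checks a wsse:Security header for the situation described in the question: a signed-but-cleartext saml2:Assertion arriving under a SignedEncryptedSupportingTokens policy. The policy fragments and both SOAP messages are constructed samples; the check assumes the signature references the assertion directly by its ID (real stacks frequently use an STR-Dereference transform instead), and the names saml_token_must_be_encrypted and check_saml_supporting_token are the example's own.

```python
"""Added illustration: derive the SAML-token encryption requirement from a
WS-SecurityPolicy fragment and check a SOAP message against it.
Not CXF, WSS4J or Neethi code; all inputs below are constructed samples."""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NSDECL = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())


def saml_supporting_token_policy(assertion_name: str) -> str:
    """Constructed policy fragment. Per WS-SecurityPolicy 1.2 the nested policy
    of SignedSupportingTokens and SignedEncryptedSupportingTokens is identical;
    only the name of the outer assertion changes."""
    return f"""<sp:{assertion_name} {NSDECL}>
  <wsp:Policy>
    <sp:SamlToken sp:IncludeToken="{NS['sp']}/IncludeToken/AlwaysToRecipient">
      <wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy>
    </sp:SamlToken>
  </wsp:Policy>
</sp:{assertion_name}>"""


def saml_token_must_be_encrypted(policy_xml: str) -> Optional[bool]:
    """True if the SAML token is bound as a SignedEncryptedSupportingToken,
    False if as a SignedSupportingToken, None if no SAML supporting token."""
    root = ET.fromstring(policy_xml)
    for name, enc in (("SignedEncryptedSupportingTokens", True),
                      ("SignedSupportingTokens", False)):
        for st in root.iter(f"{{{NS['sp']}}}{name}"):
            if st.find("wsp:Policy/sp:SamlToken", NS) is not None:
                return enc
    return None


def check_saml_supporting_token(envelope_xml: str, must_be_encrypted: bool) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.
    Assumption: ds:Reference points at the assertion by its ID attribute."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems: List[str] = []
    signed = {r.get("URI", "").lstrip("#")
              for r in sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    clear_assertions = sec.findall("saml2:Assertion", NS)  # direct children only
    encrypted_elems = sec.findall("xenc:EncryptedData", NS)
    if not clear_assertions and not encrypted_elems:
        problems.append("no SAML supporting token in wsse:Security")
    for a in clear_assertions:
        aid = a.get("ID", "?")
        if aid not in signed:
            problems.append(f"assertion {aid} is not covered by ds:Signature")
        if must_be_encrypted:
            # This is the case from the question: signed, but sent in the clear.
            problems.append(f"assertion {aid} is cleartext but policy is SignedEncryptedSupportingTokens")
    if must_be_encrypted:
        data_refs = {r.get("URI", "").lstrip("#")
                     for r in sec.iterfind(".//xenc:ReferenceList/xenc:DataReference", NS)}
        for e in encrypted_elems:
            if e.get("Id") not in data_refs:
                problems.append(f"EncryptedData {e.get('Id')} not listed in any xenc:ReferenceList")
    return problems


def _envelope(security_children: str) -> str:
    """Constructed envelope: signature covers the assertion (#_a1) and the body."""
    return f"""<soap:Envelope {NSDECL}>
  <soap:Header><wsse:Security>{security_children}
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#_a1"/><ds:Reference URI="#body"/>
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="body"><echo/></soap:Body>
</soap:Envelope>"""


# Constructed message 1: assertion signed but transmitted in cleartext.
CLEARTEXT_SAML_MSG = _envelope("""
    <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
      <saml2:Issuer>https://idp.example</saml2:Issuer>
    </saml2:Assertion>""")

# Constructed message 2: same assertion, signed first and then element-encrypted.
ENCRYPTED_SAML_MSG = _envelope("""
    <xenc:EncryptedKey Id="EK-1">
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
    </xenc:EncryptedKey>
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>""")

if __name__ == "__main__":
    for name in ("SignedSupportingTokens", "SignedEncryptedSupportingTokens"):
        enc = saml_token_must_be_encrypted(saml_supporting_token_policy(name))
        for label, msg in (("cleartext", CLEARTEXT_SAML_MSG), ("encrypted", ENCRYPTED_SAML_MSG)):
            print(name, label, check_saml_supporting_token(msg, enc) or "OK")
```

Run as-is, the script reports the cleartext message as acceptable under SignedSupportingTokens and as a violation under SignedEncryptedSupportingTokens, while the element-encrypted message passes both; encrypting more than the policy demands is not a violation, sending the token in the clear when the policy names SignedEncryptedSupportingTokens is.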