Request to add a configuration option that allows STSClient to use the 
requester's X509Certificate as the SubjectConfirmation KeyInfo data within 
RequestSecurityToken messages

                 Key: CXF-2928
             Project: CXF
          Issue Type: Improvement
    Affects Versions: 2.3, 2.2.10
            Reporter: Rich Newcomb
             Fix For: 2.3, 2.2.10

Request to expand the CXF STSClient to support a configuration option that 
enables an X509Certificate to be used as the saml:SubjectConfirmation KeyInfo 
element when making a WS-Trust RequestSecurityToken request. 

Rationale is as follows:

1. The SAML 1.1 specification is flexible with regard to the type of 
XMLSignature KeyInfo (ds:KeyInfo) that may be provided in a 
saml:SubjectConfirmation element to support the holder-of-key confirmation 

2. Some relying parties require an X509 Certificate to be provided in the 
assertion confirmation data in order to perform validation. For example, any 
relying party that uses WSS4J version 1.5.8 or earlier for SAML assertion 
validation (with holder-of-key conf) requires the X509 Certificate to exist in 
the subject confirmation data. 

3. Accordingly, some STS implementations allow the RequestSecurityToken ds:KeyInfo 
element to optionally contain either a ds:X509Certificate or the corresponding 
ds:KeyValue for the public key within the RequestSecurityToken message.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
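The two holder-of-key KeyInfo forms named in the rationale (a ds:X509Data/ds:X509Certificate versus a ds:KeyValue/ds:RSAKeyValue inside saml:SubjectConfirmation), and the compatibility problem with a relying party that insists on the certificate form, as an added example written for this page. It is not CXF, STSClient or WSS4J code and uses only the Python standard library; the certificate DER bytes and the RSA modulus/exponent are constructed placeholders, not a real key, and `legacy_rp_accepts` merely models the behaviour the reporter attributes to WSS4J 1.5.8 and earlier.

```python
import base64
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertion namespace
NS_DS = "http://www.w3.org/2000/09/xmldsig#"         # XML Signature namespace
HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
ET.register_namespace("saml", NS_SAML)
ET.register_namespace("ds", NS_DS)

# Constructed placeholders (not a real certificate or key pair).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00placeholder-der-certificate-bytes"
SAMPLE_MODULUS = 0xC0FFEE1234567890ABCDEF1122334455667788990A0B0C0D0E0F
SAMPLE_EXPONENT = 65537


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _int_to_b64(n: int) -> str:
    # ds:CryptoBinary: unsigned big-endian octets, base64-encoded
    return _b64(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def build_subject_confirmation(use_x509: bool, cert_der: bytes,
                               modulus: int, exponent: int) -> ET.Element:
    """Requester side: the SubjectConfirmation block to place in the RST
    (or for an STS to copy into the issued assertion)."""
    sc = ET.Element(f"{{{NS_SAML}}}SubjectConfirmation")
    ET.SubElement(sc, f"{{{NS_SAML}}}ConfirmationMethod").text = HOK
    ki = ET.SubElement(sc, f"{{{NS_DS}}}KeyInfo")
    if use_x509:
        # Option (a): full certificate, what an X509-requiring relying party needs
        x509data = ET.SubElement(ki, f"{{{NS_DS}}}X509Data")
        ET.SubElement(x509data, f"{{{NS_DS}}}X509Certificate").text = _b64(cert_der)
    else:
        # Option (b): bare public key, equally valid under SAML 1.1
        rsa = ET.SubElement(ET.SubElement(ki, f"{{{NS_DS}}}KeyValue"),
                            f"{{{NS_DS}}}RSAKeyValue")
        ET.SubElement(rsa, f"{{{NS_DS}}}Modulus").text = _int_to_b64(modulus)
        ET.SubElement(rsa, f"{{{NS_DS}}}Exponent").text = _int_to_b64(exponent)
    return sc


def serialize(sc: ET.Element) -> bytes:
    return ET.tostring(sc)


def parse_subject_confirmation(xml_bytes: bytes) -> ET.Element:
    return ET.fromstring(xml_bytes)


def extract_holder_key(sc: ET.Element):
    """Relying-party side: ('x509', der_bytes), ('rsa', (n, e)) or None."""
    ki = sc.find(f"{{{NS_DS}}}KeyInfo")
    if ki is None:
        return None
    cert = ki.find(f"{{{NS_DS}}}X509Data/{{{NS_DS}}}X509Certificate")
    if cert is not None and cert.text:
        return ("x509", base64.b64decode(cert.text))
    rsa = ki.find(f"{{{NS_DS}}}KeyValue/{{{NS_DS}}}RSAKeyValue")
    if rsa is not None:
        mod = rsa.findtext(f"{{{NS_DS}}}Modulus")
        exp = rsa.findtext(f"{{{NS_DS}}}Exponent")
        if mod and exp:
            return ("rsa", (int.from_bytes(base64.b64decode(mod), "big"),
                            int.from_bytes(base64.b64decode(exp), "big")))
    return None


def legacy_rp_accepts(sc: ET.Element) -> bool:
    """Model of a relying party that only validates holder-of-key when the
    confirmation data carries an X509Certificate (as described for WSS4J <= 1.5.8)."""
    key = extract_holder_key(sc)
    return key is not None and key[0] == "x509"


def hok_matches(sc: ET.Element, signer_cert_der: bytes,
                signer_modulus: int, signer_exponent: int) -> bool:
    """Holder-of-key check: the key bound to the subject in the assertion must be
    the key that signed the SOAP message. Compare in whichever form was sent."""
    key = extract_holder_key(sc)
    if key is None:
        return False
    if key[0] == "x509":
        return key[1] == signer_cert_der
    return key[1] == (signer_modulus, signer_exponent)


if __name__ == "__main__":
    for use_x509 in (True, False):
        sc = parse_subject_confirmation(serialize(
            build_subject_confirmation(use_x509, SAMPLE_CERT_DER, SAMPLE_MODULUS, SAMPLE_EXPONENT)))
        print(extract_holder_key(sc)[0], "legacy RP accepts:", legacy_rp_accepts(sc),
              "HoK matches:", hok_matches(sc, SAMPLE_CERT_DER, SAMPLE_MODULUS, SAMPLE_EXPONENT))
```

Run stand-alone, the script shows that both forms pass the holder-of-key comparison against the message signer, but only the X509Certificate form is accepted by the modelled legacy relying party, which is the interoperability gap the requested STSClient option closes.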
