[ https://issues.apache.org/jira/browse/CXF-2928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rich Newcomb updated CXF-2928:
------------------------------

    Attachment: cxf-2928-trunk.patch

Attached patch

> Add a configuration option that allows STSClient to use the requester's X509Certificate as the SubjectConfirmation KeyInfo data within RequestSecurityToken messages
> ------------------------------------------------------------
>
>                 Key: CXF-2928
>                 URL: https://issues.apache.org/jira/browse/CXF-2928
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 2.3, 2.2.10
>            Reporter: Rich Newcomb
>             Fix For: 2.3, 2.2.10
>
>         Attachments: cxf-2928-trunk.patch
>
>
> Request to expand the CXF STSClient to support a configuration option that
> enables an X509Certificate to be used as the saml:SubjectConfirmation KeyInfo
> element when making a WS-Trust RequestSecurityToken request.
> Rationale is as follows:
> 1. The SAML 1.1 specification is flexible with regard to the type of
> XMLSignature KeyInfo (ds:KeyInfo) that may be provided in a
> saml:SubjectConfirmation element to support the holder-of-key confirmation
> method.
> 2. Some relying parties require an X509 Certificate to be provided in the
> assertion confirmation data in order to perform validation. For example, any
> relying party that uses WSS4J version 1.5.8 or earlier for SAML assertion
> validation (with holder-of-key conf) requires the X509 Certificate to exist
> in the subject confirmation data.
> 3. Accordingly, some STS implementations allow the RequestSecurityToken
> ds:KeyInfo element to optionally contain either a ds:X509Certificate or the
> corresponding ds:KeyValue for the public key within the RequestSecurityToken
> message.
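Added example, not part of the JIRA issue or the attached patch: a pre-flight check for the situation in rationale item 2, reporting which ds:KeyInfo form each holder-of-key saml:SubjectConfirmation in a SAML 1.1 assertion carries. The assertions are constructed, unsigned skeletons with placeholder key material, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.1 assertion namespace
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
NS = {"saml": SAML, "ds": DS}

def assertion(key_info_body):
    """Constructed SAML 1.1 assertion skeleton (unsigned, placeholder values)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}">'
        "<saml:AuthenticationStatement><saml:Subject>"
        "<saml:NameIdentifier>alice</saml:NameIdentifier>"
        "<saml:SubjectConfirmation>"
        f"<saml:ConfirmationMethod>{HOK}</saml:ConfirmationMethod>"
        f"<ds:KeyInfo>{key_info_body}</ds:KeyInfo>"
        "</saml:SubjectConfirmation>"
        "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>"
    )

# Constructed samples: the two KeyInfo forms the issue contrasts.
WITH_CERT = assertion(
    "<ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data>")
WITH_KEYVALUE = assertion(
    "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>"
    "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>")

def key_info_form(key_info):
    """Classify a ds:KeyInfo element by the key representation it carries."""
    if key_info is None:
        return "missing"
    if key_info.find("ds:X509Data/ds:X509Certificate", NS) is not None:
        return "X509Certificate"
    if key_info.find("ds:KeyValue", NS) is not None:
        return "KeyValue"
    return "other"

def holder_of_key_forms(assertion_xml):
    """KeyInfo form of every holder-of-key SubjectConfirmation in the assertion."""
    # Constructed input only; use a hardened XML parser for untrusted documents.
    root = ET.fromstring(assertion_xml)
    forms = []
    for sc in root.iter(f"{{{SAML}}}SubjectConfirmation"):
        methods = [m.text.strip() for m in sc.findall("saml:ConfirmationMethod", NS) if m.text]
        if HOK in methods:
            forms.append(key_info_form(sc.find("ds:KeyInfo", NS)))
    return forms

def usable_by_cert_only_relying_party(assertion_xml):
    """True only if every holder-of-key confirmation embeds an X509Certificate."""
    forms = holder_of_key_forms(assertion_xml)
    return bool(forms) and all(f == "X509Certificate" for f in forms)
```

An assertion issued from a ds:KeyValue request fails this check, which is the case the requested STSClient option is meant to avoid for relying parties that need the certificate in the confirmation data.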