[ https://issues.apache.org/jira/browse/CXF-6387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14526486#comment-14526486 ]
Jan Bernhardt commented on CXF-6387:
------------------------------------
This extension could also make it possible to support
{{IncludeToken=".../IncludeToken/Once"}} policy assertion.
> External SAML References for SOAP Messages
> ------------------------------------------
>
> Key: CXF-6387
> URL: https://issues.apache.org/jira/browse/CXF-6387
> Project: CXF
> Issue Type: Improvement
> Components: STS
> Affects Versions: 3.0.4
> Reporter: Jan Bernhardt
>
> The current implementation of CXF supports SAML token references only inside
> the same SOAP message. This causes great overhead if the actual payload is
> relatively small.
> The WSS 1.2 specification [1] allows defining a {{RequireExternalReference}}
> policy assertion. According to the SAMLTokenProfile [2] this external
> reference could look like this:
> {code}
> <ds:KeyInfo xmlns:ds="...">
>   <wsse:SecurityTokenReference
>       xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."
>       wsu:id="STR1"
>       wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
>     <wsse:Reference
>         wsu:id="…"
>         URI="https://saml.example.edu/assertion-authority?ID=abcde">
>     </wsse:Reference>
>   </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> {code}
> This would require that the STS caches all issued tokens and makes them
> available via REST API.
> [1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/ws-securitypolicy-1.2-spec-cd-01.html#_IssuedToken_Assertion
> [2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc295507774
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
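As an added illustration of the external SecurityTokenReference described in the issue (example code, not part of the JIRA thread or of CXF), the following parses a KeyInfo of that shape, checks the SAML 2.0 TokenType, and only accepts a Reference URI that is an absolute https URL to an assertion authority on a deployment allowlist; the WSS namespace URIs, the `trusted_authorities` allowlist, `wsu:Id` values and the sample document are assumptions filled in for the `...` placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# WSS namespace URIs (assumed; the issue's snippet elides them as "...").
NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

# Constructed sample: the KeyInfo from the issue with the placeholders filled in.
SAMPLE_KEYINFO = f"""<ds:KeyInfo xmlns:ds="{NS['ds']}">
  <wsse:SecurityTokenReference xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
      xmlns:wsse11="{NS['wsse11']}" wsu:Id="STR1" wsse11:TokenType="{SAML2_TOKEN_TYPE}">
    <wsse:Reference wsu:Id="REF1" URI="https://saml.example.edu/assertion-authority?ID=abcde"/>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>"""

def resolve_external_reference(keyinfo_xml, trusted_authorities):
    """Return (token_type, uri) for an external SAML STR, or raise ValueError.
    trusted_authorities: assumed allowlist of 'https://host[:port]' origins."""
    root = ET.fromstring(keyinfo_xml)
    str_el = root.find("wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise ValueError("no SecurityTokenReference in KeyInfo")
    token_type = str_el.get(f"{{{NS['wsse11']}}}TokenType")
    if token_type != SAML2_TOKEN_TYPE:
        raise ValueError(f"unexpected TokenType: {token_type}")
    ref = str_el.find("wsse:Reference", NS)
    uri = ref.get("URI") if ref is not None else None
    if not uri:
        raise ValueError("STR has no Reference URI")
    parsed = urlparse(uri)
    # '#id' is an in-message reference, not an external one; only absolute https
    # URLs to a known assertion authority may be dereferenced by the relying party.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-https or relative reference: {uri}")
    if f"https://{parsed.netloc}" not in trusted_authorities:
        raise ValueError(f"assertion authority not trusted: {parsed.netloc}")
    return token_type, uri

def accepts(keyinfo_xml, trusted_authorities):
    """True if the STR passes the checks above, False otherwise."""
    try:
        resolve_external_reference(keyinfo_xml, trusted_authorities)
        return True
    except (ValueError, ET.ParseError):
        return False
```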