Posted to issues@cxf.apache.org by "Jan Bernhardt (JIRA)" <ji...@apache.org> on 2015/05/04 16:16:06 UTC

[jira] [Updated] (CXF-6387) External SAML References for SOAP Messages

     [ https://issues.apache.org/jira/browse/CXF-6387?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Bernhardt updated CXF-6387:
-------------------------------
    Description: 
The current implementation of CXF supports SAML token references only inside the same SOAP message. This causes a great overhead if the actual payload is relatively small.

The WSS 1.2 specification [1] allows defining a {{RequireExternalReference}} policy assertion. According to the SAMLTokenProfile [2] this external reference could look like this:

{code}
<ds:KeyInfo xmlns:ds="...">
  <wsse:SecurityTokenReference
              xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."
           wsu:id="STR1"
           wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
    <wsse:Reference
           wsu:id="…"
       URI="https://saml.example.edu/assertion-authority?ID=abcde">
         </wsse:Reference>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
{code}

This would require that the STS caches all issued tokens and makes them available via REST API.

[1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/ws-securitypolicy-1.2-spec-cd-01.html#_IssuedToken_Assertion

[2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc295507774

  was:
The current implementation of CXF supports SAML token references only inside the same SOAP message. This causes a great overhead if the actual payload is relatively small.

The WSS 1.2 specification [1] allows defining a {{RequireExternalReference}} policy assertion. According to the SAMLTokenProfile [2] this external reference could look like this:

{code}
<ds:KeyInfo xmlns:ds="...">
  <wsse:SecurityTokenReference
              xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."
           wsu:id=”STR1”
           wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0”>
    <wsse:Reference
           wsu:id=”…”
       URI=”https://saml.example.edu/assertion-authority?ID=abcde”>
         </wsse:Reference>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
{code}

This would require that the STS caches all issued tokens and makes them available via REST API.

[1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/ws-securitypolicy-1.2-spec-cd-01.html#_IssuedToken_Assertion

[2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc295507774


> External SAML References for SOAP Messages
> ------------------------------------------
>
>                 Key: CXF-6387
>                 URL: https://issues.apache.org/jira/browse/CXF-6387
>             Project: CXF
>          Issue Type: Improvement
>          Components: STS
>    Affects Versions: 3.0.4
>            Reporter: Jan Bernhardt
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
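As an added example (not part of the issue text and not CXF code), this is how a receiving service might treat the external reference in the STR above before trusting it: it dereferences only https URIs that point at a configured STS, and it checks that what comes back is the SAML 2.0 assertion with the requested ID. The namespace URIs, the function names and the in-memory STS store are constructed for the demo; the store stands in for the REST API the issue asks the STS to provide.

```python
# Added example (not CXF code). Namespace URIs are the real WSS/SAML ones; the STS store is constructed.
from collections import namedtuple
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET  # prefer defusedxml when the input is untrusted

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ExternalRef = namedtuple("ExternalRef", "token_type uri assertion_id")  # hypothetical helper type

def parse_external_ref(key_info_xml: str) -> ExternalRef:
    """Extract wsse11:TokenType and wsse:Reference/@URI from a ds:KeyInfo element."""
    str_el = ET.fromstring(key_info_xml).find("wsse:SecurityTokenReference", NS)
    ref_el = str_el.find("wsse:Reference", NS)
    uri = ref_el.get("URI")
    ids = parse_qs(urlsplit(uri).query).get("ID", [])
    if len(ids) != 1:
        raise ValueError("external reference must carry exactly one ID parameter")
    return ExternalRef(str_el.get("{%s}TokenType" % NS["wsse11"]), uri, ids[0])

def resolve(ref: ExternalRef, trusted_sts: set, fetch: Callable[[str], Optional[str]]) -> str:
    """Dereference the URI only over https to a configured STS, then check what came back."""
    parts = urlsplit(ref.uri)
    if parts.scheme != "https" or parts.netloc not in trusted_sts:
        raise PermissionError("refusing to dereference untrusted authority: " + parts.netloc)
    if ref.token_type != SAML2_TOKEN_TYPE:
        raise ValueError("unsupported TokenType: " + str(ref.token_type))
    assertion_xml = fetch(ref.uri)
    if assertion_xml is None:
        raise LookupError("STS has no cached assertion with ID " + ref.assertion_id)
    assertion = ET.fromstring(assertion_xml)
    if assertion.tag != "{%s}Assertion" % NS["saml2"] or assertion.get("ID") != ref.assertion_id:
        raise ValueError("fetched document is not the requested SAML 2.0 assertion")
    return assertion_xml  # the caller still verifies the assertion signature against the STS key

# Constructed sample: the STR from the issue with concrete namespace URIs, plus a stand-in STS store.
STR_XML = f"""<ds:KeyInfo xmlns:ds="{NS['ds']}"><wsse:SecurityTokenReference xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:wsse11="{NS['wsse11']}" wsu:Id="STR1" wsse11:TokenType="{SAML2_TOKEN_TYPE}">
 <wsse:Reference URI="https://saml.example.edu/assertion-authority?ID=abcde"/>
 </wsse:SecurityTokenReference></ds:KeyInfo>"""
STS_STORE = {"https://saml.example.edu/assertion-authority?ID=abcde":
             f'<saml2:Assertion xmlns:saml2="{NS["saml2"]}" ID="abcde" Version="2.0"/>'}
```

Pass `STS_STORE.get` as the `fetch` callable to run it offline; in a deployment that callable would be the HTTPS client talking to the STS cache endpoint.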