Consult the WSS4J documentation (i.e., source code) for handling SAML
Assertions. There is limited support for SAML 1.0 Assertions in the
runtime, but note that there is no support for the processing
requirements dictated by the SAML SOAP profile (e.g., for processing
the SubjectConfirmation element of a SAML Assertion). You're also
pretty much limited to using types as provided by OpenSAML, which
provides a collection of hand-coded types based off the SAML schema
-- nothing sophisticated there, and something our code generators
could write in a few milliseconds.

For X.509, you should be able to use the DirectReference key
identifier in WSS4J, which will override the default (IssuerSerial),
and embed the signing certificate directly in the SOAP security header.

You could, of course, just pass an X.509 certificate through a
security header, but that provides no assurance of the identity of
the sender, since X.509 certificates are public documents. The
sender needs to prove something about his/her identity (in
particular, that she possesses the private key cryptographically
bound to the public key in the sent certificate).

-Fred

On Sep 12, 2007, at 9:15 AM, Davide Gesino wrote:
Hi,
another question about WS-Security again.
In CXF, how can I configure a SAML or X.509 authentication token?!
David
--
View this message in context: http://www.nabble.com/WS-Security-SAML-and-X.509-authentication-token-tf4429143.html#a12634954
Sent from the cxf-user mailing list archive at Nabble.com.
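
The DirectReference setup described in the reply above, as an added example that is not part of the original thread: the sender signs the message so the embedded certificate comes with proof of possession, and the receiver requires that signature. The WSS4J 1.x package name, the keystore alias, the properties file names, and the environment variable are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback; // assumed: WSS4J 1.x package

public final class X509SignatureConfig {

    /** Sender: sign the message and embed the signing certificate in the header. */
    public static void configureSender(Object port) {
        Map<String, Object> out = new HashMap<String, Object>();
        out.put("action", "Signature");
        out.put("user", "client-key");                            // assumed keystore alias
        out.put("signaturePropFile", "client-crypto.properties"); // assumed Crypto config
        out.put("signatureKeyIdentifier", "DirectReference");     // default is IssuerSerial
        out.put("passwordCallbackClass", KeyPassword.class.getName());
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(out));
    }

    /** Receiver: reject messages that carry no valid signature. */
    public static WSS4JInInterceptor receiverInterceptor() {
        Map<String, Object> in = new HashMap<String, Object>();
        in.put("action", "Signature");
        // Keystore of trusted certificates used to validate the embedded one.
        in.put("signaturePropFile", "server-crypto.properties");  // assumed file name
        return new WSS4JInInterceptor(in);
    }

    /** Supplies the private-key password; read from the environment, not hard-coded. */
    public static final class KeyPassword implements CallbackHandler {
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    // CLIENT_KEY_PASSWORD is a hypothetical variable name.
                    ((WSPasswordCallback) cb).setPassword(
                            System.getenv("CLIENT_KEY_PASSWORD"));
                }
            }
        }
    }
}
```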