I have 2 codebases. They are identical except that one uses the reference JAX-WS implementation. The other uses CXF + Wss4j.
I'm seeing a difference in the security header created by each codebase. The JAX-WS RI creates a <security> element with 2 <signature> elements within it. The codebase that uses CXF+wss4j only adds a single <signature> element. Based on what I found by googling, I think the 2nd signature element is supposed to be the signature confirmation. The server expects the signature confirmation and hence rejects the request in the case of CXF + Wss4j. Is this expected? JAX-WS reference implementation ======================== <ns3:Security xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:ns4="http://www.w3.org/2005/08/addressing"; xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"; xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"; xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"; xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"><ns2:Timestamp xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:ns4="http://www.w3.org/2005/08/addressing"; xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"; xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"; xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"; xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation" ns2:Id="_a199e922-5238-46ca-a93a-f73db181e918"><ns2:Created>2015-11-29T19:40:02.949Z</ns2:Created><ns2:Expires>2015-11-29T19:50:02.949Z</ns2:Expires></ns2:Timestamp><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; ID="_a5ccb73a-7337-407a-b4c3-a66f2baeacb2" IssueInstant="2015-11-29T19:39:58.983Z" Version="2.0"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";></ds:SignatureMethod><ds:Reference URI="#_a5ccb73a-7337-407a-b4c3-a66f2baeacb2"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="xs xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256";></ds:DigestMethod><ds:DigestValue>6562VNOEAQW4Q7giAAQDaMvsJE31Tr0dKHI8EIOP6Jo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>irRr1jA1PsMefSifkBw5K8UvBWiqpEbTJGFcOtU/sPHrSp2xLvgv8Qrnv5RuFMDbq9u4e1s1bII1 INjkTbK8XDhjvO32YDrpK9ywH5lWi6NYWCUOc31ZJe41s+ooikCrdWDnUAjNesxaqVaovO4aYexS S7hitB/ms6KuizkwwdocYt2tSBNNwa9Xjw0dsHzSdmMLaUXauOR3dDC/EwLODTd4uvQqVkRPOKYG oMDXndOC1QFeFphvnZvEgpITF4TPSWQUI7B9nAPDWeZIOUhJovJ2MxWNfGF+XrfBwnMxnGee3gp8 vrwhCDI3wLcs+ndX3Z92F5ga8Xl3uWI4z66KBQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjcxNDUzNDZaFw0yNTEwMjEx NTAzMjlaMBgxFjAUBgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQDB6FmNgUCZiPKXwFtMwGPFdFxy1eBKNQLVqiwJPEk/TBImWLkXRgMdwApPOaPjWPj3 9nc8zeKfYheGpel9cyqWAjniCo1mTj5r3ko4KlbvDip1MM/o2DwXK1jO1bGX0K1Jj/MEVizfNz4F 6G7wowY9Drxyg8+aCUY+SQsfkv1tEnjdxl3ybKXL7+yuDnFKBZt4qV68YdN+Zu6T3wURZKhBpCp4 vzSQwn56PEOE2sDb6HQ7R1aJO8JOeHZpXi78iQGHjyZUllm24+645axTs2DhbbJKiFOjoA95liC2 PANhFMjZu0TPMyvdyCYdLJokguDYC/s1D7hdhCQn0a34ZHqTAgMBAAGjbzBtMAsGA1UdDwQEAwIF 4DAeBgNVHREEFzAVghNmdW5rLnJ0cC5uZXRhcHAuY29tMB0GA1UdDgQWBBSpCGQYYTuwgR5kcNtX kC8nAjmGezAfBgNVHSMEGDAWgBQzkY4vNOatLsyiR9IEc2qO/SxuYDANBgkqhkiG9w0BAQsFAAOC AQEAVBw89jzGKzu0Fjd29o5tiTMEhIY2VlHnxiwdxNqFb7P4ADGEHye8OMfJiQb+24NjSV630yWc 3VNurEpRaT3SIEPqG10iFjnB/Fsxfgb1QlcCSdh3UwoCsmPMaagUlNijWb/eGhLzU2u/joSjPSmS uGxKCNgEPiCa1uBr0NZuHIll1mPg5TRH1aP05efa/XPb59RQdRbpDdkp2/n/0/gfeKL4F8htjPxS 6ayPk2ptJAWkDgPWCv8py2MwkzCa8la+aq8v/YZqOlRxnqp/Mh3ingJEmx/6uYbYbi4FJM1tstMv VROhlUh85fZePM9h1SVnjh+tMOca6Xf5g0FOx8nPpQ==</ds:X509Certificate><ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjQxNTAzMjlaFw0yNTEwMjEx NTAzMjlaMGgxCzAJBgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT 8ixkARkWBWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTq9IGaJfEUwWW+rO/9DO8F4wg+lnRGVUNk pV4YILwfLiAnGF9A/rjumXiMCtc//soxJmI024A5k7PeVPUrkafSjRt7KioM5WzNtOU1OdesLsLA cHaZTU9XaNJ1+0k0SpQT/i7KzVFXPe54tM3SLhsdnjOeQfbCVYwBP+rARvoqz8vD2Ao+1VOLYqmp YPnsJimkgqmgNG93wybJWdyr5EXDeMcMw6V6sJOjfvGfTd+HOI3Sq7iw3jIUFE3JvnPve6dltNw+ +2kSZtjIOcHE4fbuRoRUxUMgWnbJn/tvpgnkINf67+RQQRgEsE5CtWMICEO74hyC41K2IL3BbHwP jsUCAwEAAaNFMEMwHQYDVR0OBBYEFDORji805q0uzKJH0gRzao79LG5gMA4GA1UdDwEB/wQEAwIB BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYmkUedlcvX0+lGWYXCUXL qocza0ZEpY/UV5Z7j6NVAToOV1pENtHKPjfCAe1aJKu+QpG1mltpMK5GBwLkkAqQPqBhQZfu84zS gcCEKhWNu0oCr1feZu8SOiddQdxQWIYLuwoB+Zvov0DOEB1ItETlRmMmuf1GRn29h+3UQfF83RrI ua73AXxJgozXI4qBfdGe/cUKT5NsBPOJeDJDZW5apv8mUj/35Z1Y8+8Qx7RIwEZnqjU3B1Zqs+ZQ KCuzjM31yPkJEby/a5aoPLaHHXVGIL6GN/erko3KxpJxar9TkmeULa2CBwh0hU4cQ4IFXExiNyRH dtL/iT0sE0nXET7g</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN";>[email protected]</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:X509Data><ds:X509Certificate>MIIChTCCAe6gAwIBAgIIOZzLxyu+aoIwDQYJKoZIhvcNAQEFBQAwgYQxCzAJBgNVBAYTAlVTMRMw EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwg SW5jLjEeMBwGA1UECxMVRWNvc3lzdGVtIEVuZ2luZWVyaW5nMRUwEwYDVQQDDAwqLnZtd2FyZS5j b20wHhcNMTUxMTI5MTkzOTU3WhcNMTYxMTI4MTkzOTU3WjCBhDELMAkGA1UEBhMCVVMxEzARBgNV BAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVBhbG8gQWx0bzEVMBMGA1UEChMMVk13YXJlLCBJbmMu MR4wHAYDVQQLExVFY29zeXN0ZW0gRW5naW5lZXJpbmcxFTATBgNVBAMMDCoudm13YXJlLmNvbTCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjHCywBzRtcTz0071B2zocMoN9D7A2Ham4YfITN43 cGTZtAcCOC7OKBkS8bfg04hqnUo59Roxr+jhIToxIMT4O1IxsAjiPXS68WdKh3h6pdfIdYrBTDFG Fe5UOhJwdG3cas5QJcKUMpWOfnNujIw8UaII8bu6ZvwZnR8kE2spFsUCAwEAATANBgkqhkiG9w0B AQUFAAOBgQB/PpOlU0yALiXFlIQGj6LW0VScBaOxOzMENKlk0VPt4bBT/3n8YKhri3Yfd/7WQMxJ Py1PyJvB8cCXEKfGlgQA9jRXbJf+8llVk1OyjCTjpnrPlEynLVxfNdmIn5HT7rXy27PTMC9e/By8 kdNUdcTHWYOVHPNd2akVemA1khaqhA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2015-11-29T19:39:57.916Z" NotOnOrAfter="2015-11-29T20:09:57.916Z"><saml2:ProxyRestriction Count="10"></saml2:ProxyRestriction><saml2:Condition xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"; Count="10" xsi:type="rsa:RenewRestrictionType"></saml2:Condition></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2015-11-29T19:39:58.981Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">vsphere.local</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">Administrator</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue><saml2:AttributeValue xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion> ####see below 2nd signature element ############# <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";></ds:SignatureMethod><ds:Reference URI="#_60b8ff8d-e1b7-48f0-a3ea-43a5b2fd537e"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512";></ds:DigestMethod><ds:DigestValue>V7sztgOZVF5LUSkR4aJJ7cX9X4UzAUpF3661NCKOs4puRIMiNIXJlrLVQIeS5YXPpme3sf89Xk8B aAJD7kt+zA==</ds:DigestValue></ds:Reference><ds:Reference URI="#_a199e922-5238-46ca-a93a-f73db181e918"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512";></ds:DigestMethod><ds:DigestValue>QNGwQjyLO3jjAUlcok7jnlVN/IV7Kxrh17rs/7yRxuCsJpkydeBEfEDoXDXLG6/2rK09HDibWnCO lNKwJ8x5KQ==</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>AkBK81uTZXlCWkiKFTcGygLLI1WgaFv88zzfd0q/fUxy7arwg1HAehEaJASFOzRXbQj+H6JZ+3IY QJ4W1jG5A20ARuydx7uOh/pOSoT13pKk0loImSWAcBu3wpvUIFDUHFhVYbXtahHwtK7/NYyUfSnv rBLJghFdfyzaudckLR0=</ds:SignatureValue><ds:KeyInfo><ns3:SecurityTokenReference xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns:ns4="http://www.w3.org/2005/08/addressing"; xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"; xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"; xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"; xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"; wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";><ns3:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";>_a5ccb73a-7337-407a-b4c3-a66f2baeacb2</ns3:KeyIdentifier></ns3:SecurityTokenReference></ds:KeyInfo></ds:Signature> </ns3:Security> CXF + WSS4j ========== <ns3:Security xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:ns4="http://www.w3.org/2005/08/addressing"; xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"; xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"; xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"; xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"> <ns2:Timestamp ns2:Id="fsfdsfsfs"> <ns2:Created>2015-12-01T18:57:08.814Z</ns2:Created> <ns2:Expires>2015-12-01T19:07:08.814Z</ns2:Expires> </ns2:Timestamp> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; ID="_50e38388-dbda-4843-9cd1-23730bd65502" IssueInstant="2015-12-01T18:56:52.609Z" Version="2.0"> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_50e38388-dbda-4843-9cd1-23730bd65502"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="xs xsi"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>6IQ6ekeoHmJQHNdnaKYFEgw2UBthqumyFYGG49ltvVg=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>pTU4jM27A6HIIm8tFa/kXRn7jIaQDjUE6Z9yjAatr5FuCQRpZYm9IhvvptGp2jKRrdfV3/MoNpAR aigFdz5t/uf5fBapHhdTYgqqKGg7BFtWQghruWKYmL0OLxCb3AMDHslqbQwckFQnFFygkUQfi7t5 XF/LHM94gJiNsXuaUi3AZ11o7PDXPqAKwMVTS93DKGIrsK7WSw/Iok+F9yIYPUJ/ejFkcbnkg91e pw7MhP+EH2hjQkpYk0Alx20n5NVV1zXT7LG4niONwwNzBP98W3BE0cV93ZLdLhph7zACKdhlEvjD rDSvSF95Ty01bSKrZxFXXTwJoRIimi+Ns0M4RA==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjcxNDUzNDZaFw0yNTEwMjEx NTAzMjlaMBgxFjAUBgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQDB6FmNgUCZiPKXwFtMwGPFdFxy1eBKNQLVqiwJPEk/TBImWLkXRgMdwApPOaPjWPj3 9nc8zeKfYheGpel9cyqWAjniCo1mTj5r3ko4KlbvDip1MM/o2DwXK1jO1bGX0K1Jj/MEVizfNz4F 6G7wowY9Drxyg8+aCUY+SQsfkv1tEnjdxl3ybKXL7+yuDnFKBZt4qV68YdN+Zu6T3wURZKhBpCp4 vzSQwn56PEOE2sDb6HQ7R1aJO8JOeHZpXi78iQGHjyZUllm24+645axTs2DhbbJKiFOjoA95liC2 PANhFMjZu0TPMyvdyCYdLJokguDYC/s1D7hdhCQn0a34ZHqTAgMBAAGjbzBtMAsGA1UdDwQEAwIF 4DAeBgNVHREEFzAVghNmdW5rLnJ0cC5uZXRhcHAuY29tMB0GA1UdDgQWBBSpCGQYYTuwgR5kcNtX kC8nAjmGezAfBgNVHSMEGDAWgBQzkY4vNOatLsyiR9IEc2qO/SxuYDANBgkqhkiG9w0BAQsFAAOC AQEAVBw89jzGKzu0Fjd29o5tiTMEhIY2VlHnxiwdxNqFb7P4ADGEHye8OMfJiQb+24NjSV630yWc 3VNurEpRaT3SIEPqG10iFjnB/Fsxfgb1QlcCSdh3UwoCsmPMaagUlNijWb/eGhLzU2u/joSjPSmS uGxKCNgEPiCa1uBr0NZuHIll1mPg5TRH1aP05efa/XPb59RQdRbpDdkp2/n/0/gfeKL4F8htjPxS 6ayPk2ptJAWkDgPWCv8py2MwkzCa8la+aq8v/YZqOlRxnqp/Mh3ingJEmx/6uYbYbi4FJM1tstMv VROhlUh85fZePM9h1SVnjh+tMOca6Xf5g0FOx8nPpQ==</ds:X509Certificate> <ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjQxNTAzMjlaFw0yNTEwMjEx NTAzMjlaMGgxCzAJBgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT 8ixkARkWBWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTq9IGaJfEUwWW+rO/9DO8F4wg+lnRGVUNk pV4YILwfLiAnGF9A/rjumXiMCtc//soxJmI024A5k7PeVPUrkafSjRt7KioM5WzNtOU1OdesLsLA cHaZTU9XaNJ1+0k0SpQT/i7KzVFXPe54tM3SLhsdnjOeQfbCVYwBP+rARvoqz8vD2Ao+1VOLYqmp YPnsJimkgqmgNG93wybJWdyr5EXDeMcMw6V6sJOjfvGfTd+HOI3Sq7iw3jIUFE3JvnPve6dltNw+ +2kSZtjIOcHE4fbuRoRUxUMgWnbJn/tvpgnkINf67+RQQRgEsE5CtWMICEO74hyC41K2IL3BbHwP jsUCAwEAAaNFMEMwHQYDVR0OBBYEFDORji805q0uzKJH0gRzao79LG5gMA4GA1UdDwEB/wQEAwIB BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYmkUedlcvX0+lGWYXCUXL qocza0ZEpY/UV5Z7j6NVAToOV1pENtHKPjfCAe1aJKu+QpG1mltpMK5GBwLkkAqQPqBhQZfu84zS gcCEKhWNu0oCr1feZu8SOiddQdxQWIYLuwoB+Zvov0DOEB1ItETlRmMmuf1GRn29h+3UQfF83RrI ua73AXxJgozXI4qBfdGe/cUKT5NsBPOJeDJDZW5apv8mUj/35Z1Y8+8Qx7RIwEZnqjU3B1Zqs+ZQ KCuzjM31yPkJEby/a5aoPLaHHXVGIL6GN/erko3KxpJxar9TkmeULa2CBwh0hU4cQ4IFXExiNyRH dtL/iT0sE0nXET7g</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2:Subject> <saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN";>[email protected]</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"> <saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> <ds:X509Data> <ds:X509Certificate>MIIChjCCAe+gAwIBAgIJAOpdwhw5314wMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzET MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJUGFsbyBBbHRvMRUwEwYDVQQKEwxWTXdhcmUs IEluYy4xHjAcBgNVBAsTFUVjb3N5c3RlbSBFbmdpbmVlcmluZzEVMBMGA1UEAwwMKi52bXdhcmUu Y29tMB4XDTE1MTIwMTE4NTY0OFoXDTE2MTEzMDE4NTY0OFowgYQxCzAJBgNVBAYTAlVTMRMwEQYD VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwgSW5j LjEeMBwGA1UECxMVRWNvc3lzdGVtIEVuZ2luZWVyaW5nMRUwEwYDVQQDDAwqLnZtd2FyZS5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANs52Y9fJz5M8VeGARSPFjcnUEowoptJTygVqbNh SnE2oBIV0/WEr6xozmWa1XscvcjfOm2QVfIZwrZc+F5tAQ6yI7CqyDpafEIajX7hgFaLgbpuk+q9 FJlRx6uqIiIYt8GXoM4+W1G/ICfUiAfCq3M2b5ItmAoRc6E2LMJXFY0LAgMBAAEwDQYJKoZIhvcN AQEFBQADgYEAv9HpjvO3/F7ZbJkDH7eujnGRHw1gSjSMp4TMlveICwoToNn+9svP8LkoT7u8YGxx nJSklky/d2cpA7zthj+DlYZF5icB/UY0eSRDSr3+MUiIxZt4LqRmW9mGBWxSJ1Dnq3kr821ATTMN 8XbO6iyrpnJDv3a/HwBJF7k+Ypk+opY=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </saml2:SubjectConfirmationData> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2015-12-01T18:56:50.144Z" NotOnOrAfter="2015-12-01T19:26:50.144Z"> <saml2:ProxyRestriction Count="10"/> <saml2:Condition xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"; Count="10" xsi:type="rsa:RenewRestrictionType"/> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2015-12-01T18:56:52.607Z"> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xs:string">vsphere.local</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xs:string">Administrator</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> #### 2nd signature element is missing <------ </ns3:Security> -- View this message in context: http://cxf.547215.n5.nabble.com/Question-on-signature-confirmation-in-the-security-header-tp5763524.html Sent from the cxf-dev mailing list archive at Nabble.com.
