[
https://issues.apache.org/jira/browse/CXF-3588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Beryozkin resolved CXF-3588.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.5
Basic validation is OK, further improvements will be done later on. Example,
SAML tokens passed in headers of GET requests - only 'bearer' will do, we will
need to attach signatures to deal with sender-vouches or holder of key, etc...
> Validate SAML assertions targeted at JAX-RS endpoints
> ------------------------------------------------------
>
> Key: CXF-3588
> URL: https://issues.apache.org/jira/browse/CXF-3588
> Project: CXF
> Issue Type: Sub-task
> Components: JAX-RS
> Affects Versions: 2.5
> Reporter: Sergey Beryozkin
> Assignee: Sergey Beryozkin
> Fix For: 2.5
>
>
> This task is about ensuring that SAML assertions can be validated either
> in-place, example by checking the assertion signature against a client cert
> in case of two-way TLS or by delegating to STS client for confirming it
> recognizes the assertion which it must've issued in the first place.
> How SAML assertion will be associated with the current request is not yet
> finalized. SAML HTTP POST binding offers the way to pass it via a form
> submission. Or we can get an artifact representing an STS response containing
> the assertion passed in and then get a compliant IDP resolve the artifact
> (vis STS). Or use a header and effectively create another SAML HTTP binding.
> Etc...
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
