Grzegorz Maczuga created CXF-6650:
-------------------------------------
Summary: SAML 2.0 SenderVouches / no 2-way TLS / XML Signature bug
Key: CXF-6650
URL: https://issues.apache.org/jira/browse/CXF-6650
Project: CXF
Issue Type: Bug
Affects Versions: 3.0.6
Reporter: Grzegorz Maczuga
When an Oracle API Gateway:
- inserts a SenderVouches SAML 2.0 Assertion, and
- there is no 2-way TLS connection, so CXF requires that both the SAML Token and
the SOAP Body are signed by the same signature,
then the CXF server fails to accept such a request in the following cases:
1) when the signature is outside the SAML Token element, the token is considered
not signed by the CXF SAMLTokenProcessor
2) when the signature is inside the SAML Token, signature processing fails because
CXF cannot find the referenced external Body element
3) when the signature is inside the SAML Token but it only signs the SAML and not
the Body, it fails the Sender-vouches requirements
The workaround for this is to:
1) Set in CXF that "not signed" SAML is OK:
<entry key="ws-security.enable.unsigned-saml-assertion.principal" value="true" />
2) Enforce the signature of the SAML on the WSDL/WS-SecurityPolicy level:
<ns3:SignedSupportingTokens>
<ns3:WssSamlV20Token11/>
</ns3:SignedSupportingTokens>
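An added example, not code from the CXF project or the reporter, of the sender-vouches coverage rule described in the report: a plain-JDK DOM check that one ds:Signature references both the Assertion ID and the Body wsu:Id, whether that Signature sits inside or outside the Assertion. It inspects ds:Reference URIs only; cryptographic verification of the signature is assumed to happen separately (in CXF's case by WSS4J), the class name is hypothetical, and the SOAP message is a constructed minimal sample.

```java
import java.io.StringReader;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SenderVouchesCoverageCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // True only if ONE ds:Signature references both the Assertion ID and the Body wsu:Id,
    // regardless of whether that Signature is placed inside or outside the Assertion element.
    // This is the coverage requirement; it does not validate the signature cryptographically.
    static boolean sameSignatureCoversTokenAndBody(String soapXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DOCTYPE (XXE hardening)
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soapXml)));
        NodeList a = doc.getElementsByTagNameNS(SAML2, "Assertion");
        NodeList b = doc.getElementsByTagNameNS(SOAP, "Body");
        if (a.getLength() != 1 || b.getLength() != 1) return false; // exactly one token, one body
        String assertionRef = "#" + ((Element) a.item(0)).getAttribute("ID");
        String bodyRef = "#" + ((Element) b.item(0)).getAttributeNS(WSU, "Id");
        if (assertionRef.equals("#") || bodyRef.equals("#")) return false; // nothing to reference
        NodeList sigs = doc.getElementsByTagNameNS(DS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Set<String> uris = new HashSet<>();
            NodeList refs = ((Element) sigs.item(i)).getElementsByTagNameNS(DS, "Reference");
            for (int j = 0; j < refs.getLength(); j++) uris.add(((Element) refs.item(j)).getAttribute("URI"));
            if (uris.contains(assertionRef) && uris.contains(bodyRef)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed, structurally minimal message: Signature inside the Assertion (the report's case 2)
        // referencing both the token and the Body. Not cryptographically valid; coverage check only.
        String ok = "<soap:Envelope xmlns:soap='" + SOAP + "' xmlns:wsu='" + WSU + "'><soap:Header>"
            + "<saml2:Assertion xmlns:saml2='" + SAML2 + "' ID='_a1'><ds:Signature xmlns:ds='" + DS + "'>"
            + "<ds:SignedInfo><ds:Reference URI='#_a1'/><ds:Reference URI='#_b1'/></ds:SignedInfo>"
            + "</ds:Signature></saml2:Assertion></soap:Header><soap:Body wsu:Id='_b1'/></soap:Envelope>";
        String tokenOnly = ok.replace("<ds:Reference URI='#_b1'/>", ""); // the report's case 3
        System.out.println("token+body signed: " + sameSignatureCoversTokenAndBody(ok));
        System.out.println("token only signed: " + sameSignatureCoversTokenAndBody(tokenOnly));
    }
}
```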
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)