[ https://issues.apache.org/jira/browse/CXF-6650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Grzegorz Maczuga updated CXF-6650: ---------------------------------- Attachment: (was: SAMLwExternalSignature.txt) > SAML 2.0 SenderVouches / no 2-way TLS / XML Signature bug > --------------------------------------------------------- > > Key: CXF-6650 > URL: https://issues.apache.org/jira/browse/CXF-6650 > Project: CXF > Issue Type: Bug > Affects Versions: 3.0.6 > Reporter: Grzegorz Maczuga > Attachments: SAMLwInternalSignature.txt > > > When an Oracle Api Gateway: > - inserts a SenderVouches SAML 2.0 Assertion > - there is no 2-way TLS connection thus CXF require that both SAML Token and > SOAP Body are signed by same signature. > Then CXF server fails to accept such request in following cases: > 1) when signature is outside SAML Token element then token is considered to > be not signed by CXF SAMLTokenProcessor > 2) when signature is inside SAML Token then Signature processing fails as CXF > cannot find referenced external Body element > 3) when signature is inside SAML Token but it only signs SAML and no BODY, > then it fails Sender-vouches requirements > Workaround to this is to: > 1) Set in CXF that “not signed” SAML is OK: > <entry key="ws-security.enable.unsigned-saml-assertion.principal" > value="true" /> > 2) Enforce Signature of SAML on WSDL/WS-SecurityPolicy level: > <ns3:SignedSupportingTokens> > <ns3:WssSamlV20Token11/> > </ns3:SignedSupportingTokens> > but I believe that options 1) and 2) should normally work. -- This message was sent by Atlassian JIRA (v6.3.4#6332)