[ https://issues.apache.org/jira/browse/CXF-6650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-6650.
------------------------------------
> SAML 2.0 SenderVouches / no 2-way TLS / XML Signature bug
> ---------------------------------------------------------
>
> Key: CXF-6650
> URL: https://issues.apache.org/jira/browse/CXF-6650
> Project: CXF
> Issue Type: Bug
> Affects Versions: 3.0.6
> Reporter: Grzegorz Maczuga
> Assignee: Colm O hEigeartaigh
> Attachments: SAMLwExternalSignature.txt, SAMLwInternalSignature.txt
>
>
> When an Oracle API Gateway:
> - inserts a SenderVouches SAML 2.0 Assertion
> - and there is no 2-way TLS connection, thus CXF requires that both the SAML Token and
> the SOAP Body are signed by the same signature,
> then the CXF server fails to accept such a request in the following cases:
> 1) when the signature is outside the SAML Token element, the token is considered
> not signed by the CXF SAMLTokenProcessor
> 2) when the signature is inside the SAML Token, Signature processing fails as CXF
> cannot find the referenced external Body element
> 3) when the signature is inside the SAML Token but it only signs the SAML and not the BODY,
> it fails the Sender-vouches requirements
> The workaround for this is to:
> 1) Set in CXF that a "not signed" SAML is OK:
> <entry key="ws-security.enable.unsigned-saml-assertion.principal" value="true" />
> 2) Enforce the Signature of the SAML at the WSDL/WS-SecurityPolicy level:
> <ns3:SignedSupportingTokens>
> <ns3:WssSamlV20Token11/>
> </ns3:SignedSupportingTokens>
> but I believe that options 1) and 2) should normally work.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)