Thanks for the reply but I think I was misunderstood since I was not clear on 
the point.
By validating the token, I did not mean validating the structure and format of 
the token but rather validating that the token was not tampered with, that it is 
issued by the trusted third party and issued for the user submitting 
it. Probably a better wording would be validating the assertions? I am not sure 
what terms are used with this.
So when the service receives the token from the client, what does it do to the 
token exactly? Does Rampart use PKI in this process or does it contact the STS 
that issued the token?
Sincerely,

From: mgai...@hotmail.com
To: java-dev@axis.apache.org
Subject: RE: How are SAML tokens validated?
Date: Tue, 11 Sep 2012 07:10:17 -0400





The policy.xml <sp:RequestSecurityTokenTemplate> tokenType must be ONE of the 
SAML Constants (from org.apache.rahas.RahasConstants):
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 *OR* 
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
e.g.

<sp:RequestSecurityTokenTemplate>
  <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
</sp:RequestSecurityTokenTemplate>

<sp:RequestSecurityTokenTemplate>
  <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
</sp:RequestSecurityTokenTemplate>

Martin Gainty 


> Date: Tue, 11 Sep 2012 11:12:43 +0400
> Subject: How are SAML tokens validated?
> From: firestorm5...@gmail.com
> To: java-dev@axis.apache.org
> 
> I am trying to use SAML tokens in my project but I need more
> information on the method used to validate the tokens. Since
> validating tokens is outside of the scope of SAML token specifications
> I am not sure which method is used in rampart.
> Is there more than one way to validate tokens? and which methods are
> supported in rampart?
> 
> 
> Thanks
> 