Hi all,

I've got a question about rampart sample 05, using the sts service.

In the client the sts service is first called, then the token is inserted in the header and sent to the target service. My question is: how does the target service know that this token was issued by the sts service? Is this inside the SAML assertion? I'm sorry but I can't get my head around this. I would guess that the digital signature from the request to the target service from the client is based on the soap body for that request, so this one:

    <ns1:echo xmlns:ns1="http://sample05.policy.samples.rampart.apache.org">
        <param0>Hello world1</param0>
    </ns1:echo>

And if the target service is validating the SAML assertion and seeing that the signature info in this is signed by the sts, how would one approach it if the target service does not accept a SAML token, or maybe a SAML 2 token?

Sorry if I did not phrase the question well enough, but hopefully someone can debug it and answer. My naive idea is something like this: get the token from the sts signed, copy it to the head of the next request to the target service, the target service uses the public key to verify the signature and extract the token, and on the basis of this performs the authorization operation. Is this the correct way of thinking about it?

cheers, Håkon

--
Håkon Sagehaug, Scientific Programmer
Parallab, Bergen Center for Computational Science (BCCS)
UNIFOB AS (University of Bergen Research Company)
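
The check the message proposes (the service verifies the signature on the token with the issuer's public key), written out as an added example that is not part of the original post and is not Rampart or WSS4J code. It uses the JDK's javax.xml.crypto.dsig API directly; the class and method names, the generated keys and the stand-in assertion (signed as a whole document with URI "") are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class StsTrustDemo {
    static final XMLSignatureFactory F = XMLSignatureFactory.getInstance("DOM");

    // STS side: enveloped signature over the whole assertion document (URI "").
    static void signAsSts(Document assertion, PrivateKey stsKey) throws Exception {
        Reference ref = F.newReference("", F.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                F.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = F.newSignedInfo(
            F.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            F.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        F.newXMLSignature(si, null).sign(new DOMSignContext(stsKey, assertion.getDocumentElement()));
    }

    // Service side: accept only if the signature verifies under the STS public key the
    // service already trusts (configured out of band, never taken from the message).
    static boolean issuedByTrustedSts(Document assertion, PublicKey trustedStsKey) throws Exception {
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;   // unsigned or ambiguous: reject
        DOMValidateContext ctx = new DOMValidateContext(trustedStsKey, sigs.item(0));
        return F.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair sts = gen.generateKeyPair(), other = gen.generateKeyPair();
        // Constructed stand-in for a SAML assertion, not real Rampart output.
        String xml = "<Assertion xmlns='urn:example:constructed' Issuer='sts'><Subject>alice</Subject></Assertion>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        signAsSts(doc, sts.getPrivate());
        System.out.println("trusted STS key:  " + issuedByTrustedSts(doc, sts.getPublic()));
        System.out.println("different key:    " + issuedByTrustedSts(doc, other.getPublic()));
        doc.getElementsByTagName("Subject").item(0).setTextContent("mallory");
        System.out.println("subject modified: " + issuedByTrustedSts(doc, sts.getPublic()));
    }
}
```

The three calls in main cover the cases a relying service has to distinguish: a token signed by the trusted issuer, a token signed by some other key, and a token altered after signing.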