> When the client sends an RST to the STS, how does the STS know whether it is
> following SAML 1.0 or 2.0 and the holder-of-key, bearer, etc. confirmation
> method?


Look at the WSDL of the service provider:

http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts/wsdl/hello_world.wsdl?view=markup

The content of the RequestSecurityTokenTemplate policy gets copied by the
client into the STS request:

<sp:RequestSecurityTokenTemplate>
    <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
    <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
</sp:RequestSecurityTokenTemplate>

The TokenType tells the STS whether to issue (e.g.) a SAML 1.1 or 2.0
token. The KeyType lets the STS know what key (if any) to include in the
generated token. "PublicKey" and "SymmetricKey" will result in a
"holder-of-key" subject confirmation method; "Bearer" will result in a
"bearer" confirmation method.

Colm.

On Wed, Feb 20, 2013 at 5:42 PM, kk31 <[email protected]> wrote:

> Hi,
>   I am trying to get familiar with SAML with the Apache CXF STS.   I have more
> of a generalized question.
>
>      When the client sends an RST to the STS, how does the STS know whether it is
> following SAML 1.0 or 2.0 and the holder-of-key, bearer, etc. confirmation
> method?
>     Do we need to specify this in the STS policies?
>
>     e.g. In the STS sample that was shared along with the CXF package, by
> default it generates SAML 2.0 and holder-of-key subject confirmation.
>
>       When I look into the STS.wsdl in the sts samples folder, I did not
> find any clue how these parameters are passed in the RST request from the
> client.
>
>       When I look into the requests that are flowing over the wire using
> tcpmon, the following sequence of steps is happening:
>    1. The client will request the STS WSDL.
>    2. Once the client gets the STS WSDL, the client will send an RST with
> RequestTokenType as
>
> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
>    3. When I see the response from the STS, I see a SAML 2.0 token with
> HOK as the confirmation method.
>
>      My question in specific is: how does the client know whether the
> RequestTokenType is 1.0 or 2.0 in the RST?
>
>   In the RSTR, how does the confirmation method come out as HOK?
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/saml-subject-confirmation-method-tp5723511.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

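Worked example of the exchange Colm describes, added for this archive page; it is not CXF code and not part of either mail. The namespace URIs, TokenType and KeyType values and confirmation-method URNs are the real OASIS ones; the policy fragment is constructed to mirror the template quoted above, and the function names (build_rst, sts_read_request, issue_assertion_skeleton, confirmation_method) are this example's own. It shows the client copying the template into the RST unchanged, the STS choosing the SAML version and confirmation method from nothing but TokenType and KeyType, and a relying party reading that method back out of either SAML version.

```python
import xml.etree.ElementTree as ET

# OASIS namespace URIs for WS-SecurityPolicy 1.2, WS-Trust 1.3 and SAML 1.1/2.0.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"

# TokenType URI -> (assertion version, assertion namespace, confirmation-method URN prefix).
# SAML 1.1 assertions still use the SAML 1.0 confirmation-method URNs.
TOKEN_TYPES = {
    SAML_PROFILE + "#SAMLV1.1": ("1.1", SAML1, "urn:oasis:names:tc:SAML:1.0:cm:"),
    SAML_PROFILE + "#SAMLV2.0": ("2.0", SAML2, "urn:oasis:names:tc:SAML:2.0:cm:"),
}
# KeyType URI -> confirmation method. PublicKey and SymmetricKey both mean the
# presenter must prove possession of a key (holder-of-key); Bearer means
# whoever holds the token may use it.
KEY_TYPES = {
    WST + "/PublicKey": "holder-of-key",
    WST + "/SymmetricKey": "holder-of-key",
    WST + "/Bearer": "bearer",
}

# Constructed stand-in for the sp:IssuedToken assertion in a service's WSDL
# policy; the template body mirrors the snippet quoted in the mail.
SERVICE_POLICY = f"""
<sp:IssuedToken xmlns:sp="{SP}" xmlns:t="{WST}">
  <sp:RequestSecurityTokenTemplate>
    <t:TokenType>{SAML_PROFILE}#SAMLV2.0</t:TokenType>
    <t:KeyType>{WST}/PublicKey</t:KeyType>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>
"""


def build_rst(policy_xml):
    """Client side: copy every child of RequestSecurityTokenTemplate into the
    RST unchanged. This is the only place TokenType and KeyType enter the wire
    message; the client contributes the RequestType, nothing about token shape."""
    template = ET.fromstring(policy_xml.strip()).find(f"{{{SP}}}RequestSecurityTokenTemplate")
    if template is None:
        raise ValueError("policy carries no RequestSecurityTokenTemplate")
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    for child in template:
        rst.append(child)
    return ET.tostring(rst, encoding="unicode")


def sts_read_request(rst_xml):
    """STS side: derive (SAML version, assertion namespace, confirmation-method
    URN) from TokenType and KeyType alone. Unknown or missing values are
    rejected rather than defaulted, so a client cannot steer the STS into a
    token shape the deployment never intended."""
    rst = ET.fromstring(rst_xml)
    token_type = rst.findtext(f"{{{WST}}}TokenType")
    key_type = rst.findtext(f"{{{WST}}}KeyType")
    if token_type not in TOKEN_TYPES:
        raise ValueError(f"unsupported TokenType: {token_type!r}")
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported KeyType: {key_type!r}")
    version, ns, cm_prefix = TOKEN_TYPES[token_type]
    return version, ns, cm_prefix + KEY_TYPES[key_type]


def issue_assertion_skeleton(rst_xml):
    """STS side: only the part of the RSTR assertion that answers the question.
    Real issuance also adds issuer, conditions, the proof key for holder-of-key
    and an XML signature; those are omitted here."""
    version, ns, method = sts_read_request(rst_xml)
    if version == "2.0":
        assertion = ET.Element(f"{{{ns}}}Assertion", {"Version": "2.0"})
        subject = ET.SubElement(assertion, f"{{{ns}}}Subject")
        ET.SubElement(subject, f"{{{ns}}}SubjectConfirmation", {"Method": method})
    else:
        assertion = ET.Element(f"{{{ns}}}Assertion", {"MajorVersion": "1", "MinorVersion": "1"})
        stmt = ET.SubElement(assertion, f"{{{ns}}}AuthenticationStatement")
        subject = ET.SubElement(stmt, f"{{{ns}}}Subject")
        conf = ET.SubElement(subject, f"{{{ns}}}SubjectConfirmation")
        ET.SubElement(conf, f"{{{ns}}}ConfirmationMethod").text = method
    return assertion


def confirmation_method(assertion):
    """Relying-party side: read the confirmation method out of either SAML
    version. The service must check this before trusting the token and, for
    holder-of-key, demand proof of possession of the key named in it."""
    if assertion.tag == f"{{{SAML2}}}Assertion":
        return assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}SubjectConfirmation").get("Method")
    path = (f"{{{SAML1}}}AuthenticationStatement/{{{SAML1}}}Subject/"
            f"{{{SAML1}}}SubjectConfirmation/{{{SAML1}}}ConfirmationMethod")
    return assertion.findtext(path)


if __name__ == "__main__":
    rst = build_rst(SERVICE_POLICY)
    print(rst)
    print(confirmation_method(issue_assertion_skeleton(rst)))
```

Two points worth keeping in mind when reading a real RST with tcpmon: the STS in this example refuses a TokenType or KeyType it does not recognise instead of silently falling back to a default, and the relying party reads the confirmation method from the assertion rather than assuming it. A bearer assertion can be replayed by anyone who captures it, so a service that expects holder-of-key has to check the Method value and then verify the proof-of-possession, not just the signature on the assertion.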