In the following blog post I describe the relationship between the SAML subject
confirmation methods (bearer, holder-of-key, sender-vouches) and the role of the STS:
http://owulff.blogspot.ch/2012/02/saml-tokens-and-ws-trust-security-token.html

I also describe some SAML sender-vouches use cases here:
http://owulff.blogspot.ch/2012/03/saml-sender-vouches-use-case.html

HTH

Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Colm O hEigeartaigh [[email protected]]
Sent: 22 February 2013 17:42
To: [email protected]
Subject: Re: saml subject confirmation method

Did you read my original email? The KeyType and TokenType are specified in the
policy of the service provider (inside the RequestSecurityTokenTemplate of its
IssuedToken assertion), not in the STS WSDL. The STS WSDL you attached only
defines how the client authenticates to the STS itself — here a UsernameToken
sent over a SymmetricBinding protected by the STS's X.509 certificate — and says
nothing about the confirmation method of the token the STS issues. It is the
KeyType in the template that determines the confirmation method: PublicKey (or
SymmetricKey) yields a holder-of-key assertion, Bearer yields a bearer assertion;
sender-vouches is never requested from the STS at all, it is asserted by the
intermediary that signs the message. Keep in mind that holder-of-key only adds
security if the service provider actually verifies that the message is signed
with the key bound in the assertion's SubjectConfirmation — otherwise the token
is effectively a bearer token.

Colm.

Look at the WSDL of the service provider:
>
>
> http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts/wsdl/hello_world.wsdl?view=markup
>
> The content of the RequestSecurityTokenTemplate policy gets copied by the
> client into the RequestSecurityToken it sends to the STS:
>
> <sp:RequestSecurityTokenTemplate>
>     <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>     <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
> </sp:RequestSecurityTokenTemplate>
>

On Fri, Feb 22, 2013 at 4:24 PM, kk31 <[email protected]> wrote:

> Thanks for clarifying the sender-vouches confirmation method.
>     But in the examples shipped with Apache CXF 2.7.2 there is no
> clue about the holder-of-key (HoK) confirmation method in the policy.
>
>  I have downloaded CXF from the following URL:
>
> http://cxf.apache.org/download.html
>
>    If you open
> apache-cxf-2.7.2\samples\sts\wsdl\ws-trust-1.4-service.wsdl there is no
> information about KeyType or TokenType in the policy.
>
>       Can you please let me know which element indicates that the token is
> SAML 2.0 and that HoK is the confirmation method?
>
>
>   I am attaching the WSDL:
>
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsdl:definitions
>         targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>         xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>         xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>         xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>         xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>         xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
>
>   <wsdl:types>
>     <xs:schema elementFormDefault="qualified"
> targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
>
>       <xs:element name='RequestSecurityToken'
> type='wst:AbstractRequestSecurityTokenType' />
>       <xs:element name='RequestSecurityTokenResponse'
> type='wst:AbstractRequestSecurityTokenType' />
>
>       <xs:complexType name='AbstractRequestSecurityTokenType' >
>         <xs:sequence>
>           <xs:any namespace='##any' processContents='lax' minOccurs='0'
> maxOccurs='unbounded' />
>         </xs:sequence>
>         <xs:attribute name='Context' type='xs:anyURI' use='optional' />
>         <xs:anyAttribute namespace='##other' processContents='lax' />
>       </xs:complexType>
>       <xs:element name='RequestSecurityTokenCollection'
> type='wst:RequestSecurityTokenCollectionType' />
>       <xs:complexType name='RequestSecurityTokenCollectionType' >
>         <xs:sequence>
>           <xs:element name='RequestSecurityToken'
> type='wst:AbstractRequestSecurityTokenType' minOccurs='2'
> maxOccurs='unbounded'/>
>         </xs:sequence>
>       </xs:complexType>
>
>       <xs:element name='RequestSecurityTokenResponseCollection'
> type='wst:RequestSecurityTokenResponseCollectionType' />
>       <xs:complexType name='RequestSecurityTokenResponseCollectionType' >
>         <xs:sequence>
>           <xs:element ref='wst:RequestSecurityTokenResponse' minOccurs='1'
> maxOccurs='unbounded' />
>         </xs:sequence>
>         <xs:anyAttribute namespace='##other' processContents='lax' />
>       </xs:complexType>
>
>     </xs:schema>
>   </wsdl:types>
>
>
>   <wsdl:message name="RequestSecurityTokenMsg">
>     <wsdl:part name="request" element="wst:RequestSecurityToken" />
>   </wsdl:message>
>   <wsdl:message name="RequestSecurityTokenResponseMsg">
>     <wsdl:part name="response"
>             element="wst:RequestSecurityTokenResponse" />
>   </wsdl:message>
>   <wsdl:message name="RequestSecurityTokenCollectionMsg">
>     <wsdl:part name="requestCollection"
>             element="wst:RequestSecurityTokenCollection"/>
>   </wsdl:message>
>   <wsdl:message name="RequestSecurityTokenResponseCollectionMsg">
>     <wsdl:part name="responseCollection"
>             element="wst:RequestSecurityTokenResponseCollection"/>
>   </wsdl:message>
>
>
>   <wsdl:portType name="WSSecurityRequestor">
>     <wsdl:operation name="Challenge">
>       <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
>       <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>   </wsdl:portType>
>
>
>   <wsdl:portType name="STS">
>     <wsdl:operation name="Cancel">
>       <wsdl:input
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"
> message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="Issue">
>       <wsdl:input
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
> message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal"
> message="tns:RequestSecurityTokenResponseCollectionMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="Renew">
>       <wsdl:input
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"
> message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="Validate">
>       <wsdl:input
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"
> message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="KeyExchangeToken">
>       <wsdl:input
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET"
> message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="RequestCollection">
>       <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/>
>       <wsdl:output
> message="tns:RequestSecurityTokenResponseCollectionMsg"/>
>     </wsdl:operation>
>   </wsdl:portType>
>
>
>   <wsdl:portType name="SecurityTokenResponseService">
>     <wsdl:operation name="RequestSecurityTokenResponse">
>       <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>   </wsdl:portType>
>
>   <wsdl:binding name="UT_Binding" type="wstrust:STS">
>     <wsp:PolicyReference URI="#UT_policy" />
>         <soap:binding style="document"
>                 transport="http://schemas.xmlsoap.org/soap/http" />
>         <wsdl:operation name="Issue">
>                 <soap:operation
>                         soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>                 <wsdl:input>
>          <wsp:PolicyReference
>                URI="#Input_policy" />
>                         <soap:body use="literal" />
>                 </wsdl:input>
>                 <wsdl:output>
>                     <wsp:PolicyReference
>                URI="#Output_policy" />
>                         <soap:body use="literal" />
>                 </wsdl:output>
>         </wsdl:operation>
>         <wsdl:operation name="Validate">
>                 <soap:operation
>                         soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
>                 <wsdl:input>
>                     <wsp:PolicyReference
>                URI="#Input_policy" />
>                         <soap:body use="literal" />
>                 </wsdl:input>
>                 <wsdl:output>
>                     <wsp:PolicyReference
>                URI="#Output_policy" />
>                         <soap:body use="literal" />
>                 </wsdl:output>
>         </wsdl:operation>
>         <wsdl:operation name="Cancel">
>                 <soap:operation
>                         soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
>                 <wsdl:input>
>                         <soap:body use="literal" />
>                 </wsdl:input>
>                 <wsdl:output>
>                         <soap:body use="literal" />
>                 </wsdl:output>
>         </wsdl:operation>
>         <wsdl:operation name="Renew">
>                 <soap:operation
>                         soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
>                 <wsdl:input>
>                         <soap:body use="literal" />
>                 </wsdl:input>
>                 <wsdl:output>
>                         <soap:body use="literal" />
>                 </wsdl:output>
>         </wsdl:operation>
>         <wsdl:operation name="KeyExchangeToken">
>                 <soap:operation
>                         soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
>                 <wsdl:input>
>                         <soap:body use="literal" />
>                 </wsdl:input>
>                 <wsdl:output>
>                         <soap:body use="literal" />
>                 </wsdl:output>
>         </wsdl:operation>
>         <wsdl:operation name="RequestCollection">
>                 <soap:operation
>                         soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
>                 <wsdl:input>
>                         <soap:body use="literal" />
>                 </wsdl:input>
>                 <wsdl:output>
>                         <soap:body use="literal" />
>                 </wsdl:output>
>         </wsdl:operation>
>   </wsdl:binding>
>
>   <wsdl:service name="SecurityTokenService">
>       <wsdl:port name="UT_Port" binding="tns:UT_Binding">
>          <soap:address location="http://localhost:8080/SecurityTokenService/UT" />
>       </wsdl:port>
>   </wsdl:service>
>
>   <wsp:Policy wsu:Id="UT_policy">
>       <wsp:ExactlyOne>
>          <wsp:All>
>             <wsap10:UsingAddressing/>
>            <sp:SymmetricBinding
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                   <sp:ProtectionToken>
>                      <wsp:Policy>
>                         <sp:X509Token
>                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>
>                            <wsp:Policy>
>                               <sp:RequireDerivedKeys />
>                               <sp:RequireThumbprintReference />
>                               <sp:WssX509V3Token10 />
>                            </wsp:Policy>
>                         </sp:X509Token>
>                      </wsp:Policy>
>                   </sp:ProtectionToken>
>                   <sp:AlgorithmSuite>
>                      <wsp:Policy>
>                         <sp:Basic256 />
>                      </wsp:Policy>
>                   </sp:AlgorithmSuite>
>                   <sp:Layout>
>                      <wsp:Policy>
>                         <sp:Lax />
>                      </wsp:Policy>
>                   </sp:Layout>
>                   <sp:IncludeTimestamp />
>                   <sp:EncryptSignature />
>                   <sp:OnlySignEntireHeadersAndBody />
>                </wsp:Policy>
>             </sp:SymmetricBinding>
>             <sp:SignedSupportingTokens
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                   <sp:UsernameToken
>                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                      <wsp:Policy>
>                         <sp:WssUsernameToken10 />
>                      </wsp:Policy>
>                   </sp:UsernameToken>
>                </wsp:Policy>
>             </sp:SignedSupportingTokens>
>             <sp:Wss11
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                   <sp:MustSupportRefKeyIdentifier />
>                   <sp:MustSupportRefIssuerSerial />
>                   <sp:MustSupportRefThumbprint />
>                   <sp:MustSupportRefEncryptedKey />
>                </wsp:Policy>
>             </sp:Wss11>
>             <sp:Trust13
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                   <sp:MustSupportIssuedTokens />
>                   <sp:RequireClientEntropy />
>                   <sp:RequireServerEntropy />
>                </wsp:Policy>
>             </sp:Trust13>
>          </wsp:All>
>       </wsp:ExactlyOne>
>    </wsp:Policy>
>
>    <wsp:Policy wsu:Id="Input_policy">
>       <wsp:ExactlyOne>
>          <wsp:All>
>
>
>          </wsp:All>
>       </wsp:ExactlyOne>
>    </wsp:Policy>
>
>    <wsp:Policy wsu:Id="Output_policy">
>       <wsp:ExactlyOne>
>          <wsp:All>
>              <sp:SignedParts
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <sp:Body />
>                <sp:Header Name="To"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>                <sp:Header Name="From"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>                <sp:Header Name="FaultTo"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>                <sp:Header Name="ReplyTo"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>                <sp:Header Name="MessageID"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>                <sp:Header Name="RelatesTo"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>                <sp:Header Name="Action"
>                   Namespace="http://www.w3.org/2005/08/addressing" />
>             </sp:SignedParts>
>
>          </wsp:All>
>       </wsp:ExactlyOne>
>    </wsp:Policy>
>
> </wsdl:definitions>
>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/saml-subject-confirmation-method-tp5723511p5723589.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
