On 06/03/13 17:22, geecxf wrote:
> No. I am talking about metadata used to exchange out-of-band information
> about what asserting party a relying party should trust and what relying
> party an asserting provider should issue tokens for.
> Currently, in CXF you establish trust between the relying party and the
> asserting provider (i.e. service provider and identity provider) by
> exchanging certificates out-of-band. This gives the service provider a way
> to ascertain that the SAML token was not tampered with. However, the service
> provider may want to validate other aspects of the assertion, such as the
> issuer ID and audience restriction. Conversely, you may want to tightly
> control what relying parties an STS will issue tokens for. You may also want
> to associate a public certificate with the relying party so that the STS can
> encrypt parts of the assertion so that only the relying party can use them.
> The SAML metadata specification describes a "standard" way to share this
> kind of information between the relying party and the asserting party.
> Technically speaking, you could come up with your own way of sharing that
> information, but SAML metadata makes it easier to share.
Does it imply the metadata exchange must've happened before the RP
endpoints have been started?
It seems that if it happens via a back channel while trying to validate
a given client's request, then it will affect performance?
Cheers, Sergey
--
View this message in context:
http://cxf.547215.n5.nabble.com/SAML-metadata-tp5723816p5724147.html
Sent from the cxf-user mailing list archive at Nabble.com.
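The trust data the thread is discussing, as an added example that is not CXF code and not from either poster (Python, standard library only): it parses a constructed SAML 2.0 metadata document describing an IdP/STS and a relying party, then applies it on both sides, the RP checking the assertion's Issuer and AudienceRestriction against the metadata (the part the certificate exchange alone does not cover) and the STS refusing relying parties that are not registered and picking the registered RP's encryption certificate. The entity IDs, certificate strings and the assertion are constructed placeholders; XML signature verification is left to the SAML stack and is not implemented here.

```python
# Added example, not CXF project code. Entity IDs, certificate strings and
# the assertion are constructed placeholders. XML-DSig verification is left
# to the SAML stack; the checks below are the ones a bare certificate
# exchange does not give you: trusted issuer, audience, registered RP.
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "saml": SAML, "ds": DS}

# Constructed metadata: one IdP (the STS) and one SP (the relying party).
METADATA_XML = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://idp.example.org/sts">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-IDP-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://rp.example.org/service">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-RP-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


@dataclass
class Entity:
    entity_id: str
    roles: List[str] = field(default_factory=list)           # "idp" and/or "sp"
    signing_certs: List[str] = field(default_factory=list)   # base64 as in metadata
    encryption_certs: List[str] = field(default_factory=list)


def _certs(role_desc: ET.Element, use: str) -> List[str]:
    # A KeyDescriptor without a 'use' attribute is valid for both uses.
    out = []
    for kd in role_desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for c in kd.findall(".//ds:X509Certificate", NS):
                out.append("".join((c.text or "").split()))
    return out


def parse_metadata(xml_text: str) -> Dict[str, Entity]:
    """Parse an EntitiesDescriptor once, at startup, into a trust store."""
    root = ET.fromstring(xml_text)
    entities: Dict[str, Entity] = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        ent = Entity(entity_id=ed.get("entityID", ""))
        for role, tag in (("idp", "md:IDPSSODescriptor"), ("sp", "md:SPSSODescriptor")):
            for desc in ed.findall(tag, NS):
                ent.roles.append(role)
                ent.signing_certs += _certs(desc, "signing")
                ent.encryption_certs += _certs(desc, "encryption")
        entities[ent.entity_id] = ent
    return entities


def validate_assertion(assertion_xml: str, metadata: Dict[str, Entity],
                       my_entity_id: str) -> List[str]:
    """RP side: checks the signature alone does not cover. Empty list = accept."""
    a = ET.fromstring(assertion_xml)
    errors: List[str] = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    ent = metadata.get(issuer)
    if ent is None or "idp" not in ent.roles:
        errors.append(f"issuer is not a trusted IdP in metadata: {issuer!r}")
    elif not ent.signing_certs:
        errors.append(f"no signing certificate in metadata for {issuer!r}")
    audiences = [(e.text or "").strip() for e in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    # Policy choice of this example: an assertion with no audience is refused.
    if not audiences:
        errors.append("assertion carries no AudienceRestriction")
    elif my_entity_id not in audiences:
        errors.append(f"audience {audiences} does not include {my_entity_id!r}")
    return errors


def sts_issue_target(metadata: Dict[str, Entity],
                     relying_party_id: str) -> Tuple[bool, Optional[str]]:
    """STS side: (may issue?, certificate to encrypt for). Unknown RPs get nothing."""
    ent = metadata.get(relying_party_id)
    if ent is None or "sp" not in ent.roles:
        return False, None
    return True, (ent.encryption_certs[0] if ent.encryption_certs else None)


def sample_assertion(issuer: str, audience: str) -> str:
    """Constructed, unsigned assertion used to exercise the checks."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
            f'IssueInstant="2013-06-03T17:22:00Z"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>')


if __name__ == "__main__":
    trust = parse_metadata(METADATA_XML)
    rp = "https://rp.example.org/service"
    print(validate_assertion(sample_assertion("https://idp.example.org/sts", rp), trust, rp))
    print(validate_assertion(sample_assertion("https://evil.example.net", rp), trust, rp))
    print(sts_issue_target(trust, rp), sts_issue_target(trust, "https://unknown.example.org"))
```

The design choice worth noting is where the cost sits: the metadata document is parsed once into a dictionary when the endpoint starts, so the per-request work is two dictionary lookups on the Issuer and Audience values; fetching or re-parsing metadata over a back channel on every request would be the expensive path.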