I'll be sure to share whatever I learn if we are tasked to implement this kind of functionality. So far our product owners are saying this is not strictly necessary but that could change.
Regarding OAuth, the last time I read the specification it was essentially token agnostic. Other than the fact that the token should be compact so that you can pass it in redirects and headers, the specification really says nothing about what token format to use. I think JWT is what most people are using but I've also seen implementations that return SAML assertions. MS also has a Simple Web Token (SWT) format which is basically JWT light. But I digress.

--
View this message in context: http://cxf.547215.n5.nabble.com/SAML-metadata-tp5723816p5724286.html
Sent from the cxf-user mailing list archive at Nabble.com.
