Why does the STS have a SecureConversation policy in place? This seems strange to me, as the client will cache the token it gets from the STS anyway.
Colm.

On Wed, Jun 5, 2013 at 8:07 PM, DTaylor <[email protected]> wrote:
> Thanks Colm, Andrei & Daniel for your answers to those questions.
>
> I'm having a bit of trouble getting secure conversation working with SAML
> assertions on my service and I'm wondering if someone could lend some
> assistance.
>
> I wanted to make sure my initial assumptions are correct before I go much
> further.
> We have an STS, service and client, all written in Java for now (C# interop
> coming later), where we want to create a SAML token and SCT at the STS
> (SAML token being based off an incoming username token).
>
> For the STS:
> 1) We need a port with a non-SecureConversation policy which receives a
> SignedEncryptedSupportingToken of type UsernameToken in order to create the
> SAML token.
> 2) We need a port with a SecureConversation policy in place.
> 3) The configuration needs to be provided for the various encryption and
> signature parameters (regular and .sct versions).
>
> For the Service:
> 1) We need a port with a SecureConversation policy which is secured by the
> SAML token from STS (1) above.
> 2) We need the correct configuration for the various encryption and
> signature parameters (regular and .sct versions).
>
> For the client:
> 1) We need an STS client pointing to the non-SecureConversation port which
> will be used to retrieve the SAML token.
> 2) We need an STS client pointing to the SecureConversation port which will
> be used to retrieve the SecureConversation token.
> 3) A configuration entry for the Spring client which is used to access the
> secure conversation enabled port of the service, with the property entry
> "ws-security.sts.client" value pointing to the port from STS (1) above and
> a property entry "ws-security.sts.client.sct" value pointing to the port
> from STS (2) above.
> 4) A configuration entry for the Spring client which has the non-SCT
> username and passwords for the certificates being used.
> 5) A configuration entry for the Spring client which has the non-SCT
> username and passwords for the UsernameToken for STS (1) above.
>
> I know that's a lot to ask and a giant pain but I want to make sure I'm not
> missing anything or having an incorrect base assumption before asking more
> detailed questions re my WSDLs and configs, etc.
>
> Thanks,
> Dan
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/WS-SecureConversation-and-SAML-assertions-tp5728643p5728809.html
> Sent from the cxf-user mailing list archive at Nabble.com.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
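For reference, the client-side wiring Dan lists under "For the client" (an STSClient bean for the SAML token, the Spring client proxy that references it via "ws-security.sts.client", and the credential entries) looks roughly like the CXF Spring configuration below. This is an added illustration for this page, not configuration taken from the thread or from the CXF project; the endpoint URLs, port QNames, keystore property files, key aliases and the callback-handler class are assumed placeholders. It deliberately sets no "ws-security.sts.client.sct": in CXF's SecureConversation support the bootstrap RST that obtains the SCT is addressed to the service endpoint itself and secured according to that endpoint's SecureConversationToken bootstrap policy, using the ".sct"-suffixed properties, which is consistent with Colm's question about whether the STS needs a SecureConversation port at all.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the CXF project): client-side CXF
     Spring wiring for a SAML token from the STS plus SecureConversation with
     the service. All URLs, QNames, keystore property files, key aliases and
     the callback handler class are assumed placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml"/>

    <!-- Client item 1: STSClient for the non-SecureConversation STS port that
         exchanges a UsernameToken for a SAML token. -->
    <bean id="samlStsClient" class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf"/>
        <!-- assumed STS location and port QName -->
        <property name="wsdlLocation"
                  value="https://localhost:8443/SecurityTokenService/UT?wsdl"/>
        <property name="serviceName"
                  value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
        <property name="endpointName"
                  value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UT_Port"/>
        <property name="properties">
            <map>
                <!-- Client item 5: UsernameToken credentials sent to the STS;
                     the (assumed) callback handler supplies the password -->
                <entry key="ws-security.username" value="alice"/>
                <entry key="ws-security.callback-handler"
                       value="com.example.client.ClientCallbackHandler"/>
                <!-- Client item 4: keystores and aliases (assumed) used to sign
                     and encrypt the RequestSecurityToken sent to the STS -->
                <entry key="ws-security.signature.properties"
                       value="clientKeystore.properties"/>
                <entry key="ws-security.encryption.properties"
                       value="clientKeystore.properties"/>
                <entry key="ws-security.encryption.username" value="mystskey"/>
                <!-- client key the STS binds into the issued SAML token -->
                <entry key="ws-security.sts.token.username" value="myclientkey"/>
            </map>
        </property>
    </bean>

    <!-- Client item 3: proxy for the service's SecureConversation port (QName
         assumed). Only ws-security.sts.client is set; the SCT bootstrap is
         driven by the service endpoint's policy and the .sct properties. -->
    <jaxws:client name="{http://www.example.org/contract}ServiceSCPort"
                  createdFromAPI="true">
        <jaxws:properties>
            <entry key="ws-security.sts.client" value-ref="samlStsClient"/>
            <!-- .sct-suffixed entries apply to the bootstrap RST that obtains
                 the SecurityContextToken from the service endpoint -->
            <entry key="ws-security.callback-handler.sct"
                   value="com.example.client.ClientCallbackHandler"/>
            <entry key="ws-security.signature.properties.sct"
                   value="clientKeystore.properties"/>
            <entry key="ws-security.encryption.properties.sct"
                   value="clientKeystore.properties"/>
            <entry key="ws-security.encryption.username.sct" value="myservicekey"/>
        </jaxws:properties>
    </jaxws:client>

</beans>
```

The STSClient caches the SAML token it receives, and the SCT negotiated with the service is likewise cached for the conversation, so the STS is contacted once per token lifetime rather than per request; a second STSClient bound to an STS-side SecureConversation port would only be needed if the service's bootstrap policy pointed the SCT request back at the STS rather than at the service itself.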
