Hi Christian
On 27/11/13 10:45, Christian Metzler wrote:
Hi Sergey, hi Colm,
Am 27.11.2013 11:31, schrieb Sergey Beryozkin:
I can see that it is a bearer assertion, which is where KeyInfo is
optional, right?
That's not what I understand when reading the SAML2 Specification:
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Page 70, Section 5.4.5 KeyInfo
"XML Signature defines usage of the <ds:KeyInfo> element. SAML does not
require the use of <ds:KeyInfo>, nor does it impose any restrictions on
its use. Therefore, <ds:KeyInfo> MAY be absent."
So IMHO the KeyInfo is completely optional.
Yes, true at the XML Signature level, but we need to bear in mind that
in the WS space (which is where WSS4J is primarily used, and this is also
used under the hood by CXF RS right now), SAML assertions are not bearer
tokens; they are holder-of-key or sender-vouches. I can see
https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
mentions a bearer type, but I'm not sure it really ever features in WS
exchanges; the fact that it is the first time we see this issue suggests
it :-).
So we can tackle it at the CXF (JAX-RS security) level only.
Cheers, Sergey
Regards,
Christian
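An added example, not code from this thread nor from CXF or WSS4J, that makes the distinction the reply turns on concrete: it inspects the SubjectConfirmation method of a SAML 2.0 assertion and decides whether a missing ds:KeyInfo is acceptable (bearer: optional, as SAML Core 5.4.5 allows; holder-of-key: the subject's proof key must be present in SubjectConfirmationData). The sample assertions are constructed, the ds:Signature content is a placeholder rather than a real signature, and the treatment of sender-vouches is an assumption about policy, not WSS4J's actual logic.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 assertions and XML Signature
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"


def check_key_info(assertion_xml: str) -> dict:
    """Classify the subject confirmation method(s) of a SAML 2.0 assertion
    and decide whether the absence of ds:KeyInfo is acceptable.

    Policy applied (an assumption derived from SAML Core 5.4.5 and the WSS
    SAML Token Profile, not WSS4J's own rules):
      - bearer:         ds:KeyInfo is optional everywhere.
      - holder-of-key:  ds:KeyInfo must be present inside
                        SubjectConfirmationData (the subject's proof key).
      - sender-vouches: no KeyInfo required in the assertion itself; the
                        attesting sender signs the message instead.
    Signature verification is out of scope for this check.
    """
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    methods = [sc.get("Method") for sc in confirmations]

    # KeyInfo attached to the enveloped signature (identifies the issuer key)
    signature_key_info = root.find("ds:Signature/ds:KeyInfo", NS) is not None
    # KeyInfo carried as proof-of-possession material for holder-of-key
    hok_key_info = any(
        sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS) is not None
        for sc in confirmations
    )

    problems = []
    if not methods:
        problems.append("no SubjectConfirmation element")
    for method in methods:
        if method == HOLDER_OF_KEY and not hok_key_info:
            problems.append("holder-of-key assertion lacks ds:KeyInfo "
                            "in SubjectConfirmationData")
        elif method not in (BEARER, HOLDER_OF_KEY, SENDER_VOUCHES):
            problems.append(f"unknown confirmation method {method}")

    return {
        "methods": methods,
        "signature_key_info": signature_key_info,
        "hok_key_info": hok_key_info,
        "key_info_required": HOLDER_OF_KEY in methods,
        "ok": not problems,
        "problems": problems,
    }


# Constructed sample: a signed bearer assertion whose ds:Signature carries no
# KeyInfo. The signature content is a placeholder, not a real signature.
BEARER_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-11-27T12:00:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: a holder-of-key assertion with the subject key in
# SubjectConfirmationData (hypothetical key name).
HOK_KEY = "<ds:KeyInfo><ds:KeyName>subject-key</ds:KeyName></ds:KeyInfo>"
HOK_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a2" Version="2.0">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>bob</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>{HOK_KEY}</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# The same holder-of-key assertion with the proof key stripped: must be rejected.
HOK_ASSERTION_NO_KEY = HOK_ASSERTION.replace(HOK_KEY, "")

if __name__ == "__main__":
    for name, xml in (("bearer", BEARER_ASSERTION),
                      ("holder-of-key", HOK_ASSERTION),
                      ("holder-of-key without key", HOK_ASSERTION_NO_KEY)):
        print(name, check_key_info(xml))
```

The bearer sample passes even though neither its signature nor its subject confirmation carries a KeyInfo, which is the situation the thread describes; the holder-of-key sample is accepted only while the proof key is present.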