Sorry, it looks like I posted the ws-trust request before and not the response.

Here is the response. I also unchecked that box on our STS and set its
lifetime on the SAML token it returns to 7 minutes to match the NotOnOrAfter,
and it now has a Lifetime element, but I am still getting the same "token
expired" error when I tried another request at 1:12pm. Perhaps the lifetime
is too close and should be less, so I am trying 4 minutes now. But I am
confused, as I thought the expiry of a SAML token was directly related to the
SAML condition NotOnOrAfter. I am no expert in the ws-trust and SAML
specs, but if Lifetime is not provided then shouldn't the CXF isExpired method
also check the NotOnOrAfter as well?

RSTR:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <wst:RequestSecurityTokenResponse
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wst:RequestedSecurityToken>
        <saml2:Assertion ID="SamlAssertion-4b473c86a1e09239721027a1f3b3e07c"
            IssueInstant="2014-04-24T18:06:11.661Z" Version="2.0"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml2:Issuer>http://sts.dev.mycompany.com:8080/sts_ut</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#SamlAssertion-4b473c86a1e09239721027a1f3b3e07c">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>eJCXNdhnR...</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>MVTJysD4BbDjX...</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <X509Data>
                <X509SubjectName>[email protected],CN=mystsserver.com,OU=ITG,O=Some Company,L=Chicago,ST=Illinois,C=US</X509SubjectName>
                <X509Certificate>MIIHmDCCBoCg...</X509Certificate>
              </X509Data>
            </KeyInfo>
          </ds:Signature>
          <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                NameQualifier="">EAA0001</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
          </saml2:Subject>
          <saml2:Conditions NotBefore="2014-04-24T18:04:11.661Z"
              NotOnOrAfter="2014-04-24T18:11:11.662Z"/>
          <saml2:AttributeStatement>
            <saml2:Attribute Name="cn"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
              <saml2:AttributeValue>cn=RFT,ou=SomeCompany,ou=Authorities,ou=SomeCompany,ou=SERVICES,o=INTLDAP</saml2:AttributeValue>
            </saml2:Attribute>
          </saml2:AttributeStatement>
          <saml2:AuthnStatement AuthnInstant="2014-04-24T18:06:11.661Z">
            <saml2:SubjectLocality Address="10.99.99.99"/>
            <saml2:AuthnContext>
              <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
          </saml2:AuthnStatement>
        </saml2:Assertion>
      </wst:RequestedSecurityToken>
      <wst:Lifetime>
        <wsu:Created>2014-04-24T18:06:11.702Z</wsu:Created>
        <wsu:Expires>2014-04-24T18:13:11.702Z</wsu:Expires>
      </wst:Lifetime>
    </wst:RequestSecurityTokenResponse>
  </soap:Body>
</soap:Envelope>

--
View this message in context: 
http://cxf.547215.n5.nabble.com/Clarification-of-CXF-client-handling-of-expired-cached-tokens-tp5743216p5743262.html
Sent from the cxf-user mailing list archive at Nabble.com.
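As an added example (my code, not the poster's setup or anything from CXF), the check below parses both time limits carried by an RSTR, saml2:Conditions/@NotOnOrAfter and wst:Lifetime/wsu:Expires, and reports which of them a given instant has already reached. With the posted values, NotOnOrAfter (18:11:11Z) falls two minutes before Expires (18:13:11Z), so an instant between the two is past the SAML condition while still inside the WS-Trust lifetime. The sample RSTR is constructed from the post's timestamps, with the signature, subject and attributes left out.

```python
# Added example (not from the post or from CXF): read both expiry limits in a
# WS-Trust RSTR carrying a SAML 2.0 assertion and report which have been reached.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the posted RSTR reduced to the elements that carry a time
# limit; the timestamps are the ones from the post.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="{wst}" xmlns:wsu="{wsu}">
  <wst:RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="{saml2}" ID="SamlAssertion-sample" Version="2.0"
        IssueInstant="2014-04-24T18:06:11.661Z">
      <saml2:Conditions NotBefore="2014-04-24T18:04:11.661Z" NotOnOrAfter="2014-04-24T18:11:11.662Z"/>
    </saml2:Assertion>
  </wst:RequestedSecurityToken>
  <wst:Lifetime>
    <wsu:Created>2014-04-24T18:06:11.702Z</wsu:Created>
    <wsu:Expires>2014-04-24T18:13:11.702Z</wsu:Expires>
  </wst:Lifetime>
</wst:RequestSecurityTokenResponse>""".format(**NS)


def parse_ts(value):
    """Parse an xs:dateTime such as 2014-04-24T18:11:11.662Z into an aware datetime."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def token_limits(rstr_xml):
    """Return {limit name: datetime} for each expiry limit present in the RSTR."""
    root = ET.fromstring(rstr_xml)
    limits = {}
    cond = root.find(".//saml2:Conditions", NS)  # SAML condition on the assertion
    if cond is not None and cond.get("NotOnOrAfter"):
        limits["NotOnOrAfter"] = parse_ts(cond.get("NotOnOrAfter"))
    expires = root.find("wst:Lifetime/wsu:Expires", NS)  # WS-Trust lifetime
    if expires is not None and expires.text:
        limits["Expires"] = parse_ts(expires.text)
    return limits


def exceeded_limits(rstr_xml, now):
    """Names of the limits 'now' has reached; a token is unusable once any one is."""
    return sorted(name for name, t in token_limits(rstr_xml).items() if now >= t)
```

If the 1:12pm in the post is US Central daylight time (the certificate subject is in Chicago), that is 18:12Z, which is exactly the window where only the SAML condition has been passed.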