Ok I've merged a fix for this problem + a working test-case to CXF, if you could test with the updated code that'd be great. You need to make a few changes to your client configuration. The STSClient configuration is for the STS that the client "knows" about. I've added a new jax-ws property called "ws-security.sts.prefer-wsmex" (which defaults to false) which must be set to true.
The way it works is that when this variable is set to true, the client does not use the configured STSClient to contact the initial STS via WS-MEX. If the returned service has an IssuedToken policy, then the STSClient is used to obtain a token from this STS, and then this token is used to obtain another token from the other STS instance, which in turn is sent to the service.

Testcase here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain;h=3cbc6828505c2093c6537dfb0e0bd19db3c7b566;hb=2.7.x-fixes
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain;h=b558a26b250a93f4b3aaab3a7feec3b4b89ca44c;hb=2.7.x-fixes

Colm.

On Mon, Jun 23, 2014 at 1:11 PM, roband915 <[email protected]> wrote:

> The somewhat complex environment consists of the web application (on Tomcat)
> that is configured using a proxy Shibboleth SP (on an Apache) and this in
> turn is configured to request a SAML-assertion from the ADFS.
>
> The user then calls a WS-trust enabled web service and this is where the
> CXF magic should happen.
>
> I believe the IssuedToken-Port on the ADFS is the correct one to use.
>
> The "blurry" part is how the connection is made in WS-trust between the issued
> token and the existing assertion in the STS.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Issue-with-WS-Trust-using-security-tokens-SAML-assertions-tp5744142p5745487.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
