Hi Frizz,

Very briefly: in the case of asymmetric binding, the client signs parts of the request to the STS service with its own private key (timestamp, WS-Addressing headers, message body). The STS verifies the signature with the client's certificate and ensures that the client owns the appropriate private key. After that, the STS creates a SAML token with the client certificate as SubjectConfirmation. Additionally, the STS can encrypt the RSTR with the SAML token using the client certificate, so only the client with the appropriate private key can use the SAML token.

Alternatives are symmetric and transport (SSL-based) proof-of-possession. See the following blog for details: http://owulff.blogspot.de/2012/02/saml-tokens-and-ws-trust-security-token.html

Regards,
Andrei.

> -----Original Message-----
> From: Frizz [mailto:[email protected]]
> Sent: Sunday, 22 February 2015 09:39
> To: [email protected]
> Subject: STS with X.509 based authentication: How does proof-of-possession work?
>
> I'd like to use CXF STS in an X.509 authentication based scenario. What I don't
> understand right now is how it does proof-of-possession. I mean anyone can
> present a certificate to the STS - it does not mean that she has the private
> key.
>
> How does this work in CXF?
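The asymmetric-binding flow described in the reply above, as an added example that is not part of this thread and not CXF code: a self-contained Go simulation using only the standard library, in which the STS verifies the request signature against the presented certificate before issuing a holder-of-key token, and an impostor who holds the same certificate but not its private key is rejected. The self-signed certificate, the request parts and the token format are constructed here for illustration; the RSTR is encrypted directly with RSA-OAEP for brevity rather than with a wrapped symmetric key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert makes a throwaway self-signed certificate for key (test fixture only).
func selfSignedCert(key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// clientSign: the requester signs the parts (timestamp, WS-Addressing headers, body) with the key it claims to hold.
func clientSign(key *rsa.PrivateKey, parts []byte) []byte {
	h := sha256.Sum256(parts)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return sig
}

// stsIssue is the STS side: the signature must verify under the presented certificate's public key
// (proof-of-possession); only then a holder-of-key token is issued, encrypted to that same key.
func stsIssue(parts, sig []byte, cert *x509.Certificate) ([]byte, error) {
	if err := cert.CheckSignature(x509.SHA256WithRSA, parts, sig); err != nil {
		return nil, fmt.Errorf("proof-of-possession failed: %w", err)
	}
	token := fmt.Sprintf("<SubjectConfirmation method=holder-of-key cert-sha256=%x/>", sha256.Sum256(cert.Raw))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), []byte(token), nil)
}

// RunScenario: a genuine client, then an impostor who presents the same certificate but
// signs with a different key. Returns the decrypted token and the impostor's error.
func RunScenario() (string, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostorKey, _ := rsa.GenerateKey(rand.Reader, 2048) // holds the cert, not its private key
	cert := selfSignedCert(key)
	parts := []byte("<Timestamp>2015-02-22T09:39:00Z</Timestamp><To>sts.example</To><Body>RST</Body>") // constructed
	enc, _ := stsIssue(parts, clientSign(key, parts), cert)
	plain, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, enc, nil) // only the key holder can open it
	_, impostorErr := stsIssue(parts, clientSign(impostorKey, parts), cert)
	return string(plain), impostorErr
}
```

The second stsIssue call fails at the signature check, which is the point of the reply: presenting the certificate alone proves nothing, signing with its private key does.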
