Comments on Open Source Security: Renewing SAML Tokens in the Apache CXF STS

Reaper (2013-04-11):

Hi Colm,

I have a question that relates to your statement: "Assuming that the client request is authenticated and well-formed". I'm interpreting this as meaning that the request to renew the token must itself contain some valid token in the WS-Security header that enables successful authentication and authorization with the STS for the purpose of token renewal.

For example, I'm assuming that a service wishing to renew a token (perhaps so it could propagate it to another service) could make the request using a BST tied to its certificate credentials. Is this correct?

Similarly, I am assuming that you could use another valid SAML token to renew an expired SAML token. Is this also correct?

Thank you, in general, for the great work and support for this feature.

Colm O hEigeartaigh (2013-04-12):

Yes, this interpretation is correct. You can authenticate using any token that conforms to the WS-SecurityPolicy requirement of the STS port that is in operation. However, you must present the token to be renewed in either the security header (+ reference it in the RST), or else put the token in the RST directly.

So yes, you could in theory use (another) valid SAML Token to renew a SAML Token, by placing the valid SAML Token in the security header, and putting the expired token to be renewed in the RST. You would need to disable proof of possession I guess in the SAMLTokenRenewer as well.

Colm.