Hi, Nandana Mihindukulasooriya wrote:
> Hi Joana,
>
>> I implemented a SAMLTokenValidator using the org.apache.rahas.TokenValidator interface. I am returning a SOAP envelope containing a Status token with the Code set to either valid or invalid, according to the WS-Trust specification [1].
>
> Great. Can you create a patch and attach it to the JIRA issue so that you can contribute the source to the community.
>
>> My questions now are:
>>
>> 1.) Is it enough to just verify the Issuer's signature to state the token is valid? I've taken this approach as recommended in [3]:
>
> I also think this will be enough. But I think we should go through the SAML token profile [1] too, to be on the safe side. If a SAML v1.1 token is to be validated, what about the <saml:Conditions NotBefore="XXX" NotOnOrAfter="XXX"/>? Do we have to take it into consideration too when we return the token validity?

+1. I think we have to validate this in addition to verifying the signature of the token and making sure it is the issuer's cert that is used to sign it.
Thanks, Ruchith
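The validity decision discussed in this thread, as an added example that is not code from the thread or from Apache Rahas: it reads the saml:Conditions window of a SAML 1.1 assertion (with a small clock-skew allowance), combines it with the result of the issuer-signature check, and emits the wst:Status Code. The signature and issuer-cert check is assumed to have been done elsewhere and is passed in as a boolean; the WS-Trust 1.3 namespace and status URIs are assumed, and the sample assertion is constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # assumed: WS-Trust 1.3
VALID = WST + "/status/valid"
INVALID = WST + "/status/invalid"

def _parse_utc(value):
    # SAML uses xsd:dateTime; only the UTC "Z" form is handled here
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_hold(assertion_xml, now, skew=timedelta(seconds=60)):
    """True if 'now' lies within [NotBefore, NotOnOrAfter), allowing some clock skew."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("{%s}Conditions" % SAML1)
    if cond is None:
        return True  # no Conditions element: the issuer asserted no time window
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_utc(not_before):
        return False  # token not yet valid, even after allowing for skew
    if not_on_or_after and now - skew >= _parse_utc(not_on_or_after):
        return False  # token expired (NotOnOrAfter is exclusive)
    return True

def status_code(assertion_xml, issuer_signature_ok, now=None):
    """Signature/issuer-cert check result AND Conditions window -> wst:Status Code."""
    now = now or datetime.now(timezone.utc)
    if not issuer_signature_ok:
        return INVALID
    return VALID if conditions_hold(assertion_xml, now) else INVALID

def status_element(code):
    # The wst:Status element carried back in the RequestSecurityTokenResponse
    status = ET.Element("{%s}Status" % WST)
    ET.SubElement(status, "{%s}Code" % WST).text = code
    return ET.tostring(status, encoding="unicode")

# Constructed sample: a SAML 1.1 assertion valid for five minutes
SAMPLE = ('<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1">'
          '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" '
          'NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:Assertion>' % SAML1)

if __name__ == "__main__":
    print(status_element(status_code(SAMPLE, True, _parse_utc("2024-01-01T12:02:00Z"))))
```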