OK, understood so far. Next thing is holder-of-key: I am referring to this WS-Trust article here: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Web_Services_Security_Guide/files/WsTrust-BasicScenario.html
It says, for the holder-of-key scenario (PublicKey variant): "The client must prove to the WS server that it possesses a particular private key." "... The server attempts to authenticate the client (by requiring a client X.509 certificate or by UsernameToken credentials) and checks that the client's identity matches the holder-of-key identity. ..."

Is this really true? I mean if I have to provide a SAML token AND a UsernameToken (or X.509 cert) this kinda contradicts the idea of an STS, no?

On Sun, Feb 22, 2015 at 5:53 PM, Andrei Shakirin <ashaki...@talend.com> wrote:
> Hi Frizz,
>
> Very briefly: in case of asymmetric binding, client signs parts of request
> to STS service with own private key (timestamp, WS-Addressing headers,
> message body).
> STS verifies the signature with client's certificate and ensures that
> client owns appropriate private key. After that STS creates SAML with
> client certificate as SubjectConfirmation.
> Additionally STS can encrypt the RSTR with SAML using client certificate,
> therefore only client with appropriate private key can use the SAML.
>
> Alternatives are symmetric and transport (SSL based) proof-of-possession.
> See following blog for details:
> http://owulff.blogspot.de/2012/02/saml-tokens-and-ws-trust-security-token.html
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Frizz [mailto:frizzthe...@googlemail.com]
> > Sent: Sunday, 22 February 2015 09:39
> > To: users@cxf.apache.org
> > Subject: STS with X.509 based authentication: How does proof-of-possession work?
> >
> > I'd like to use CXF STS in an X.509 authentication based scenario. What I don't
> > understand right now is how it does proof-of-possession. I mean anyone can
> > present a certificate to the STS - it does not mean that she has the private key.
> >
> > How does this work in CXF?
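The asymmetric-binding flow Andrei describes (client signs the request to the STS with its private key, the STS verifies it against the certificate and places that key in the SAML SubjectConfirmation, and the WS server then requires the presenter to sign with the same key), modelled as an added stand-alone example that is not CXF code. It uses a deliberately tiny textbook RSA with constructed primes so it runs on the standard library; the names `sts_issue` and `ws_accept` are hypothetical.

```python
"""Toy model of WS-Trust holder-of-key proof-of-possession (added example).
Real deployments use X.509 certificates and XML-Signature; this tiny RSA is
only a stand-in so the flow can be run with the standard library."""
import hashlib

HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def toy_keypair(p, q, e=65537):
    """Return (public, private) as (n, e), (n, d). Constructed demo primes only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    n, d = priv
    return pow(digest(msg) % n, d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg) % n

def token_bytes(token):
    """Canonical form of the signed token fields (stand-in for XML c14n)."""
    return f"{token['subject']}|{token['confirmation']}|{token['key']}".encode()

def sts_issue(sts_priv, client_pub, rst, rst_sig):
    """STS side: issue a holder-of-key token only if the RST signature verifies
    under the key in the presented certificate, i.e. the caller proved possession."""
    if not verify(client_pub, rst, rst_sig):
        return None  # certificate presented, but no proof of possession
    token = {"subject": "frizz-client", "confirmation": HOK, "key": client_pub}
    token["sts_sig"] = sign(sts_priv, token_bytes(token))
    return token

def ws_accept(sts_pub, token, request, presenter_sig):
    """WS server side: trust the STS signature on the token, then demand that the
    presenter signs the request with the key named in SubjectConfirmation."""
    if not verify(sts_pub, token_bytes(token), token["sts_sig"]):
        return False
    if token["confirmation"] != HOK:
        return False
    return verify(token["key"], request, presenter_sig)

def demo():
    sts_pub, sts_priv = toy_keypair(1000000007, 998244353)      # constructed primes
    client_pub, client_priv = toy_keypair(1000000009, 1000000021)
    other_pub, other_priv = toy_keypair(999999937, 999999929)   # knows client's cert only
    rst, req = b"<RequestSecurityToken/>", b"<soap:Body>order</soap:Body>"
    token = sts_issue(sts_priv, client_pub, rst, sign(client_priv, rst))
    refused = sts_issue(sts_priv, client_pub, rst, sign(other_priv, rst))
    return (token is not None, refused is None,
            ws_accept(sts_pub, token, req, sign(client_priv, req)),
            ws_accept(sts_pub, token, req, sign(other_priv, req)))
```

The last tuple element shows why a presented certificate alone is not enough: a replayed holder-of-key token is rejected by the WS server unless the request is signed by the matching private key.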