If an RST contains an ActAs element that contains a SAML Assertion, the STS is supposed to stick that Assertion into the Advice element of the new Assertion it is creating. The STS doesn't do that by default, but as I recall I implemented a SAML custom handler to do that. What the STS does do by default (in DefaultSubjectProvider) is, if the generated Assertion has Advice, then the Subject/NameID element in the generated Assertion is set to be the same as the Subject of the Advice Assertion. I was looking for a specification reason for why that was, because I was getting asked about it; I think I found what I was looking for, but of course I can't find it now :P
Thanx,
SwC

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Thursday, February 16, 2017 11:57 AM
To: [email protected]
Subject: Re: CXF STS ActAs / Advice Subject Handling

Hi Stephen,

The STS does not currently handle "Advice" Elements by default. What relationship is there in your use-case between "Advice" and "ActAs"?

Colm.

On Fri, Feb 10, 2017 at 1:23 PM, <[email protected]> wrote:
> Hi -
>
> When I send an RST to my STS (CXF 2.7.14) to get a holder-of-key token with Advice, it looks like the token I get back has a Subject that matches the X509 cert in the Advice rather than its own cert. It looks like it's supposed to be this way based on what I see in DefaultSubjectProvider, is that correct? Is that spelled out in ws-trust or one of the saml specs somewhere? It makes sense to me that it should work that way, but I'm getting some questions about it and would like to be able to point to something that says why it is that way.
>
> Thanx,
>
> Stephen W. Chappell

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
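The behaviour described in this thread (an issued Assertion whose Subject/NameID is copied from the Assertion nested under Advice, the way DefaultSubjectProvider is said to do it) is easy to misread in a raw token, so here is an added illustration that is not part of the thread and not CXF code. It is a plain-Python model of that rule plus the check a relying party would run on a received token: if an Advice Assertion is present, the outer Subject/NameID must equal the inner one. The issuer URNs, the "alice" principal, the assertion IDs and the ActAs assertion itself are all constructed for the example; the holder-of-key SubjectConfirmation is left without KeyInfo, and the example compares NameIDs rather than the X509 certificate the original question mentions.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ET.register_namespace("saml2", SAML2)

# Constructed ActAs assertion, as it would arrive inside the RST (not a real IdP's output).
ACTAS_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Version="2.0" ID="_actas-1">'
    "<saml2:Issuer>urn:example:idp</saml2:Issuer>"
    "<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>"
    "</saml2:Assertion>"
)


def q(local):
    """Clark-notation name for an element in the SAML 2.0 assertion namespace."""
    return "{%s}%s" % (SAML2, local)


def subject_name_id(assertion):
    """Text of Subject/NameID for a parsed assertion, or None if absent."""
    el = assertion.find("saml2:Subject/saml2:NameID", NS)
    return el.text if el is not None else None


def advice_assertion(assertion):
    """First Assertion nested under Advice, or None if there is no Advice."""
    return assertion.find("saml2:Advice/saml2:Assertion", NS)


def effective_subject(requested_name_id, advice):
    """The rule the thread describes: with an Advice assertion present, the issued
    NameID is taken from it; otherwise the requested NameID is used."""
    if advice is not None:
        inner = subject_name_id(advice)
        if inner is not None:
            return inner
    return requested_name_id


def issue_assertion(issuer, requested_name_id, advice_xml=None):
    """Build a holder-of-key SAML 2.0 assertion, attaching the ActAs assertion
    under Advice (if given) and deriving Subject/NameID from it."""
    advice = ET.fromstring(advice_xml) if advice_xml else None
    root = ET.Element(q("Assertion"), {"Version": "2.0", "ID": "_issued-1"})
    ET.SubElement(root, q("Issuer")).text = issuer
    subject = ET.SubElement(root, q("Subject"))
    ET.SubElement(subject, q("NameID")).text = effective_subject(requested_name_id, advice)
    conf = ET.SubElement(subject, q("SubjectConfirmation"), {"Method": HOK})
    ET.SubElement(conf, q("SubjectConfirmationData"))  # KeyInfo for the HoK key would go here
    if advice is not None:
        ET.SubElement(root, q("Advice")).append(advice)
    return ET.tostring(root, encoding="unicode")


def issued_subject(assertion_xml):
    """Subject/NameID of a serialized assertion."""
    return subject_name_id(ET.fromstring(assertion_xml))


def subject_matches_advice(assertion_xml):
    """Relying-party check: if the token carries an Advice assertion, its outer
    Subject/NameID must equal the Advice assertion's Subject/NameID."""
    assertion = ET.fromstring(assertion_xml)
    advice = advice_assertion(assertion)
    if advice is None:
        return True  # nothing to compare against
    return subject_name_id(assertion) == subject_name_id(advice)


if __name__ == "__main__":
    token = issue_assertion("urn:example:sts", "urn:example:service-b", ACTAS_ASSERTION)
    print(token)
    print("subject:", issued_subject(token), "consistent:", subject_matches_advice(token))
```

Running it shows the issued token's NameID is "alice" (from Advice) even though "urn:example:service-b" was requested; without an Advice assertion the requested NameID is kept. The check function is the piece worth keeping around when fielding the "why does the subject match the Advice cert?" question, since it turns the convention into something you can assert on received tokens.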
