The three assertions are definitely created by the client (by me). Can't understand that layout, but never used SAML before so can't tell if it's usual or not. I guess the service provider didn't, either. We are slowly collaborating on getting the thing done and I hope we can improve the server part together but ultimately I can't contribute to the broken code.
In the unlikely case it will ever help someone, I'll share here the code I used to work around this problem by manually adding three SAML assertions to the SOAP header: https://gist.github.com/anonymous/c9d609103100146506e7b6d1dd168afe

On Mon, 20 Mar 2017 at 13:25, Colm O hEigeartaigh <[email protected]> wrote:

> What I meant was why are there three assertions in the security header (and not one)? Are the assertions meant to be created by the client or obtained from a third-party service of some kind?
>
> Colm.
>
> On Mon, Mar 20, 2017 at 12:09 PM, Raffaele Sgarro <[email protected]> wrote:
>
> Hi Colm,
>
> thanks for your valuable insights. Indeed the WSDL is broken in a number of ways but comes from the service provider and I don't think it will be fixed anytime soon. I worked around it a number of ways: added a ManualSAMLOutInterceptor, enabled the WSAddressing feature, and counting...
>
> Just for curiosity, what do you mean by "The example request contains three SAML Assertions. This is also rather unusual...who is supposed to be providing these Assertions?"?
>
> On Mon, 20 Mar 2017 at 12:37, Colm O hEigeartaigh <[email protected]> wrote:
>
> The security policy in the WSDL is unusual to say the least. It defines an AsymmetricBinding policy, but no SignedParts/EncryptedParts so no security is actually applied to the SOAP request. I find it hard to believe that this is the desired behaviour?
>
> The example request contains three SAML Assertions. This is also rather unusual...who is supposed to be providing these Assertions? The SAML CallbackHandler is not called by the way, because there is no SamlToken policy in the WSDL.
>
> Colm.
>
> On Thu, Mar 16, 2017 at 7:19 AM, Raffaele Sgarro <[email protected]> wrote:
>
> > I have this web service that requires SAML assertions:
> >
> > - Example request: https://hastebin.com/uducuyobuv.xml
> > - WSDL: https://hastebin.com/yapotuqiqu.wsdl
> > - XSD: https://hastebin.com/udoworowig.xsd
> >
> > I put a CallbackHandler in the SecurityConstants.SAML_CALLBACK_HANDLER key but it is never called.
> >
> > It seems to me that the security policy does not reference SAML in any way, so I may need to manually configure CXF. But how?
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
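
The two policy gaps Colm points out in the thread above (a message-level binding with no SignedParts/EncryptedParts, and no SamlToken assertion) can be checked mechanically before deploying a client. The script below is an added example, not code from this thread or from CXF; the policy documents are constructed samples that mirror only those two properties, and `audit_policy` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.1 and 1.2 namespaces.
SP_NAMESPACES = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}
# Bindings that protect the message itself (unlike TransportBinding).
MESSAGE_BINDINGS = {"AsymmetricBinding", "SymmetricBinding"}
# Assertions that say WHAT is signed or encrypted.
PROTECTION = {"SignedParts", "SignedElements", "EncryptedParts",
              "EncryptedElements", "ContentEncryptedElements"}

def sp_assertions(xml_text):
    """Return the local names of all WS-SecurityPolicy elements in the document."""
    names = set()
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.startswith("{"):
            ns, local = elem.tag[1:].split("}", 1)
            if ns in SP_NAMESPACES:
                names.add(local)
    return names

def audit_policy(xml_text):
    """Hypothetical helper: list the gaps discussed in the thread, if present."""
    names = sp_assertions(xml_text)
    findings = []
    bindings = sorted(names & MESSAGE_BINDINGS)
    if bindings and not names & PROTECTION:
        findings.append(f"{bindings[0]} without SignedParts/EncryptedParts: "
                        "nothing in the SOAP message is signed or encrypted")
    if "SamlToken" not in names:
        findings.append("no SamlToken assertion: the policy never asks for a SAML token")
    return findings

# Constructed sample: a binding with a token but no protection assertions.
BROKEN = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>
  </wsp:Policy></sp:AsymmetricBinding>
</wsp:Policy>"""

# Constructed sample: the same policy with the body signed and a SAML token required.
FIXED = BROKEN.replace("</sp:AsymmetricBinding>", "</sp:AsymmetricBinding>"
    "<sp:SignedParts><sp:Body/></sp:SignedParts>"
    "<sp:SignedSupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy>"
    "</sp:SignedSupportingTokens>")

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_policy(doc))
```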
