mace-opensaml-users - RE: A suggestion about digital signatures

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: A suggestion about digital signatures
  • Date: Fri, 21 Sep 2007 11:37:19 -0400
  • Organization: The Ohio State University

> The problem is still the same: if we don't accept two assertions in one
> <RequestedSecurityToken /> element, how can I add two assertions
> in <wsse:Security /> element?

WS-Trust message elements don't belong in headers. I've seen them do it, but
I think it looks ridiculous. What you were dealing with is how to return
them from the WS-Trust server, and that's not in a header, it's the body.

If you want to attach two assertions later, you put them both in the
Security header, that's all. Possibly inside STRs, I guess, depends on the
situation.

> I can put two Security headers and reference them as tokens, but ?

You can't have two Security headers, IIRC. The one header is just a big pile
of "stuff", tokens, signatures, encrypted stuff, keys, etc.

> I know, since there are no profiles, I can do what I want in principle,
> but I would like to know also your opinion.

My opinion is you should avoid inventing security protocols. Look at fully
formed specs that use WS-Security and if they don't do what you need, you
could adjust or extend those rather than inventing a whole new pile of
stuff.

-- Scott
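
A layout check for the arrangement described in this reply, added here as an example; it is not part of the original post and not OpenSAML code. It assumes SOAP 1.1, SAML 2.0 and WS-Trust 1.3 namespaces; the function names, assertion IDs and issuer URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

# Constructed sample: one Security header carrying two unsigned, abbreviated
# assertions. IDs and issuers are made up.
SAMPLE = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:saml="{SAML}">
  <S:Header>
    <wsse:Security S:mustUnderstand="1">
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-09-21T15:00:00Z">
        <saml:Issuer>https://idp-a.example.org</saml:Issuer>
      </saml:Assertion>
      <saml:Assertion ID="_b2" Version="2.0" IssueInstant="2007-09-21T15:00:05Z">
        <saml:Issuer>https://idp-b.example.org</saml:Issuer>
      </saml:Assertion>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


def inspect_header(envelope_xml):
    """Summarise the security-relevant layout of a SOAP 1.1 header."""
    # ElementTree is not hardened against hostile XML; parse untrusted
    # messages with a hardened parser such as defusedxml instead.
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return {"security_headers": 0, "assertion_ids": [], "wst_in_header": []}
    security = header.findall(f"{{{WSSE}}}Security")
    # iter() also finds assertions nested deeper, e.g. embedded in an STR.
    ids = [a.get("ID") for s in security for a in s.iter(f"{{{SAML}}}Assertion")]
    # WS-Trust elements anywhere under the header, which the reply advises against.
    wst = [e.tag.split("}", 1)[1] for e in header.iter()
           if e.tag.startswith(f"{{{WST}}}")]
    return {"security_headers": len(security), "assertion_ids": ids,
            "wst_in_header": wst}


def layout_ok(report):
    """True when the message follows the layout the reply describes."""
    return report["security_headers"] == 1 and not report["wst_in_header"]
```

The check covers layout only; it does not validate signatures, conditions or subject confirmation on either assertion.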
