
mace-opensaml-users - RE: A suggestion about digital signatures

Subject: OpenSAML user discussion


RE: A suggestion about digital signatures


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: A suggestion about digital signatures
  • Date: Sun, 23 Sep 2007 14:33:12 -0400

> Yes, sorry, this was my fault with the language! :-)

I think you were just mixing two steps of the problem and I wasn't sure
which one you were talking about.

> I have the Tokens returned by WS-Trust and I have to put them in
> the wsse:Security element to forward them to another webservice call.

Right. So, apparently the right way to return them from WS-Trust is with a
collection element, and as far as WSS is concerned, as I told you, you
generally have one Security header, and you just put all your tokens inside
that header.

> Client asks for a SAML Authentication assertion to a STS via WS-Trust. The
> STS asks the Attribute Authority via samlp:AttributeQuery. If the query
> returns success, the STS returns to the client the
> RequestSecurityTokenCollection containing the Auth Assertion and Attribute
> Assertion.

Keep in mind there's no clear way to get the AA to return an assertion that
is forwardable to some other entity. A query normally returns something for
use by the requester, not for somebody else. There are advanced mechanisms
involved in doing something like you're describing, and a typical AA might
not support them. This is all connected to what I meant about inventing new
protocols.

> I am not trying to invent a new security protocol. Simply, I'm trying
> to take the IHE XUA profile by the horns,

I know, but that is in fact what you're doing.

> that specifies the use of WS-Trust for getting SAML assertions. I have
> these doubts because the profile does not specify well how messages are
> formed, and I'm trying to implement it.

Then the spec is incomplete, it's that simple.

-- Scott
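The two points Scott makes above, that the tokens all go inside a single wsse:Security header and that an assertion obtained from an attribute authority is normally scoped to the requester rather than to some downstream service, can be checked structurally on the receiving side. The following is an added example, not code from this thread or from OpenSAML: it parses a constructed SOAP 1.1 envelope with the Python standard library, counts the Security headers, lists the SAML 2.0 assertions carried in them, and reports for each whether its AudienceRestriction names the receiving service. The envelope, issuer URLs, audience values and the `check_message` function are all invented for illustration; signature verification is assumed to be done by the WSS stack and is not attempted here.

```python
"""Structural checks on the wsse:Security header of an incoming SOAP message.

Added example (assumption-laden, not the list's or OpenSAML's code):
one SOAP 1.1 envelope, one wsse:Security header, two SAML 2.0 assertions.
The second assertion is audience-restricted to the STS that asked for it,
which is the "for use by the requester, not for somebody else" case.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample message; every URL and ID below is made up.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:saml2="{NS['saml2']}">
      <saml2:Assertion ID="_authn-0001" Version="2.0" IssueInstant="2007-09-23T18:00:00Z">
        <saml2:Issuer>https://sts.example.org/idp</saml2:Issuer>
        <saml2:Subject><saml2:NameID>alice@example.org</saml2:NameID></saml2:Subject>
        <saml2:Conditions>
          <saml2:AudienceRestriction>
            <saml2:Audience>https://clinical.example.org/ws</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2007-09-23T17:59:00Z">
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
      </saml2:Assertion>
      <saml2:Assertion ID="_attr-0002" Version="2.0" IssueInstant="2007-09-23T18:00:00Z">
        <saml2:Issuer>https://aa.example.org/aa</saml2:Issuer>
        <saml2:Subject><saml2:NameID>alice@example.org</saml2:NameID></saml2:Subject>
        <saml2:Conditions>
          <saml2:AudienceRestriction>
            <saml2:Audience>https://sts.example.org/idp</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
          <saml2:Attribute Name="urn:example:role">
            <saml2:AttributeValue>physician</saml2:AttributeValue>
          </saml2:Attribute>
        </saml2:AttributeStatement>
      </saml2:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>
"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def security_headers(root):
    """All wsse:Security headers in the envelope (the WSS norm is one)."""
    return root.findall("soap:Header/wsse:Security", NS)


def audiences(assertion):
    """Set of Audience values from the assertion's AudienceRestriction(s)."""
    path = "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience"
    return {a.text.strip() for a in assertion.findall(path, NS) if a.text}


def describe_token(assertion, expected_audience):
    """Summarise one assertion and say whether it is scoped to us.

    Policy choice (an assumption of this example): an assertion with no
    AudienceRestriction at all is also reported as not acceptable, so a
    token that was never meant to be forwarded is flagged rather than
    silently accepted.
    """
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS)
    return {
        "id": assertion.get("ID"),
        "issuer": issuer.strip(),
        "statements": sorted(local_name(c.tag) for c in assertion
                             if local_name(c.tag).endswith("Statement")),
        "audience_ok": expected_audience in audiences(assertion),
    }


def check_message(xml_text, expected_audience):
    """Parse the envelope and report header count, tokens and an overall verdict."""
    root = ET.fromstring(xml_text)
    headers = security_headers(root)
    tokens = [describe_token(child, expected_audience)
              for hdr in headers for child in hdr
              if local_name(child.tag) == "Assertion"]
    return {
        "header_count": len(headers),
        "tokens": tokens,
        # Exactly one Security header, at least one token, every token for us.
        "ok": len(headers) == 1 and bool(tokens)
              and all(t["audience_ok"] for t in tokens),
    }


if __name__ == "__main__":
    report = check_message(SAMPLE_ENVELOPE, "https://clinical.example.org/ws")
    for t in report["tokens"]:
        print(t["id"], t["issuer"], t["statements"], "audience_ok=%s" % t["audience_ok"])
    print("header_count=%d ok=%s" % (report["header_count"], report["ok"]))
```

Run against the constructed envelope, the authentication assertion passes the audience test and the attribute assertion does not, because the attribute authority issued it for the STS that queried it, so the overall verdict is a rejection. The check treats any second wsse:Security header as a problem; a deployment that deliberately uses actor- or role-targeted headers would need to relax that and key the check on the actor attribute instead.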





Archive powered by MHonArc 2.6.16.