
mace-opensaml-users - Re: [OpenSAML] Embedded SecurityTokenReference in EncryptedKey (Unsupported key identification)

Subject: OpenSAML user discussion

  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Embedded SecurityTokenReference in EncryptedKey (Unsupported key identification)
  • Date: Fri, 18 Mar 2011 14:26:41 -0400



On 3/18/11 7:26 AM, Enrique Sabatel wrote:

> However, when I change the SecurityTokenReference to Embedded, like this:
>
> <wsse:SecurityTokenReference>
>     <wsse:Embedded>
>         <wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SomeCert">MIIC....1M=</wsse:BinarySecurityToken>
>     </wsse:Embedded>
> </wsse:SecurityTokenReference>

This ostensibly looks fine to me, although I'm not a WS-Security guru.

> I get this error
>
> An error was discovered processing the <wsse:Security> header (Unsupported key identification)

Presumably this error is being generated by some code other than OpenSAML, that is processing what you are creating?  I can't find that our code would ever emit such a message.  Indeed, we don't really have any support for WS-S processing, just for the XML-Java bindings.

> Shouldn't this kind of token reference be supported?? Or am I missing something?

AFAIK, it's legal (at least syntactically), but it's really probably up to the profile (implicit or otherwise) that's implemented by the recipient of the WS-S message that you are generating.  You probably need to ask them what they do and don't support.
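
An added example, not part of the original message and not OpenSAML's or any recipient's code: a recipient-side check that classifies which reference form a wsse:SecurityTokenReference uses and rejects forms outside its profile, which is the kind of decision the reply above attributes to the recipient. The form labels, the `supported` set and the `check_profile` helper are assumptions; the first sample follows the fragment in the thread (with a namespace declaration added), the second is constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Child of wsse:SecurityTokenReference -> label for the reference form (labels are assumptions).
FORMS = {f"{{{WSSE}}}Reference": "direct", f"{{{WSSE}}}KeyIdentifier": "key-identifier",
         f"{{{WSSE}}}Embedded": "embedded", f"{{{DS}}}X509Data": "x509-data"}

# Shaped like the fragment in the thread; xmlns:wsse is added here, the token stays elided.
EMBEDDED = (
    f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE}"><wsse:Embedded>'
    f'<wsse:BinarySecurityToken xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility" '
    f'EncodingType="{B64}" ValueType="{X509V3}" wsu:Id="SomeCert">MIIC....1M='
    '</wsse:BinarySecurityToken></wsse:Embedded></wsse:SecurityTokenReference>')
# Constructed sample: the same token referenced by Id instead of embedded.
DIRECT = (f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE}">'
          f'<wsse:Reference URI="#SomeCert" ValueType="{X509V3}"/></wsse:SecurityTokenReference>')

def classify_str(xml_text):
    """Return (form, value_type) for the first SecurityTokenReference in xml_text."""
    root = ET.fromstring(xml_text)
    tag = f"{{{WSSE}}}SecurityTokenReference"
    str_el = root if root.tag == tag else root.find(f".//{tag}")
    if str_el is None:
        raise ValueError("no wsse:SecurityTokenReference found")
    for child in str_el:
        form = FORMS.get(child.tag)
        if form == "embedded":
            # The ValueType lives on the embedded token, not on wsse:Embedded itself.
            token = child.find(f"{{{WSSE}}}BinarySecurityToken")
            return form, None if token is None else token.get("ValueType")
        if form is not None:
            return form, child.get("ValueType")
    return "unknown", None

def check_profile(xml_text, supported):
    """Hypothetical recipient policy: accept only the reference forms listed in supported."""
    form, _ = classify_str(xml_text)
    return form in supported, form

if __name__ == "__main__":
    supported = {"direct", "key-identifier"}  # assumed recipient profile
    for name, doc in (("embedded", EMBEDDED), ("direct", DIRECT)):
        ok, form = check_profile(doc, supported)
        print(name, "->", "accepted" if ok else f"unsupported key identification ({form})")
```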


