I've been looking at using SAML tokens signed by the issuer to authorize
access to a service. We're planning to use bearer confirmation, and keep
the tokens secure by always using secure transport (without any
message-level signing or encryption). I've got two questions in regard
to this configuration:
1. Can the WS-SecurityPolicy for the services be structured to require
the presence of a SAML token signed by a particular issuer (as
identified by an X.509 certificate)?
2. Is there anything in the WS-Security specification or related
specifications which require services to verify the issuer signature of
a SAML token used in this way?
This publicly archived list offers a means to provide input to the
OASIS Web Services Secure Exchange (WS-SX) TC.
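As an added illustration that is not part of the poster's message or any OASIS text, this is what the configuration described above looks like as a WS-SecurityPolicy 1.2 policy: an HTTPS transport binding with a SAML 2.0 bearer assertion carried as a supporting token, and no message-level signing or encryption. The policy id and the choice of algorithm suite are assumptions; note that this fragment by itself neither pins the token to a particular issuer certificate nor forces signature validation, so the service's token validator still has to check the assertion's issuer signature against the trusted issuer certificate before accepting a bearer assertion.

```xml
<!-- Constructed example policy; wsu:Id and algorithm suite are assumed values -->
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="SamlBearerOverTlsPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Confidentiality and integrity come from the transport (TLS), not from WS-Security signatures -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256Sha256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- The SAML 2.0 assertion travels as a supporting token in the wsse:Security header;
           with bearer confirmation the recipient relies solely on the issuer's signature
           inside the assertion, which this policy does not verify on its own -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV20Token11/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```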