Comment 0 for bug 1689424

Blake Covarrubias (blakegc) wrote : Allow custom EndpointReference in ADFSPassword

Allow custom EndpointReference in ADFSPassword

The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value 'self.service_provider_endpoint'.

The WS-Trust specification states that the WS-PolicyAttachment [2] 'AppliesTo' "...element specifies the scope for which this security token is desired" [1]. Therefore, this value is used by ADFS' Security Token Service (STS) to identify the intended Relying Party Trust. STS correspondingly uses the 'AppliesTo' value as the AudienceRestriction (RPID) in the SAML 1.0 assertion. This may not be desirable if the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse differs from the Service Provider's SAML entity ID.

This commit introduces the ability to modify the EndpointReference in the RequestSecurityToken message via the 'service_provider_entity_id' variable. If omitted, the value defaults to 'service_provider_endpoint' to preserve backward compatibility.

[1] http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064957
[2] https://www.w3.org/Submission/WS-PolicyAttachment/#ExternalAttachmentDeployedEndpoints
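The coupling described in the comment above (the RequestSecurityToken 'AppliesTo' Address becoming the AudienceRestriction of the issued SAML 1.0 assertion) worked through as an added example. This is not keystoneauth's code and not the author's patch: the endpoint and entity-ID URLs are constructed, the STS is a minimal stand-in that copies AppliesTo into the audience (no signing, no real ADFS), and the helper names (build_rst, sts_issue_assertion, sp_accepts, demo) are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Namespaces used by a WS-Trust 1.3 RequestSecurityToken and a SAML 1.x assertion.
NS = {
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, tag):
    """Clark-notation qualified name, e.g. {uri}Tag."""
    return "{%s}%s" % (NS[prefix], tag)


def build_rst(service_provider_endpoint, service_provider_entity_id=None):
    """Build the RST body. The AppliesTo address is the entity ID when
    given, otherwise the endpoint (the pre-patch behaviour described above)."""
    address = service_provider_entity_id or service_provider_endpoint
    rst = ET.Element(q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    applies_to = ET.SubElement(rst, q("wsp", "AppliesTo"))
    epr = ET.SubElement(applies_to, q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = address
    ET.SubElement(rst, q("wst", "KeyType")).text = NS["wst"] + "/Bearer"
    ET.SubElement(rst, q("wst", "TokenType")).text = NS["saml"]
    return rst


def applies_to_address(rst):
    """Extract wsp:AppliesTo/wsa:EndpointReference/wsa:Address from an RST."""
    return rst.findtext(
        "wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)


def sts_issue_assertion(rst):
    """Constructed stand-in for the ADFS STS: it identifies the Relying Party
    by the AppliesTo address and echoes that address as the SAML 1.0 audience.
    Real ADFS also signs the assertion; that is omitted here."""
    assertion = ET.Element(q("saml", "Assertion"), MajorVersion="1", MinorVersion="1")
    conditions = ET.SubElement(assertion, q("saml", "Conditions"))
    restriction = ET.SubElement(conditions, q("saml", "AudienceRestrictionCondition"))
    ET.SubElement(restriction, q("saml", "Audience")).text = applies_to_address(rst)
    return assertion


def assertion_audiences(assertion):
    """All saml:Audience values carried by the assertion."""
    return [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience",
            namespaces=NS)
    ]


def sp_accepts(assertion, sp_entity_id):
    """A Service Provider accepts the assertion only if its own entity ID is
    among the audiences; anything else is a token issued for someone else."""
    return sp_entity_id in assertion_audiences(assertion)


def demo():
    """Constructed SP whose passive endpoint differs from its SAML entity ID.
    Returns (accepted_with_default, accepted_with_entity_id)."""
    endpoint = "https://sp.example.org/Shibboleth.sso/ADFS"   # assumed URL
    entity_id = "https://sp.example.org/shibboleth"           # assumed URL
    # Default: AppliesTo = endpoint, so the audience is the endpoint and the
    # SP (checking against its entity ID) rejects the assertion.
    before = sp_accepts(sts_issue_assertion(build_rst(endpoint)), entity_id)
    # With service_provider_entity_id set, the audience matches the SP.
    after = sp_accepts(
        sts_issue_assertion(build_rst(endpoint, entity_id)), entity_id)
    return before, after


if __name__ == "__main__":
    print(ET.tostring(build_rst("https://sp.example.org/Shibboleth.sso/ADFS",
                                "https://sp.example.org/shibboleth"),
                      encoding="unicode"))
    print(demo())
```

Running the module prints the RST with the entity ID in the Address element and then `(False, True)`: the same STS, fed the endpoint as AppliesTo, yields an assertion the SP cannot accept, which is the situation the commit message describes.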