The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value 'self.service_provider_endpoint'.
The WS-Trust specification states that the WS-PolicyAttachment [2] 'AppliesTo' "...element specifies the scope for which this security token is desired" [1]. Therefore, this value is used by ADFS' Security Token Service (STS) to identify the intended Relying Party Trust. STS correspondingly uses the 'AppliesTo' value as the AudienceRestriction (RPID) in the SAML 1.0 assertion. This may not be desirable if the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse differs from the Service Provider's SAML entity ID.
This commit introduces the ability to modify the EndpointReference in the RequestSecurityToken message via the 'service_provider_entity_id' variable. If omitted, the value defaults to 'service_provider_endpoint' to preserve backward compatibility.
Allow custom EndpointReference in ADFSPassword
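The mismatch the message describes, as an added illustration that is not code from the plugin or its project: a minimal builder for the RST's 'AppliesTo' element, a simplified STS model that mirrors that address into the SAML 1.0 AudienceRestriction, and the audience check a relying party performs. The endpoint and entity ID values are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespaces used by WS-Trust 1.3 RequestSecurityToken messages and SAML 1.x assertions
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample values: the passive endpoint that consumes the RSTR and the SP's entity ID differ
SP_ENDPOINT = "https://sp.example.com/Shibboleth.sso/ADFS"
SP_ENTITY_ID = "https://sp.example.com/shibboleth"


def build_applies_to(service_provider_endpoint, service_provider_entity_id=None):
    """Build wsp:AppliesTo/wsa:EndpointReference/wsa:Address for an RST.

    Mirrors the behaviour described in the commit message: the entity ID is used
    when given, otherwise the endpoint is used (backward-compatible default).
    """
    address = service_provider_entity_id or service_provider_endpoint
    applies_to = ET.Element(f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies_to, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = address
    return applies_to


def applies_to_address(applies_to):
    """Extract the Address the STS will treat as the relying party scope."""
    return applies_to.find(f"{{{WSA}}}EndpointReference/{{{WSA}}}Address").text


# Constructed skeleton of a SAML 1.0 assertion; only the audience condition is modelled
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
    "<saml:Conditions><saml:AudienceRestrictionCondition>"
    "<saml:Audience>{audience}</saml:Audience>"
    "</saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion>"
)


def simulate_sts(applies_to):
    """Simplified STS model (assumption): AppliesTo address becomes the assertion's Audience."""
    return ASSERTION_TEMPLATE.format(audience=applies_to_address(applies_to))


def audience_matches(assertion_xml, expected_entity_id):
    """Relying-party check: accept only if our entity ID appears in AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.iter(f"{{{SAML1}}}Audience")]
    return expected_entity_id in audiences
```

With the default, the assertion's audience is the endpoint URL and the SP's audience check fails; passing the entity ID makes the audience match.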
[1] http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064957
[2] https://www.w3.org/Submission/WS-PolicyAttachment/#ExternalAttachmentDeployedEndpoints