0 Replies Latest reply on Dec 27, 2011 12:55 PM by aida.sp

    PicketLink STS with a client that isn't aware of the policies of the server side

    aida.sp Newbie


      After working with some examples (like http://community.jboss.org/wiki/SAMLEJBIntegrationWithPicketLinkSTS) and reading some articles I have "found" an scenario I don´t know how to deal with.


      The article http://community.jboss.org/wiki/PicketLinkSecurityTokenService talks about the Web Services Trust Model. The first two steps (message flow) are:


      1. The client sends a SOAP message to the Web Service

      2. The Web service has a policy that requires a token. Upon receiving the request, the service checks if it has a security token. If the token is absent, the Web service asks the client to obtain a token from a trusted STS.


      In the examples, the client side is aware of what kind of token the STS has to provide, but I wonder if there is any kind of handler or configuration to deal with this scenario, in which the client doesn´t know anything about the server side policies until the WS asks to obtain a token.


      Thanks in advance.