Hi, we wish to set up Picketlink as a Relying Party STS that can validate tokens issued by a particular third-party IP-STS.
I've configured the handler chain of one of our web services to use the STS Security handler (org.picketlink.identity.federation.core.wstrust.handlers.STSSecurityHandler) to extract a WS-Trust token from the SOAP message header and hand it off to an instance of PicketLink STS (the RP STS) for signature validation using the validate() web method on the PicketLinkSTS service.
I've found however that the STS appears to be hard-coded to use its own key pair for validating, i.e. it seems only to expect to have to validate tokens issued by itself and not by third-party STSs. This is evidenced by the validate() method in the class org.picketlink.identity.federation.core.wstrust.StandardRequestHandler, which uses a reference to the STS key pair to validate the token rather than using the <saml:Issuer/> element of the SAML token to look up the public key in the ValidatingAlias map of the configuration.
Is it possible I have missed a piece of the configuration puzzle or was the STS never intended to be used as an RP-STS?
Thanks for your responses!
For your info, I am using 2.7.0CR3 of your libraries.
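The issuer-keyed lookup described above, as an added illustration that is not PicketLink's code: it uses the JDK's javax.xml.crypto.dsig API, and the class name IssuerKeyedValidator and its validatingKeys map are assumptions that stand in for the ValidatingAlias configuration.

```java
import java.io.StringReader;
import java.security.PublicKey;
import java.util.Map;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

/** Validates a SAML 2.0 assertion signature with the key registered for its Issuer. */
public final class IssuerKeyedValidator {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // issuer name -> trusted public key; plays the role of the ValidatingAlias map (assumed)
    private final Map<String, PublicKey> validatingKeys;

    public IssuerKeyedValidator(Map<String, PublicKey> validatingKeys) {
        this.validatingKeys = validatingKeys;
    }

    public boolean validate(String assertionXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed for the saml:/ds: lookups below
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element assertion = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(assertionXml))).getDocumentElement();

        Element issuer = directChild(assertion, SAML_NS, "Issuer");
        if (issuer == null) return false;
        PublicKey key = validatingKeys.get(issuer.getTextContent().trim());
        if (key == null) return false; // unknown issuer: reject, never fall back to a default key

        Element sigNode = directChild(assertion, XMLSignature.XMLNS, "Signature");
        if (sigNode == null) return false;
        DOMValidateContext ctx = new DOMValidateContext(key, sigNode);
        ctx.setIdAttributeNS(assertion, null, "ID"); // lets "#<ID>" references resolve
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;

        // The signature must cover this very assertion, not some other element in the document.
        String expectedUri = "#" + assertion.getAttribute("ID");
        for (Object r : sig.getSignedInfo().getReferences()) {
            if (expectedUri.equals(((Reference) r).getURI())) return true;
        }
        return false;
    }

    private static Element directChild(Element parent, String ns, String local) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName()))
                return (Element) n;
        }
        return null;
    }
}
```

Load the trusted certificate's public key for each third-party issuer into the map, then call validate() with the assertion extracted from the WS-Trust token; an issuer absent from the map is rejected outright.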
Yes, you are right. Currently, the STS is always validating signatures using its own keypair.
I've filed a JIRA, however I'm not sure when we are going to be able to do it.