Multiple SAML assertions in SOAP request
According to Shyam's post http://forums.java.net/jive/thread.jspa?messageID=227078&#227078 it should be possible to request one SAML assertion via sp:IssuedToken in sp:ProtectionToken in sp:SymmetricBinding and an additional one via sp:SignedSupportingTokens.
In a first step I tried to request a UsernameToken. The resulting WSDL is similar to the policy referenced in WS-SecurityPolicy, chapter "C.2.1 Policy". The test runs well: on client side the usernameHandler was invoked, and the request contains a wsse:UsernameToken.
Thus I assumed the actual mechanism is available.
In the next step I added a sp:IssuedToken assertion (with the same sp:RequestSecurityTokenTemplate as the sp:IssuedToken in sp:SymmetricBinding uses) and reran the test. In the log I saw a lot of additional RST / RSTR stuff (additional means: additional to the usual RST / RSTR stuff necessary for requesting the SAML assertion for the sp:ProtectionToken).
The resulting request contains (as above) the wsse:UsernameToken and the SAML assertion requested by sp:ProtectionToken. But it did not contain the additional SAML assertion.
Furthermore the Web service blames me "Could not find Reference #uuid_9bf2047f-4c15-410a-a1b2-8b2da2d1cb2f under Signature with ID_1". It seems that on client side the SAML assertion was included in the signature computation, but it is not injected into the actual request. Note that the ds:Signature contains the reference to the wsse:UsernameToken and wsse:UsernameToken is present in the request.
I am using nightly build 2007-10-11 on client side and build 2007-09-04 on server side.
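
Added example, not part of the original post and not code from the toolkit under discussion: a small check that lists every same-document ds:Reference in a captured SOAP message whose target id is absent, which is the condition behind the "Could not find Reference" error above. The sample envelope and its ids are constructed, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
# Attributes that can carry the target id of a signature reference:
# wsu:Id (WS-Security), Id / ID (XML-DSig, SAML 2.0), AssertionID (SAML 1.1).
ID_ATTRS = ("{%s}Id" % WSU, "Id", "ID", "AssertionID")


def dangling_references(envelope_xml):
    """Return {signature Id: [referenced ids with no matching element]}."""
    root = ET.fromstring(envelope_xml)
    present = {el.get(a) for el in root.iter() for a in ID_ATTRS if el.get(a)}
    missing = {}
    for sig in root.iter("{%s}Signature" % DS):
        for ref in sig.iter("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            # Only same-document fragment references ("#id") are resolved.
            if uri.startswith("#") and uri[1:] not in present:
                missing.setdefault(sig.get("Id"), []).append(uri[1:])
    return missing


# Constructed sample: the signature covers a UsernameToken that is present
# and a second token id that was never written into the message.
SAMPLE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="%s" xmlns:ds="%s">
 <S:Header><wsse:Security>
  <wsse:UsernameToken wsu:Id="uuid_user-1">
   <wsse:Username>alice</wsse:Username>
  </wsse:UsernameToken>
  <ds:Signature Id="ID_1"><ds:SignedInfo>
   <ds:Reference URI="#uuid_user-1"/>
   <ds:Reference URI="#uuid_saml-2"/>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></S:Header><S:Body/>
</S:Envelope>""" % (WSU, DS)

if __name__ == "__main__":
    print(dangling_references(SAMPLE))
```

Running it against the outgoing message captured on the client shows whether the reference is already dangling before the request reaches the service.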