
Enforcing proof-of-possession

Recall that the TokenCanceller interface has a setVerifyProofOfPossession method, which controls whether proof-of-possession is required before a security token can be cancelled. For the SCTCanceller the default value is true.

This means that, for the client to successfully cancel a SecurityContextToken, it must prove to the STS that it knows the secret key associated with that SecurityContextToken. The client does this by signing some portion of the cancel request with that secret key; the SCTCanceller retrieves the same key from the security token stored in its cache and checks the signature against it.
