SAML audience workaround for SOAP - 6.3

Talend ESB Service Developer Guide

Talend Data Fabric
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Open Studio for ESB
Talend Real-Time Big Data Platform
Design and Development
Installation and Upgrade
Talend ESB

A new security feature named audience restriction check has been introduced in CXF 3. However, this feature is supported only in CXF versions 3.2.0 and above. Using it in earlier CXF versions causes security failures when using SAML with JMS.

As the support for audience restriction check with JMS is available only with CXF 3.2.0, a workaround that allows running SAML with JMS is needed. Setting the JAX-WS property security.sts.applies-to to the value of the QName on the consumer side, is the workaround that applies to this scenario.

For example, in case of Spring configuration, the property can be configured in the JAX-WS properties section of the consumer configuration like this:

<entry key="security.sts.applies-to" value="{}LibraryProvider"/>

The full example can be found in Library Service example: <TESB-HOME>/examples/tesb/library-service