SAML Token checking

When setting up “Client SSL” between the API Proxy and the APIs, can it be combined with the SAML option to pass a SAML token at Layer 5?

http://docs.apigee.com/api-services/reference/saml-assertion-policy suggests that all that is validated for SAML assertions is that the component generating it is trusted (i.e. its public key certificate is in the truststore). Are there other checks it can perform, such as validating signatures?

2 REPLIES

Not sure if I understand your question -

> If you want to use the SAML token across the session - you could set it as a cookie in HTTP

> SAML assertion policy verifies the signature [along with assertion validity] and also checks if the cert is trusted [present in the trust store]

Thanks,

Do you have an example of some code that extracts the data from the cookie and validates the token?
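
The following is an added example, not from the thread and not Apigee's own code: Python that pulls a base64url-encoded assertion out of a `Cookie` header and checks the assertion-validity conditions (time window and audience). The cookie name `saml_assertion`, the encoding and the sample assertion are assumptions; signature and trust-store verification are left to the SAML assertion policy, as the first reply describes.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
COOKIE_NAME = "saml_assertion"  # hypothetical cookie name, not an Apigee default

# Constructed sample assertion (unsigned; used for the validity checks only).
SAMPLE_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://api.example.test</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)
SAMPLE_COOKIE = "lang=en; " + COOKIE_NAME + "=" + base64.urlsafe_b64encode(SAMPLE_XML.encode()).decode()

def _utc(value):
    # Accepts whole-second UTC xs:dateTime only; anything else raises.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion_cookie(cookie_header, audience, now):
    """Return (ok, reason). Fails closed on anything missing or malformed."""
    raw = None
    for part in cookie_header.split(";"):
        # Split on the first '=' only, so base64 padding stays in the value.
        key, _, value = part.strip().partition("=")
        if key == COOKIE_NAME:
            raw = value
    if not raw:
        return False, "no assertion cookie"
    try:
        root = ET.fromstring(base64.urlsafe_b64decode(raw))
        cond = root.find("saml:Conditions", NS)
        not_before = _utc(cond.get("NotBefore"))
        not_after = _utc(cond.get("NotOnOrAfter"))
    except (ValueError, TypeError, AttributeError, ET.ParseError):
        return False, "malformed assertion"
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 2.0 assertion"
    if not (not_before <= now < not_after):
        return False, "outside validity window"
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        return False, "audience mismatch"
    return True, "ok"
```

These checks only mean something for an assertion whose signature has already been verified against the trust store.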