PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Applicability of TokenInclusion Values for various security tokens
The WS-SP spec attaches an @IncludeToken attribute to each of the security tokens it defines. The Token Inclusion values are also enumerated in Section 5.1.1.
However, the spec does not clearly indicate the applicability of the various Inclusion values to each token.
What I mean is: not all TokenInclusion values defined will be applicable/pertinent to each security token.
1.) For a UsernameToken, using TokenInclusion values of "Never" or "AlwaysToInitiator" may not be relevant. A policy cannot use something like "RequireKeyIdentifierReference" for referencing UsernameTokens, so probably a UsernameToken will always be included, and probably always sent from Initiator to Recipient.
2.) A SAMLToken may never need to use an Inclusion value of "AlwaysToInitiator".
3.) An X509Token can use any of these values depending on the scenario.
I propose that the spec also throw some light on this aspect in the description of @IncludeToken for each such token, so that implementors/users get a clear idea of this.
The following quoted text could be added to the UsernameToken description:
    "This optional attribute identifies the token inclusion value for this token assertion. It is RECOMMENDED however that this security token uses the "Always", "AlwaysToRecipient" or "Once" inclusion values."
Similar text can be added for the remaining tokens wherever applicable.
The schema can still use the "IncludeTokenType", but the documentation IMO could be a little clearer.
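As an added illustration (not part of the message above, and not code from the WS-SX TC or any WS-SP implementation), the following Python script lints a WS-SecurityPolicy fragment against the per-token applicability proposed in points 1.) to 3.): a UsernameToken should carry "Always", "AlwaysToRecipient" or "Once"; a SamlToken should not carry "AlwaysToInitiator"; an X509Token may carry any value. The recommendation table, the sample policy and the use of the WS-SP 1.2 namespace (http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702) for the IncludeToken URIs are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumption: WS-SP 1.2 namespace; IncludeToken values are URIs under it.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
INCLUDE_BASE = SP_NS + "/IncludeToken/"
ALL_VALUES = {"Always", "AlwaysToRecipient", "AlwaysToInitiator", "Once", "Never"}

# Per-token recommended inclusion values, following the proposal in the
# message above (this table is the example's own reading of it, not spec text).
RECOMMENDED = {
    "UsernameToken": {"Always", "AlwaysToRecipient", "Once"},
    "SamlToken": ALL_VALUES - {"AlwaysToInitiator"},
    "X509Token": ALL_VALUES,
}


def check_policy(policy_xml: str) -> list[tuple[str, str]]:
    """Return (token, inclusion value) pairs whose combination is not recommended.

    Token assertions without an sp:IncludeToken attribute are skipped, since
    the default is outside the scope of this check.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    prefix = "{" + SP_NS + "}"
    for el in root.iter():
        if not el.tag.startswith(prefix):
            continue
        local = el.tag[len(prefix):]
        if local not in RECOMMENDED:
            continue
        include = el.get(prefix + "IncludeToken")
        if include is None:
            continue
        if not include.startswith(INCLUDE_BASE):
            # Unknown URI: report it verbatim so a reviewer can see it.
            findings.append((local, include))
            continue
        value = include[len(INCLUDE_BASE):]
        if value not in RECOMMENDED[local]:
            findings.append((local, value))
    return findings


# Constructed sample policy: two questionable combinations and one sound one.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP_NS}">
  <wsp:ExactlyOne><wsp:All>
    <sp:UsernameToken sp:IncludeToken="{INCLUDE_BASE}Never"/>
    <sp:SamlToken sp:IncludeToken="{INCLUDE_BASE}AlwaysToInitiator"/>
    <sp:X509Token sp:IncludeToken="{INCLUDE_BASE}AlwaysToInitiator"/>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""

if __name__ == "__main__":
    for token, value in check_policy(SAMPLE_POLICY):
        print(f"{token}: inclusion value '{value}' is not among the recommended values")
```

Running the script reports the UsernameToken/"Never" and SamlToken/"AlwaysToInitiator" combinations and stays silent on the X509Token, which is exactly the distinction the proposed wording would make explicit for implementors.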