Posted to dev@synapse.apache.org by cmurali <ch...@sddc.army.mil> on 2007/10/22 16:59:46 UTC

Configuring rampart/Rahas for producing and processing SAML messages.

Hi,

I am trying to find a complete example to setup synapse/rampart/rahas for
mainly processing SAML messages. I am also looking for sample client code
for testing both the producer and processor of Security token messages. The
scenario is like this. 

1. Client contacts the token issuer.
2. STS service gives back the secure token.
3. Client inserts this token into the SOAP security header.
4. Sends this message to the security message processor.
5. Client gets a response back.

Thanks,
Muralidaran Chakravarthy
-- 
View this message in context: http://www.nabble.com/Confugring-rampart-Rahas-for-producing-and-processing-SAML-messages.-tf4670568.html#a13342361
Sent from the Synapse - Dev mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: synapse-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: synapse-dev-help@ws.apache.org


Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by cmurali <ch...@sddc.army.mil>.
Hi,

This is a show stopper for us to move our web services to QA.

We have configured synapse to perform usernametoken authentication and
forward SOAP request to jboss server. This setup works fine. We are
scheduled to release this within a month and suddenly we were mandated to
use the SAML based security provided by our single-sign-on group. Now this
is a show stopper for us to release. This means that 

1. All external clients (simply clients) should first request SAML token
from this single-sign-on webservice.
2. Clients should insert this SAML token into their SOAP message security
header.
3. Clients send this SOAP message to our AXIS2 webservice hosted in Jboss
server mediated by synapse.
4. Synapse/rampart/rahas should be reconfigured to process this SAML token
(instead of usernametoken) to authenticate and allow the request to proceed.

The question is how do we reconfigure synapse/rampart/rahas to process this
SOAP message coming with the SAML token as the security credential.

As I could not find a concrete sample or documentation of how to set up for
SAML authentication, I am stuck and helpless. Could you provide me with the
sample or documentation ASAP please ?

Thanks,
Muralidaran Chakravarthy


Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by cmurali <ch...@sddc.army.mil>.
Hi,

The client is an external client talking to our Synapse. Currently the STS
function is provided by our external single sign on team which will issue
the SAML token. Though our synapse/rampart/rahas configuration should have
to only process the SAML token by authenticating the user and allowing them
to use our web services, I also have to write my client Java program that
will get the SAML token from our single sign on web service and then send
the SOAP message with this SAML token to our web service which is mediated
by synapse.

Thanks,
Muralidaran Chakravarthy




Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by "Asankha C. Perera" <as...@wso2.com>.
Hi Murali

I have forwarded your request to our security expert and will get back 
to you quickly on his reply. Meanwhile, I do not clearly understand if 
you are referring to Synapse as this "client" or is it a custom Java 
client you are talking about?

asankha



Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by cmurali <ch...@sddc.army.mil>.
Hi Ruchith and asankha,

Thanks for your reply. I am yet to get the details from our
single-sign-on/STS group. I guess I will get it in a couple of days. I will
contact you with details in a couple of days.

Thanks again,
Muralidaran Chakravarthy


Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by "Asankha C. Perera" <as...@wso2.com>.
Hi Muralidaran

Are you going to let your clients request the SAML tokens directly or 
use Synapse to receive client requests with User-Id/Password over SSL 
and then talk to the STS and get a token and pass the request off to 
your end service?

We are all set to cut the 1.1 release branch between today and Sunday, 
to get the first RC ready for testing on Monday. If you require any 
updates for Synapse to get the above working through Synapse for your 
clients, we could get that into a 1.1.1 release.. but for now I do not 
consider this as an issue for the 1.1 release

Ruchith is currently traveling and will be in the US for a couple of 
weeks and I am not sure if he will look at the Synapse mailing list 
during this time. The Apache Rampart mailing list 
(mailto:rampart-dev-subscribe@ws.apache.org) would be a better option 
for you to ask any direct questions related to Apache Rampart during 
this time, and I'm quite sure he will be reading that more frequently.

asankha



Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

Apologies about the delay in my response. Please see below :

On 11/2/07, cmurali <ch...@sddc.army.mil> wrote:
>
> Hi Ruchith,
>
> I have answers for some of your questions.
>
> 1. The token issuing service from which I am obtaining the SAML token is a
> standard security token service (STS). But I am yet to receive the STS policy
> from the other group.
>
> 2. Yes, I simply want to include the obtained token in the Security
> header? I do NOT want to encrypt and/or sign the message with a key
> associated with the SAML token.
>
> Here is the scenario given by our other/security group. In this scenario
> "SAML Token Issuing Service" and "SAML Token Resolver Service" both are
> provided to us by the security group. We are providing the "web service".
> Our web service should do the steps 4, 5 and provide the web service
> function.
>
> 1. Web Service Customer requests SAML authentication token to (SAML Token
> Issuing Service) with User-Id/Password over SSL (w/ WS-Security) - I guess
> this is usernametoken with digest password.
>
> 2. SAML Token Issuing Service issues token or return error message.
>

You can do the above two steps using org.apache.rahas.STSClient and I
will be able to help you when we get hold of the STS policy.
Right now we do not support digest password in the policy
implementation. However IMHO when we use HTTPS we can use a plain text
password with UT and this is useful since most systems do not store
the actual password.

> 3. Web Service Consumer calls web Service passing all necessary parameters
> and SAML token in the request using WS-Security.
>

There are a couple of ways to include the obtained SAML token in the
Security header.

- By creating a wsse:Security header element and adding the token
element into the header. Rampart processing down the line will re-use
this header.

- In the case where the SAML token is expressed in the service policy
as a supporting token: Using the
RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN key to set the token id in
the options object. (Example : [1])

> 4. Application framework of the "web service" requests token validation to
> the "SAML Token Resolver Service" using WS-Security SAML configuration.
>
> 5. "SAML Token Resolver Service" returns message verifying token or error
> message if token is not valid.
>

Right now rampart/rahas does not provide ways to do #4 and #5 ... but
I'd like to see whether it is possible to update STSClient to provide
those operations to support your case.

Thanks,
Ruchith

1. http://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/src/org/wso2/wsas/sample/sts/client/Client.java



-- 
http://blog.ruchith.org
http://wso2.org
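
Added example (not from the thread, and not Rampart/Rahas code): the first option in the reply above, putting the token into a wsse:Security header, shown at wire level in Python together with the checks a gateway can make before forwarding the token to a validation service. The SAML 1.1 assertion, issuer URL, payload and function names are constructed for illustration; verifying the issuer's signature is assumed to be done by that validation service and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",  # SAML 1.x assertions
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def q(prefix, local):
    """Qualified ElementTree tag name, e.g. q('wsse', 'Security')."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample standing in for the assertion the STS returned (step 2).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' MajorVersion="1" MinorVersion="1" AssertionID="_constructed-id-1"'
    ' Issuer="https://sts.example.invalid/issue"'
    ' IssueInstant="2007-11-02T10:00:00Z">'
    '<saml:Conditions NotBefore="2007-11-02T10:00:00Z"'
    ' NotOnOrAfter="2007-11-02T10:05:00Z"/>'
    '</saml:Assertion>'
)


class TokenRejected(Exception):
    """The request must not be forwarded to the backend service."""


def attach_token(assertion_xml, payload_xml):
    """Client side (step 3): SOAP 1.1 envelope with the token in wsse:Security.

    The token is only carried, not used to sign the message, as in the thread.
    ElementTree re-serialises the assertion; a real client should pass the
    STS's element through unchanged so the issuer's signature still verifies.
    """
    envelope = ET.Element(q("soapenv", "Envelope"))
    header = ET.SubElement(envelope, q("soapenv", "Header"))
    security = ET.SubElement(header, q("wsse", "Security"),
                             {q("soapenv", "mustUnderstand"): "1"})
    security.append(ET.fromstring(assertion_xml))
    body = ET.SubElement(envelope, q("soapenv", "Body"))
    body.append(ET.fromstring(payload_xml))
    return ET.tostring(envelope, encoding="unicode")


def parse_instant(value):
    """Parse a UTC xs:dateTime of the form used in the sample; reject others."""
    if value is None:
        raise TokenRejected("Conditions is missing a validity bound")
    try:
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        raise TokenRejected("unparseable instant: %r" % value)
    return parsed.replace(tzinfo=timezone.utc)


def extract_token(envelope_xml, trusted_issuers, now):
    """Gateway side (before step 4): pull out the one token and pre-check it.

    Assumes a single wsse:Security header (no actor-targeted extras).
    """
    # Untrusted input: production code should use a hardened XML parser
    # (for example the defusedxml package) instead of plain ElementTree.
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        raise TokenRejected("malformed XML")
    headers = root.findall("soapenv:Header/wsse:Security", NS)
    if len(headers) != 1:
        raise TokenRejected("expected exactly one wsse:Security header")
    assertions = headers[0].findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise TokenRejected("expected exactly one SAML assertion")
    assertion = assertions[0]
    if assertion.get("Issuer") not in trusted_issuers:
        raise TokenRejected("issuer is not the expected token service")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise TokenRejected("assertion has no Conditions element")
    not_before = parse_instant(conditions.get("NotBefore"))
    not_on_or_after = parse_instant(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise TokenRejected("assertion is outside its validity window")
    # What the gateway would hand to the validation service in step 4.
    return {"assertion_id": assertion.get("AssertionID"),
            "issuer": assertion.get("Issuer"),
            "token_xml": ET.tostring(assertion, encoding="unicode")}
```

A token that passes these checks is still only a bearer credential here, so the transport has to be TLS end to end, as the thread assumes for the STS call.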



Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by cmurali <ch...@sddc.army.mil>.
Hi Ruchith,

I have answers for some of your questions.

1. The token issuing service from which I am obtaining the SAML token is a
standard security token service (STS). But I am yet to receive the STS policy
from the other group.

2. Yes, I simply want to include the obtained token in the Security
header? I do NOT want to encrypt and/or sign the message with a key
associated with the SAML token.

Here is the scenario given by our other/security group. In this scenario
"SAML Token Issuing Service" and "SAML Token Resolver Service" both are
provided to us by the security group. We are providing the "web service".
Our web service should do the steps 4, 5 and provide the web service
function.

1. Web Service Customer requests SAML authentication token to (SAML Token
Issuing Service) with User-Id/Password over SSL (w/ WS-Security) - I guess
this is usernametoken with digest password.

2. SAML Token Issuing Service issues token or return error message.

3. Web Service Consumer calls web Service passing all necessary parameters
and SAML token in the request using WS-Security.

4. Application framework of the "web service" requests token validation to
the "SAML Token Resolver Service" using WS-Security SAML configuration.

5. "SAML Token Resolver Service" returns message verifying token or error
message if token is not valid.


Thanks,
Muralidaran Chakravarthy




Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

I have a few questions about your scenario :

1.) Are you obtaining the SAML token from a standard security token
service(STS)?
1.1) If so do you have security policy of that STS?

2.) Do you simply want to include the obtained token in the Security
header? Or do you want to encrypt and/or sign the message with a key
associated with the SAML token?

Thanks,
Ruchith



-- 
www.ruchith.org
www.wso2.org



Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by "Asankha C. Perera" <as...@wso2.com>.
Hi Murali

Have you been able to progress on this matter? I looked into the STS 
sample that ships with WSAS and was looking at the corresponding client 
code.. probably it's easiest to implement the client side logic in a 
custom mediator for your case, and let Rampart handle the rest.. i.e. 
your custom mediator would then talk to the STS, get the token and then 
place it at the right place, before your actual call to the service is invoked.

Let us know more details on the STS and other questions Ruchith asked 
and if you have got some sample code working with your STS

asankha


Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by cmurali <ch...@sddc.army.mil>.
Hi,

I am new to SAML and don't know the complete process flow.

I downloaded the wso2wsas-2.1-src.zip and found the sts-sample. But the
documentation (Security Service Token Sample Guide) is in terms of WSO2 WSAS
administration console. Is there any documentation that explains about the
sts.policy file, service.policy file and axis2.policy file and changes that
should go in for configuring for SAML? 

I have already configured synapse to perform usernametoken authentication
and forward SOAP request to jboss server. This works fine. Right now we are
mandated to use the "Token issuing service" provided by another group called
single-sign-on group. So my job, right now, is to configure my synapse to
process the SAML token. Processing means validating the token and would I
have to communicate with the token issuing service for validating? If so, is
there any hook like the rampart PWCBHandler class in which I have to handle
that?

Thanks,
Muralidaran Chakravarthy




Re: Configuring rampart/Rahas for producing and processing SAML messages.

Posted by Ruchith Fernando <ru...@gmail.com>.
Hi,

Can you please have a look at "sts-sample" in WSO2 WSAS [1]. This does
exactly what you need. The client code is available in the sample
itself and you can see the code here [2] as well.

Thanks,
Ruchith

1. http://dist.wso2.org/products/wsas/java/2.1
2. http://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/src/org/wso2/wsas/sample/sts/client/Client.java



-- 
www.ruchith.org
www.wso2.org
