Posted to fx-dev@ws.apache.org by Ashok Shah <as...@sfu.ca> on 2004/10/15 19:35:05 UTC

WSS4J and SAML

Hello Everybody,

I am trying to use WSS4J to support multiple security mechanisms in our
SOAP-based protocol. I have tried using the SAML profile in WSS4J but am
confused about which profile to use.

Here are my requirements:

I have a client called "A"; the client has a Local Attribute Authority
called "B", a server called "S" and the server's Local Attribute Authority
"Z".

"A" wants to send a request to "S", but has to go to "B" to get its
attributes, as a SAMLAssertion, which would be signed by "B". "A" gets
those signed attributes from "B" and attaches them to the SOAP security
header. "S" gets the request, and has to send the attributes in the SOAP
request header to "Z" to verify the signature as well as the attributes.

I have tried to use the SAMLSigned, SAMLUnsigned etc. profiles, but was
confused about which one to use as I don't know which profile would support
my requirements. If I use SAMLSigned, I need to specify the signature
authority's details in a property file, which I won't have. Also, it
attaches the signature differently than SignedAttributes.

Appreciate any help.

Thanks,

Ashok.


Re: WSS4J and SAML

Posted by Rami Jaamour <rj...@parasoft.com>.
David,
What are the weird errors you were getting with the WSS4J xmlsec.jar? I 
tried both v1.1 and v1.2 of xmlsec.jar (in both OpenSAML and WSS4J) but 
I keep getting

org.opensaml.InvalidCryptoException: SAMLSignedObject.verify() failed to 
validate signature value

on Z when I would expect the signature verification to succeed. Could 
there be a reason for this other than the client (A or B) corrupting the 
integrity of the signature?

Thanks,

Rami Jaamour
Software Engineer
Web Services Solutions
Parasoft Corporation

"We Make Software Work"



David Keppler wrote:

> I did about this same thing a few weeks back. From my experience with 
> it, it sounds like you'd want to use SAMLTokenUnsigned action 
> directive for wss4j on both the client and server. Then create 
> instantiations of the org.apache.ws.security.saml.SAMLIssuer class 
> that do the communications with the B and Z servers. Set the 
> org.apache.ws.security.saml.issuerClass properties in the 
> saml.properties files on the client and service to use those two 
> SAMLIssuer derived classes.
>
> Another caveat, if you get weird errors when sending assertions that 
> are signed by B and Z, try using the v1.1 release version of the 
> xmlsec.jar. The one in the wss4j cvs lib directory wouldn't work for me.
>
> -Dave
>

Re: WSS4J and SAML

Posted by David Keppler <dk...@mitre.org>.
I did about this same thing a few weeks back. From my experience with 
it, it sounds like you'd want to use SAMLTokenUnsigned action directive 
for wss4j on both the client and server. Then create instantiations of 
the org.apache.ws.security.saml.SAMLIssuer class that do the 
communications with the B and Z servers. Set the 
org.apache.ws.security.saml.issuerClass properties in the 
saml.properties files on the client and service to use those two 
SAMLIssuer derived classes.

Another caveat, if you get weird errors when sending assertions that are 
signed by B and Z, try using the v1.1 release version of the xmlsec.jar. 
The one in the wss4j cvs lib directory wouldn't work for me.

-Dave

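Dave's setup as an added example, not code from this thread or from WSS4J: a SAMLIssuer implementation for client A that fetches B's signed attribute assertion and checks B's signature before WSS4J inserts it into the security header, so an unsigned or altered assertion is rejected at A instead of surfacing only as the verification failure Rami reports on Z. It assumes the SAMLIssuer interface and Properties constructor of WSS4J 1.x, OpenSAML 1.x's SAMLAssertion class, and hypothetical property keys, URL and certificate path for B; S must still verify through Z, as the thread describes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Properties;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.saml.SAMLIssuer;
import org.opensaml.SAMLAssertion;
import org.w3c.dom.Document;

// Selected on client A via org.apache.ws.security.saml.issuerClass=AttributeAuthorityIssuer
// in saml.properties; the two example.attributeAuthority.* keys are hypothetical.
public class AttributeAuthorityIssuer implements SAMLIssuer {
    private final Properties props;
    private String username;
    // WSS4J instantiates the issuer class through a Properties constructor (assumed, as in WSS4J 1.x)
    public AttributeAuthorityIssuer(Properties props) { this.props = props; }

    // Fetch B's signed attribute assertion for the current user and check B's signature
    // before WSS4J places the assertion into the wsse:Security header.
    public SAMLAssertion newAssertion() {
        try {
            URL b = new URL(props.getProperty("example.attributeAuthority.url")
                    + "?subject=" + URLEncoder.encode(username, "UTF-8"));
            SAMLAssertion assertion;
            try (InputStream in = b.openStream()) {
                assertion = new SAMLAssertion(in);   // OpenSAML 1.x parses and schema-checks the XML
            }
            if (!assertion.isSigned()) {
                throw new SecurityException("B returned an unsigned assertion");
            }
            X509Certificate bCert;                   // verify against B's pinned certificate,
            try (InputStream in = new FileInputStream(props.getProperty("example.attributeAuthority.cert"))) {
                bCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            assertion.verify(bCert);                 // not against whatever KeyInfo the XML carries
            return assertion;
        } catch (Exception e) {
            throw new RuntimeException("could not obtain a valid attribute assertion from B", e);
        }
    }

    // Remaining SAMLIssuer callbacks: this issuer signs nothing itself, B does.
    public void setUsername(String username) { this.username = username; }
    public void setInstanceDoc(Document doc) { }
    public void setUserCrypto(Crypto crypto) { }
    public Crypto getIssuerCrypto() { return null; }
    public String getIssuerKeyName() { return null; }
    public String getIssuerKeyPassword() { return null; }
    public boolean isSenderVouches() { return false; }
}
```

With SAMLTokenUnsigned, WSS4J only inserts whatever newAssertion() returns, so the pinned-certificate check here is the one place A can catch a bad assertion before it is sent.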