Posted to fx-dev@ws.apache.org by Ashok Shah <as...@sfu.ca> on 2004/10/15 19:35:05 UTC
WSS4J and SAML
Hello Everybody,
I am trying to use WSS4J to support multiple security mechanisms in our
SOAP-based protocol. I have tried using the SAML profile in WSS4J but am
confused about which profile to use.
Here are my requirements:
I have a client called "A", client has a Local Attribute Authority
called "B", a server called "S" and server's Local Attribute Authority
"Z".
"A" wants to send a request to "S", but has to go to "B" to get its
attributes, as a SAMLAssertion, which would be signed by "B". "A" gets
those signed attributes from "B" and attaches them to the SOAP security
header. "S" gets the request, and has to send the attributes in the SOAP
request header to "Z" to verify the signature as well as the attributes.
I have tried to use the SAMLSigned, SAMLUnsigned, etc. profiles, but was
confused about which one to use, as I don't know which profile would support
my requirements. If I use SAMLSigned, I need to specify the signature
authority's details in a property file, which I won't have. Also, it
attaches the signature differently than SignedAttributes.
Appreciate any help.
Thanks,
Ashok.
Re: WSS4J and SAML
Posted by Rami Jaamour <rj...@parasoft.com>.
David,
What are the weird errors you were getting with the WSS4J xmlsec.jar? I
tried both v1.1 and v1.2 of xmlsec.jar (in both OpenSAML and WSS4J) but
I keep getting
org.opensaml.InvalidCryptoException: SAMLSignedObject.verify() failed to
validate signature value
on Z when I would expect the signature verification to succeed. Could
there be a reason for this other than the client (A or B) corrupting the
integrity of the signature?
Thanks,
Rami Jaamour
Software Engineer
Web Services Solutions
Parasoft Corporation
"We Make Software Work"
David Keppler wrote:
> I did about this same thing a few weeks back. From my experience with
> it, it sounds like you'd want to use the SAMLTokenUnsigned action
> directive for wss4j on both the client and server. Then create
> instantiations of the org.apache.ws.security.saml.SAMLIssuer class
> that do the communications with the B and Z servers. Set the
> org.apache.ws.security.saml.issuerClass properties in the
> saml.properties files on the client and service to use those two
> SAMLIssuer-derived classes.
>
> Another caveat: if you get weird errors when sending assertions that
> are signed by B and Z, try using the v1.1 release version of the
> xmlsec.jar. The one in the wss4j CVS lib directory wouldn't work for me.
>
> -Dave
>
Re: WSS4J and SAML
Posted by David Keppler <dk...@mitre.org>.
I did about this same thing a few weeks back. From my experience with
it, it sounds like you'd want to use the SAMLTokenUnsigned action directive
for wss4j on both the client and server. Then create instantiations of
the org.apache.ws.security.saml.SAMLIssuer class that do the
communications with the B and Z servers. Set the
org.apache.ws.security.saml.issuerClass properties in the
saml.properties files on the client and service to use those two
SAMLIssuer-derived classes.
Another caveat: if you get weird errors when sending assertions that are
signed by B and Z, try using the v1.1 release version of the xmlsec.jar.
The one in the wss4j CVS lib directory wouldn't work for me.
-Dave
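One way to wire up the approach David describes (SAMLTokenUnsigned action plus a custom SAMLIssuer that talks to the attribute authority), as an added example that is not code from this thread or from WSS4J itself. It is written against the org.apache.ws.security.saml.SAMLIssuer interface of WSS4J 1.x and the OpenSAML 1.x SAMLAssertion / SAMLSignedObject classes the thread mentions; the package and class names, the property key example.attributeAuthority.url, B's HTTP endpoint and its subject query parameter, the (Properties) constructor and the verifyIssuedBy helper are all assumptions made for illustration. It also assumes, per David's caveat, that every party loads the same xmlsec.jar.

```java
package example; // hypothetical package, not part of WSS4J

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.security.cert.X509Certificate;
import java.util.Properties;

import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.saml.SAMLIssuer;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.w3c.dom.Document;

/**
 * SAMLIssuer for client A: fetches the attribute assertion that A's local
 * attribute authority B has already signed, instead of building one locally.
 * Selected through saml.properties (second key is hypothetical):
 *
 *   org.apache.ws.security.saml.issuerClass=example.RemoteAttributeAuthorityIssuer
 *   example.attributeAuthority.url=https://b.example.org/attributes
 *
 * together with action=SAMLTokenUnsigned in the WSS4J handler configuration,
 * so WSS4J places B's assertion in wsse:Security without re-signing it.
 */
public class RemoteAttributeAuthorityIssuer implements SAMLIssuer {

    /** Hypothetical property key, read only by this class. */
    private static final String AUTHORITY_URL_KEY = "example.attributeAuthority.url";

    private final String authorityUrl;
    private Crypto userCrypto;
    private String username;
    private Document instanceDoc;

    /** Assumption: the issuer factory hands the loaded saml.properties to this constructor. */
    public RemoteAttributeAuthorityIssuer(Properties props) {
        authorityUrl = props.getProperty(AUTHORITY_URL_KEY);
        if (authorityUrl == null) {
            throw new IllegalStateException(AUTHORITY_URL_KEY + " not set in saml.properties");
        }
    }

    /** Ask B for the current user's attributes; B answers with a signed SAML 1.x assertion. */
    public SAMLAssertion newAssertion() {
        if (username == null) {
            throw new IllegalStateException("no username set by the WSS4J handler");
        }
        try {
            URL url = new URL(authorityUrl + "?subject=" + URLEncoder.encode(username, "UTF-8"));
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("GET");
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new IllegalStateException("attribute authority returned HTTP " + conn.getResponseCode());
            }
            InputStream in = conn.getInputStream();
            try {
                SAMLAssertion assertion = new SAMLAssertion(in);
                // A holds no key of B's, so it cannot verify here; it only refuses to
                // forward an unsigned assertion, which S and Z would reject anyway.
                if (!assertion.isSigned()) {
                    throw new IllegalStateException("attribute authority returned an unsigned assertion");
                }
                return assertion;
            } finally {
                in.close();
            }
        } catch (SAMLException e) {
            throw new RuntimeException("could not parse assertion from " + authorityUrl, e);
        } catch (IOException e) {
            throw new RuntimeException("could not reach attribute authority " + authorityUrl, e);
        }
    }

    /**
     * Check as Z should perform it: verify against the certificate Z trusts for B,
     * not against whatever KeyInfo the received assertion happens to carry, so an
     * assertion signed with an arbitrary key is rejected.
     */
    public static void verifyIssuedBy(SAMLAssertion assertion, X509Certificate authorityCert)
            throws SAMLException {
        if (!assertion.isSigned()) {
            throw new SAMLException("assertion carries no signature");
        }
        assertion.verify(authorityCert); // throws InvalidCryptoException on mismatch
    }

    // WSS4J wiring: the handler sets these before calling newAssertion().
    public void setUserCrypto(Crypto crypto) { this.userCrypto = crypto; }
    public Crypto getUserCrypto() { return userCrypto; }
    public void setUsername(String username) { this.username = username; }
    public String getUsername() { return username; }
    public void setInstanceDoc(Document doc) { this.instanceDoc = doc; }

    // A never signs: these accessors only matter for SAMLTokenSigned, which this
    // setup does not use, and the confirmation method is whatever B put in the assertion.
    public Crypto getIssuerCrypto() { return null; }
    public String getIssuerKeyName() { return null; }
    public String getIssuerKeyPassword() { return null; }
    public boolean isSenderVouches() { return false; }
}
```

The point of the static verifyIssuedBy helper is the trust anchor: SAMLSignedObject.verify() with no argument validates against the key material embedded in the signature itself, which proves only that the assertion is internally consistent. Z should pin B's certificate (or a CA it chains to) and pass it in explicitly, and S should treat the assertion as untrusted until Z has done so; a verification failure on a mismatched xmlsec.jar, as in the thread, looks identical to a genuinely tampered assertion, so pin the library versions across A, B, S and Z before debugging anything else.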