Posted to fx-dev@ws.apache.org by Brian Woo <br...@sjrb.ca> on 2006/04/13 23:55:01 UTC

WSS4J & SAML...

Hi guys,

I have built a webservice with UsernameToken built-in and everything works fine.  Now, I am starting to look at SAML assertions.

Has any of you built a webservice with SAML support?  I have tried to Google that topic but I can't find anything concrete that I can use to build one.  Can someone please provide me some instructions?  If I can set one up, I promise to publish a step-by-step guide on the wss4j website.

I have heard that I would need Sun's Access Manager to generate SAML assertions, is that correct?  Are there any other options?  Is there any binding to tie SAML into wss4j?

A lot of questions... thanks very much for your help,

Brian


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: WSS4J & SAML...

Posted by Mike Smorul <to...@umiacs.umd.edu>.
wss4j handles saml assertions fairly nicely. Make sure you can send 
signed messages using wss4j first. The saml examples in wss4j show how 
to set the appropriate handlers and such.

The only catch that I've found on the server side is that for 
holder-of-key wss4j does not check to make sure the message signing key 
matches the client key embedded in the saml assertion. You'll have to 
extract the assertion from the message context and compare yourself. 
This may have changed since we're using a really old version of wss4j.

For creating your own assertions, look at the opensaml libraries. To use 
your own assertions, you can override loadSamlIssuer in WSDoAllSender. 
In our setup, we have a separate web-service in the local trust domain 
that authenticates using UsernameToken and has a call to issue 
assertions to a client given the client's cert. The assertion is used to 
connect to any services that can't directly authenticate.

-Mike
  sorry if it's a little incoherent, it's Friday ;)

Brian Woo wrote:
> Hi guys,
> 
> I have built a webservice with UsernameToken built-in and everything works fine.  Now, I am starting to look at SAML assertions.
> 
> Has any of you built a webservice with SAML support?  I have tried to Google that topic but I can't find anything concrete that I can use to build one.  Can someone please provide me some instructions?  If I can set one up, I promise to publish a step-by-step guide on the wss4j website.
> 
> I have heard that I would need Sun's Access Manager to generate SAML assertions, is that correct?  Are there any other options?  Is there any binding to tie SAML into wss4j?
> 
> A lot of questions... thanks very much for your help,
> 
> Brian
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
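
The holder-of-key comparison Mike describes, as an added example that is not part of the original thread and not WSS4J code: it uses only JDK classes to check that the key which verified the message signature is the key bound in the assertion's SubjectConfirmation. Assumptions: SAML 1.1 namespaces, a key carried as ds:RSAKeyValue (an assertion may carry ds:X509Data instead), and hypothetical names `HolderOfKeyCheck`, `matches`, `first`, `num` and `b64`; obtaining the assertion and the signing key from the WSS4J message context is left out.

```java
import java.io.StringReader;
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class HolderOfKeyCheck {
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion", DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";

    // Fails closed: true only for a holder-of-key assertion whose bound key is the message signing key.
    // Assumes the assertion's own issuer signature was already verified against a trusted issuer.
    static boolean matches(Element assertion, PublicKey signingKey) throws Exception {
        Element sc = first(assertion, SAML, "SubjectConfirmation");
        Element method = sc == null ? null : first(sc, SAML, "ConfirmationMethod");
        if (method == null || !HOK.equals(method.getTextContent().trim())) return false;
        Element mod = first(sc, DS, "Modulus"), exp = first(sc, DS, "Exponent");
        if (mod == null || exp == null) return false; // no RSAKeyValue bound to the subject
        PublicKey bound = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(num(mod), num(exp)));
        return MessageDigest.isEqual(bound.getEncoded(), signingKey.getEncoded());
    }
    static Element first(Element parent, String ns, String name) {
        NodeList l = parent.getElementsByTagNameNS(ns, name);
        return l.getLength() == 0 ? null : (Element) l.item(0);
    }
    static BigInteger num(Element e) { return new BigInteger(1, Base64.getMimeDecoder().decode(e.getTextContent())); }
    static String b64(BigInteger v) { return Base64.getEncoder().encodeToString(v.toByteArray()); }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        RSAPublicKey client = (RSAPublicKey) g.generateKeyPair().getPublic();
        // Constructed SAML 1.1 assertion fragment (unsigned, for illustration only).
        String xml = "<Assertion xmlns='" + SAML + "' xmlns:ds='" + DS + "'><AuthenticationStatement><Subject>"
            + "<SubjectConfirmation><ConfirmationMethod>" + HOK + "</ConfirmationMethod><ds:KeyInfo><ds:KeyValue>"
            + "<ds:RSAKeyValue><ds:Modulus>" + b64(client.getModulus()) + "</ds:Modulus><ds:Exponent>"
            + b64(client.getPublicExponent()) + "</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>"
            + "</SubjectConfirmation></Subject></AuthenticationStatement></Assertion>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element a = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
        System.out.println("signed with bound key: " + matches(a, client));
        System.out.println("signed with other key: " + matches(a, g.generateKeyPair().getPublic()));
    }
}
```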

