Posted to wss4j-dev@ws.apache.org by Daniel Amadei <da...@gmail.com> on 2007/03/01 21:14:52 UTC

SAML + WSS4J + Axis

Hi All,

I have 2 different apps with lots of (web) services deployed on them.

I'd like to use SAML capabilities on them to be able to authenticate
only once, and when I move from app A to app B, I just send a token
which gets recognized and I'm considered authenticated.

I had a look at the samples provided with WSS4J for SAML, but I'd like
to know if I should have a SAML-capable server which gets my request
and authenticates it, generating a token. If so, can somebody point me
in the direction of which server I should get (preferably a free one)?

Thanks a lot
Daniel

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Re: SAML + WSS4J + Axis

Posted by Mike Smorul <to...@umiacs.umd.edu>.
Our setup involves multiple 'local' servers that are site-specific and 
'remote' services that rely on SAML tokens issued by the local sites 
dictating what permissions users are allowed.

The general workflow for using the services follows.

1. Each remote site has a keypair for signing assertions. Each site also 
has a unique SAML namespace.
2. Every remote service has a copy of each local site public key and the 
corresponding namespace.*
3. A user connects to his local service, presents his public key and 
requests a SAML token.
 - authentication here is just a simple user token.
4. Using the opensaml libraries, we create a token w/ the appropriate 
user privilege, sign it and return to the user.
 - There is a standard protocol for requesting and issuing assertions; 
however, since this call is part of a larger project, we found it was 
easier to just have a simple requestToken that returned the appropriate 
token.
5. The user uses wss4j, and our own handler that provides a simple way 
to access the keystore and saml token in memory w/o needing to supply a 
full crypto.properties. The deploy wsdd file and saml properties are 
listed below.

deploy.wsdd:

    <requestFlow>
        <handler type="session"/>
        <handler type="java:edu.umiacs.wssec.CachedDoAllSender">
            <parameter name="action" value="Timestamp SAMLTokenSigned"/>
        </handler>
    </requestFlow>

saml.properties:

    # wss4j saml issuer properties. This location is specified in the
    # transport.deploy.wsdd file used for the Scheduler and Receiver services
    org.apache.ws.security.saml.issuerClass=edu.umiacs.wssec.CachedIssuerImpl

6. The client calls the remote service, creating a call that is signed 
using its own keypair and has the saml token embedded in the headers.
7. The remote service does the following to check the call:
  a. wss4j handles the crypto part of the call and basic 
signature checking. Its saml checking is limited to checking for 
existence only.
  b. We extract the saml token and signing key from the wss4j headers.
  c. Ensure the public client key in the token and signing key of the 
message match.
  d. Check to make sure the saml namespace and saml token signature are 
in agreement.
  e. Now that we finally trust the assertion, the service checks to make 
sure the assertion authorizes the clients to perform a given action.

Hopefully this helps.

* - To get around the headache of trusted key distribution, we have a 
registry of all remote keys that can be securely distributed to all 
remote services.

-Mike

Daniel Amadei wrote:
> Hi All,
>
> I have 2 different apps with lots of (web) services deployed on them.
>
> I'd like to use SAML capabilities on them to be able to authenticate
> only once, and when I move from app A to app B, I just send a token
> which gets recognized and I'm considered authenticated.
>
> I had a look at the samples provided with WSS4J for SAML, but I'd like
> to know if I should have a SAML-capable server which gets my request
> and authenticates it, generating a token. If so, can somebody point me
> in the direction of which server I should get (preferably a free one)?
>
> Thanks a lot
> Daniel
>
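A constructed sketch of Mike's steps 7b-7e in plain java.security (an added example, not the edu.umiacs.wssec handler and not the WSS4J or OpenSAML API): the assertion is modelled as a record holding the issuer namespace, the holder-of-key public key, the granted action and the issuer's signature, and the namespace-keyed map stands in for the footnote's registry of trusted site keys. The class, field and namespace names are assumptions, and the signed byte string stands in for canonicalised assertion XML.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;

// Constructed model of steps 7b-7e (not the edu.umiacs.wssec handler): the parsed
// assertion pieces are plain fields, and the signed bytes stand in for canonicalised XML.
public final class AssertionTrustCheck {
    record Assertion(String issuerNamespace, PublicKey subjectKey, String action, byte[] signature) {}
    // What the issuer signs: namespace, granted action and the subject's (holder-of-key) public key.
    static byte[] signedBytes(String ns, PublicKey subject, String action) {
        String key = Base64.getEncoder().encodeToString(subject.getEncoded());
        return (ns + "|" + action + "|" + key).getBytes(StandardCharsets.UTF_8);
    }
    // Footnote registry: each site's SAML namespace -> its assertion-signing public key.
    private final Map<String, PublicKey> issuerRegistry;
    AssertionTrustCheck(Map<String, PublicKey> issuerRegistry) { this.issuerRegistry = issuerRegistry; }
    // messageSigner is the key WSS4J verified the SOAP message signature with (7a/7b).
    boolean authorize(Assertion a, PublicKey messageSigner, String requestedAction)
            throws GeneralSecurityException {
        PublicKey issuerKey = issuerRegistry.get(a.issuerNamespace());
        if (issuerKey == null) return false;                 // unknown site: nothing to trust
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(issuerKey);
        v.update(signedBytes(a.issuerNamespace(), a.subjectKey(), a.action()));
        if (!v.verify(a.signature())) return false;          // 7d: namespace and signature disagree
        if (!Arrays.equals(a.subjectKey().getEncoded(), messageSigner.getEncoded())) return false; // 7c
        return a.action().equals(requestedAction);           // 7e: assertion must grant the action
    }
    // Issuer side (step 4, simplified): sign the assertion fields with the site's private key.
    static Assertion issue(String ns, PrivateKey siteKey, PublicKey subject, String action)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(siteKey);
        s.update(signedBytes(ns, subject, action));
        return new Assertion(ns, subject, action, s.sign());
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair site = gen.generateKeyPair(), client = gen.generateKeyPair(), other = gen.generateKeyPair();
        AssertionTrustCheck check = new AssertionTrustCheck(Map.of("urn:example:siteA", site.getPublic()));
        Assertion token = issue("urn:example:siteA", site.getPrivate(), client.getPublic(), "read");
        System.out.println(check.authorize(token, client.getPublic(), "read"));   // signer matches the token's key
        System.out.println(check.authorize(token, other.getPublic(), "read"));    // token presented under another key
        System.out.println(check.authorize(token, client.getPublic(), "delete")); // action not granted by assertion
    }
}
```

Only the first call passes all three checks; the second shows why step 7c matters (a valid token is useless to a caller who cannot sign with the key it names), and the third is the authorization decision of step 7e.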



