Posted to users@cxf.apache.org by Tim Williams <wi...@gmail.com> on 2008/06/30 22:26:26 UTC

Binding/Validating a SAMLv2 Token with STS

So my STS returns a SAML token that I can get as a w3c element.  I'm
wondering how I can bind that token to an outgoing message and then
validate a SAMLv2 token on an incoming service call.  There are
samples of, I think, something similar using a UserNameToken with
WSS4J(In|Out)Interceptor but I'm not sure what the ACTION and Map
entries would be for a SAML Token and/or if this is the right
approach?  Any help much appreciated...
--tim

Re: Binding/Validating a SAMLv2 Token with STS

Posted by Glen Mazza <gl...@verizon.net>.
We use Apache WSS4J for WS-Security, so you may want to check that
group's mailing list to determine current SAML support.  I think Metro
and possibly Axis2 are ahead of CXF with SAML support, but am unsure.

Glen


RE: Binding/Validating a SAMLv2 Token with STS

Posted by "Arundel, Donal" <do...@iona.com>.
WSS4J may have some stuff that you can use, but you could also
handle this directly with JAXB.
Both are probably some effort though.
I guess that the low-level details as to how to do the above are really
probably what you are looking for, but maybe some background on the
higher-level flow (most of which is token-type independent) may be of
some use.

---

After doing your issue request to the STS and extracting the SAML token
from the RSTR, you could potentially develop a simple credentials
model that maintains the "currency" or outbound applicability of this
token credential.

An appropriate out interceptor could be developed that would query this
current credentials interface and then generate the appropriate WSS SAML
token profile data on the way out.

There is a slightly different flow for an initiating client that is
invoking the issue binding as an SSO client login, and for a target
server that is doing an issue binding on behalf of a client that has not
previously obtained a SAML SSO token.
E.g. a pure client might wish to use an SSO credential for all outbound
calls, but say, for example, that non-SAML SSO WS-Security credentials
were received by an intermediate WS-Trust enabled target server - then
the SSO credentials might be requested "on behalf" of the initiating
client by the target server. Subsequently the resulting SAML SSO token
could be used for the outbound call to the next tier.

Assuming that a client has done SSO to a Login STS to obtain an unsigned
SAML token, this would then be presented to the target server, and
a target server interceptor could invoke the WS-Trust STS validate
binding to verify it, receiving a validated and potentially transformed
token based on the RST metadata supplied, e.g. requested token type etc.
However, for a "signed SAML" scenario the target server may locally be
able to do all required validation without needing to consult the STS.

Cheers,
    Donal
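
[Editor's note: the flow Donal describes above (extract the issued assertion from the RSTR, keep a "currency" record for it, have an out interceptor put it into the WS-Security header, and have an in interceptor on the target pull it back out and check it) is modelled below as an added example. It is not CXF or WSS4J code and does not show the CXF interceptor configuration Tim asked about; it uses only the Python standard library to show the message structure and the checks involved. The RSTR, assertion ID, issuer, subject, audience URI and validity window are constructed sample values, and the 60-second clock-skew allowance is an assumption. Only the unsigned-token case is handled locally; for a signed assertion the XML Signature would also have to be verified (or the STS validate binding consulted), which this example does not do.]

```python
"""Added example: WS-Trust issue -> carry -> validate flow for a SAML 2.0 token,
standard library only.  Not CXF/WSS4J code; it shows the messages an out/in
interceptor pair produces and consumes, and the currency checks on the token."""
import copy
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
for _prefix, _uri in (("wst", WST), ("saml2", SAML2), ("soap", SOAP), ("wsse", WSSE)):
    ET.register_namespace(_prefix, _uri)

# Constructed RSTR, as an STS issue binding might return it (unsigned assertion,
# hypothetical ID/issuer/subject/audience/validity values).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}" xmlns:saml2="{SAML2}">
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <wst:RequestedSecurityToken>
    <saml2:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2008-06-30T21:00:00Z">
      <saml2:Issuer>https://sts.example.test</saml2:Issuer>
      <saml2:Subject><saml2:NameID>tim</saml2:NameID></saml2:Subject>
      <saml2:Conditions NotBefore="2008-06-30T21:00:00Z" NotOnOrAfter="2008-06-30T21:30:00Z">
        <saml2:AudienceRestriction><saml2:Audience>urn:example:target-service</saml2:Audience></saml2:AudienceRestriction>
      </saml2:Conditions>
    </saml2:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

# Constructed outbound request with no SOAP header yet.
REQUEST = f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body><ping/></soap:Body></soap:Envelope>'


def _ts(value):
    """Parse a SAML xs:dateTime such as 2008-06-30T21:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class TokenCredential:
    """The 'currency' model: the raw assertion plus what is needed to decide if it is still usable."""
    assertion: ET.Element
    not_before: datetime
    not_on_or_after: datetime
    audiences: tuple

    @classmethod
    def from_assertion(cls, assertion):
        cond = assertion.find(f"{{{SAML2}}}Conditions")
        if cond is None:
            raise ValueError("assertion has no Conditions; refusing to treat it as usable")
        auds = tuple(a.text for a in cond.iter(f"{{{SAML2}}}Audience"))
        return cls(assertion, _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter")), auds)

    def check(self, now, audience, skew=timedelta(seconds=60)):
        """Return (ok, reason). skew tolerates clock drift between STS and relying party (assumed 60s)."""
        if now + skew < self.not_before:
            return False, "not yet valid"
        if now - skew >= self.not_on_or_after:
            return False, "expired"
        if self.audiences and audience not in self.audiences:
            return False, "audience mismatch"
        return True, "ok"


def extract_issued_token(rstr_xml):
    """Client side: pull the SAML assertion out of the RSTR returned by the STS issue binding."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(f"{{{WST}}}RequestedSecurityToken/{{{SAML2}}}Assertion")
    if assertion is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion")
    return TokenCredential.from_assertion(assertion)


def attach_token(envelope_xml, cred):
    """Out interceptor: place the assertion directly inside wsse:Security (SAML Token Profile)."""
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        env.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    security.append(copy.deepcopy(cred.assertion))
    return ET.tostring(env, encoding="unicode")


def validate_inbound(envelope_xml, now, expected_audience):
    """In interceptor, unsigned case: locate the assertion and check its currency locally.
    A signed assertion would additionally need its XML Signature verified or the STS validate binding."""
    env = ET.fromstring(envelope_xml)
    assertion = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML2}}}Assertion")
    if assertion is None:
        return False, "no SAML assertion in wsse:Security"
    return TokenCredential.from_assertion(assertion).check(now, expected_audience)
```

Usage: extract_issued_token(SAMPLE_RSTR) gives the credential, attach_token(REQUEST, cred) produces the outbound envelope, and validate_inbound(envelope, now, "urn:example:target-service") on the target side returns (True, "ok") inside the validity window and a (False, reason) pair when the token is expired, not yet valid, addressed to another audience, or absent.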



