Posted to users@cxf.apache.org by Raffaele Sgarro <ra...@gmail.com> on 2017/03/16 07:19:13 UTC

How to create SAML assertions

I have this web service that requires SAML assertions:

- Example request: https://hastebin.com/uducuyobuv.xml
- WSDL: https://hastebin.com/yapotuqiqu.wsdl
- XSD: https://hastebin.com/udoworowig.xsd

I put a CallbackHandler in the SecurityConstants.SAML_CALLBACK_HANDLER key
but it is never called.

It seems to me that the security policy does not reference SAML in any way,
so I may need to manually configure CXF. But how?

Re: How to create SAML assertions

Posted by Raffaele Sgarro <ra...@gmail.com>.
The three assertions are definitely created by the client (by me). Can't
understand that layout, but never used SAML before so can't tell if it's
usual or not. I guess the service provider didn't do, either. We are slowly
collaborating on getting the thing done and I hope we can improve the
server part together but ultimately I can't contribute to the broken code.

In the unlikely case it will ever help someone, I'll share here the code I
used to work around this problem by manually adding three SAML assertions
to the SOAP header:

https://gist.github.com/anonymous/c9d609103100146506e7b6d1dd168afe

On Mon, Mar 20, 2017 at 13:25, Colm O hEigeartaigh <
coheigea@apache.org> wrote:

> What I meant was why are there three assertions in the security header
> (and not one)? Are the assertions meant to be created by the client or
> obtained from a third-party service of some kind?
>
> Colm.
>
> On Mon, Mar 20, 2017 at 12:09 PM, Raffaele Sgarro <
> raffaelesgarro@gmail.com> wrote:
>
> Hi Colm,
>
> thanks for your valuable insights. Indeed the WSDL is broken in a number
> of ways but comes from the service provider and I don't think it will be
> fixed anytime soon. I worked around it a number of ways: added a
> ManualSAMLOutInterceptor, enabled the WSAddressing feature, and counting...
>
> Just for curiosity, what do you mean by "The example request contains
> three SAML Assertions. This is also rather unusual...who is supposed to
> be providing these Assertions?"?
>
> On Mon, Mar 20, 2017 at 12:37, Colm O hEigeartaigh <
> coheigea@apache.org> wrote:
>
> The security policy in the WSDL is unusual to say the least. It defines an
> AsymmetricBinding policy, but no SignedParts/EncryptedParts so no security
> is actually applied to the SOAP request. I find it hard to believe that
> this is the desired behaviour?
>
> The example request contains three SAML Assertions. This is also rather
> unusual...who is supposed to be providing these Assertions? The SAML
> CallbackHandler is not called by the way, because there is no SamlToken
> policy in the WSDL.
>
> Colm.
>
> On Thu, Mar 16, 2017 at 7:19 AM, Raffaele Sgarro <raffaelesgarro@gmail.com>
> wrote:
>
> > I have this web service that requires SAML assertions:
> >
> > - Example request: https://hastebin.com/uducuyobuv.xml
> > - WSDL: https://hastebin.com/yapotuqiqu.wsdl
> > - XSD: https://hastebin.com/udoworowig.xsd
> >
> > I put a CallbackHandler in the SecurityConstants.SAML_CALLBACK_HANDLER key
> > but it is never called.
> >
> > It seems to me that the security policy does not reference SAML in any way,
> > so I may need to manually configure CXF. But how?
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: How to create SAML assertions

Posted by Colm O hEigeartaigh <co...@apache.org>.
What I meant was why are there three assertions in the security header (and
not one)? Are the assertions meant to be created by the client or obtained
from a third-party service of some kind?

Colm.

On Mon, Mar 20, 2017 at 12:09 PM, Raffaele Sgarro <ra...@gmail.com>
wrote:

> Hi Colm,
>
> thanks for your valuable insights. Indeed the WSDL is broken in a number
> of ways but comes from the service provider and I don't think it will be
> fixed anytime soon. I worked around it a number of ways: added a
> ManualSAMLOutInterceptor, enabled the WSAddressing feature, and counting...
>
> Just for curiosity, what do you mean by "The example request contains
> three SAML Assertions. This is also rather unusual...who is supposed to
> be providing these Assertions?"?
>
> On Mon, Mar 20, 2017 at 12:37, Colm O hEigeartaigh <
> coheigea@apache.org> wrote:
>
>> The security policy in the WSDL is unusual to say the least. It defines an
>> AsymmetricBinding policy, but no SignedParts/EncryptedParts so no security
>> is actually applied to the SOAP request. I find it hard to believe that
>> this is the desired behaviour?
>>
>> The example request contains three SAML Assertions. This is also rather
>> unusual...who is supposed to be providing these Assertions? The SAML
>> CallbackHandler is not called by the way, because there is no SamlToken
>> policy in the WSDL.
>>
>> Colm.
>>
>> On Thu, Mar 16, 2017 at 7:19 AM, Raffaele Sgarro <
>> raffaelesgarro@gmail.com>
>> wrote:
>>
>> > I have this web service that requires SAML assertions:
>> >
>> > - Example request: https://hastebin.com/uducuyobuv.xml
>> > - WSDL: https://hastebin.com/yapotuqiqu.wsdl
>> > - XSD: https://hastebin.com/udoworowig.xsd
>> >
>> > I put a CallbackHandler in the SecurityConstants.SAML_CALLBACK_HANDLER key
>> > but it is never called.
>> >
>> > It seems to me that the security policy does not reference SAML in any way,
>> > so I may need to manually configure CXF. But how?
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: How to create SAML assertions

Posted by Raffaele Sgarro <ra...@gmail.com>.
Hi Colm,

thanks for your valuable insights. Indeed the WSDL is broken in a number of
ways but comes from the service provider and I don't think it will be fixed
anytime soon. I worked around it a number of ways: added a
ManualSAMLOutInterceptor, enabled the WSAddressing feature, and counting...

Just for curiosity, what do you mean by "The example request contains three
SAML Assertions. This is also rather unusual...who is supposed to be
providing these Assertions?"?

On Mon, Mar 20, 2017 at 12:37, Colm O hEigeartaigh <
coheigea@apache.org> wrote:

> The security policy in the WSDL is unusual to say the least. It defines an
> AsymmetricBinding policy, but no SignedParts/EncryptedParts so no security
> is actually applied to the SOAP request. I find it hard to believe that
> this is the desired behaviour?
>
> The example request contains three SAML Assertions. This is also rather
> unusual...who is supposed to be providing these Assertions? The SAML
> CallbackHandler is not called by the way, because there is no SamlToken
> policy in the WSDL.
>
> Colm.
>
> On Thu, Mar 16, 2017 at 7:19 AM, Raffaele Sgarro <raffaelesgarro@gmail.com>
> wrote:
>
> > I have this web service that requires SAML assertions:
> >
> > - Example request: https://hastebin.com/uducuyobuv.xml
> > - WSDL: https://hastebin.com/yapotuqiqu.wsdl
> > - XSD: https://hastebin.com/udoworowig.xsd
> >
> > I put a CallbackHandler in the SecurityConstants.SAML_CALLBACK_HANDLER key
> > but it is never called.
> >
> > It seems to me that the security policy does not reference SAML in any way,
> > so I may need to manually configure CXF. But how?
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: How to create SAML assertions

Posted by Colm O hEigeartaigh <co...@apache.org>.
The security policy in the WSDL is unusual to say the least. It defines an
AsymmetricBinding policy, but no SignedParts/EncryptedParts so no security
is actually applied to the SOAP request. I find it hard to believe that
this is the desired behaviour?

The example request contains three SAML Assertions. This is also rather
unusual...who is supposed to be providing these Assertions? The SAML
CallbackHandler is not called by the way, because there is no SamlToken
policy in the WSDL.

Colm.

On Thu, Mar 16, 2017 at 7:19 AM, Raffaele Sgarro <ra...@gmail.com>
wrote:

> I have this web service that requires SAML assertions:
>
> - Example request: https://hastebin.com/uducuyobuv.xml
> - WSDL: https://hastebin.com/yapotuqiqu.wsdl
> - XSD: https://hastebin.com/udoworowig.xsd
>
> I put a CallbackHandler in the SecurityConstants.SAML_CALLBACK_HANDLER key
> but it is never called.
>
> It seems to me that the security policy does not reference SAML in any way,
> so I may need to manually configure CXF. But how?
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
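
A check for the two policy conditions described in the reply above, added here as an example; it is not code from the thread or from CXF. The function name, the finding codes and both sample policies are constructed for illustration; the check also covers SymmetricBinding, and it scans the whole document without resolving policy references.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespaces: 1.1 and 1.2/1.3.
SP_NAMESPACES = (
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
)
SP12, WSP = SP_NAMESPACES[1], "http://www.w3.org/ns/ws-policy"

def _has(root, local_name):
    """True if any sp:<local_name> element occurs anywhere in the document."""
    return any(next(root.iter(f"{{{ns}}}{local_name}"), None) is not None
               for ns in SP_NAMESPACES)

def lint_policy(xml_text):
    """Return finding codes for a saved WSDL or WS-Policy document."""
    root = ET.fromstring(xml_text)
    findings = []
    has_binding = _has(root, "AsymmetricBinding") or _has(root, "SymmetricBinding")
    # A message-level binding with no SignedParts/EncryptedParts protects nothing.
    if has_binding and not (_has(root, "SignedParts") or _has(root, "EncryptedParts")):
        findings.append("binding-without-signed-or-encrypted-parts")
    # Per the thread: no SamlToken assertion, so the SAML CallbackHandler is not called.
    if not _has(root, "SamlToken"):
        findings.append("no-samltoken-assertion")
    return findings

# Constructed sample: a binding and nothing else, as described in the thread.
BINDING_ONLY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP12}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken/><sp:RecipientToken/>
  </wsp:Policy></sp:AsymmetricBinding>
</wsp:Policy>"""

# Constructed sample: same binding plus a signed body and a SAML token requirement.
WITH_SAML = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP12}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken/><sp:RecipientToken/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
  <sp:SignedSupportingTokens><wsp:Policy>
    <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
  </wsp:Policy></sp:SignedSupportingTokens>
</wsp:Policy>"""

if __name__ == "__main__":
    print(lint_policy(BINDING_ONLY))
    print(lint_policy(WITH_SAML))
```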