SAML Token Support
beve Sep 14, 2009 3:37 AMJeff Yu and I are working on adding SAML v2.0 support for JBossESB : http://jira.jboss.org/jira/browse/JBESB-2263
We have the following situations regarding authentication:
The calling party has a pre-existing SAML Assertion that is to be validated.
This option is taken care of by JBossSTSLoginModule which is a JAAS Login Module which will call JBossSTS (Security Token Service) to validate an existing SAML Assertion. The SAML Assertion will be extracted prior to calling the service by the client. The client could be an external client using the ServiceInvoker or could be a gateway in the ESB.
Example of JBossSTSLoginModule configuration:
<application-policy name = "jbossesb-saml"> <authentication> <login-module code="org.jboss.soa.esb.services.security.auth.login.JBossSTSLoginModule" flag="required"> <module-option name="serviceName">JBossSTS</module-option> <module-option name="portName">JBossSTSPort</module-option> <module-option name="endpointAddress">http://localhost:8080/jboss-sts/JBossSTS</module-option> <module-option name="username">admin</module-option> <module-option name="password">admin</module-option> </login-module> </authentication> </application-policy>
The calling party does not have a SAML Assertion so one needs to be issued.
The issuing of a SAML Assertion will be performed by an action in the ESB called JBossSTSAction. This actions configuration is very similar to the
configuration of the JBossSTSLoginModule since they both use the WSTrustClient under the covers.
Example configuration of JBossSTSAction:
<action name="issueToken" class="org.jboss.soa.esb.actions.security.JBossSTSAction"> <property name="serviceName" value="JBossSTS"/> <property name="portName" value="JBossSTSPort"/> <property name="endpointAddress" value="http://localhost:8080/jboss-sts/JBossSTS"/> <property name="username" value="admin"/> <property name="password" value="admin"/> <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/> <property name="addToEsbMessage" value="false"/> <property name="addToEsbAuthRequest" value="true"/> </action>
The properties 'addToEsbMessage' and 'addToEsbAuthRequest' might need some explaination.
addToEsbMessage means that the SAML Assertion will be set on the ESB Message object using the configuration location. This uses the the PayloadProxy so the normal options are available here. This would be used when you are about to call an external services and need access to the SAML Assertion.
addToEsbAuthRequest means that the SAML Assertion will be added to the ESB AuthenticationRequest. This would be set when your are will be calling other services in the ESB that require a valid SAML Assertion, i.e. that are using the JBossSTSLoginModule.
What still needs to be done is adding the extraction of the SAML Assertions in the gateway(s) and also have the Assertion injected into outgoing SOAP Message Security Headers. Using JAX-WS protocol handlers seem appropriate in this situation but I'll be looking onto this next
Workspace: http://anonsvn.jboss.org/repos/labs/labs/jbossesb/workspace/dbevenius/saml_support/
Quickstart: http://anonsvn.jboss.org/repos/labs/labs/jbossesb/workspace/dbevenius/saml_support/product/samples/quickstarts/security_saml/
Any thoughts or comments are welcome.
Regards,
/Daniel