+1, I think we can go with ThreadLocal first and then see if there any problems.

Thanks
Jeff

"beve" wrote:
Regarding the adding of the SAML Assertion to the outgoing SOAP Security Header, perhaps a better solution would be to have the JBossSTSAction set the SAML Assertion as a ThreadLocal.
This way we could write a a protocol handler for SOAP which could add the SAML Assertion to the out bound SOAP Header.
This would also simplify the STSAction as it would not require the additional 'addToEsb*' options.

What do you think?

Regards,

/Daniel

"beve" wrote:
Jeff Yu and I are working on adding SAML v2.0 support for JBossESB : http://jira.jboss.org/jira/browse/JBESB-2263

We have the following situations regarding authentication:

The calling party has a pre-existing SAML Assertion that is to be validated.
This option is taken care of by JBossSTSLoginModule which is a JAAS Login Module which will call JBossSTS (Security Token Service) to validate an existing SAML Assertion. The SAML Assertion will be extracted prior to calling the service by the client. The client could be an external client using the ServiceInvoker or could be a gateway in the ESB.

Example of JBossSTSLoginModule configuration:

<application-policy name = "jbossesb-saml">
 <authentication>
 <login-module code="org.jboss.soa.esb.services.security.auth.login.JBossSTSLoginModule" flag="required">
 <module-option name="serviceName">JBossSTS</module-option>
 <module-option name="portName">JBossSTSPort</module-option>
 <module-option name="endpointAddress">http://localhost:8080/jboss-sts/JBossSTS</module-option>
 <module-option name="username">admin</module-option>
 <module-option name="password">admin</module-option>
 </login-module>
 </authentication>
</application-policy>

The calling party does not have a SAML Assertion so one needs to be issued.
The issuing of a SAML Assertion will be performed by an action in the ESB called JBossSTSAction. This actions configuration is very similar to the
configuration of the JBossSTSLoginModule since they both use the WSTrustClient under the covers.

Example configuration of JBossSTSAction:

<action name="issueToken" class="org.jboss.soa.esb.actions.security.JBossSTSAction">
 <property name="serviceName" value="JBossSTS"/>
 <property name="portName" value="JBossSTSPort"/>
 <property name="endpointAddress" value="http://localhost:8080/jboss-sts/JBossSTS"/>
 <property name="username" value="admin"/>
 <property name="password" value="admin"/>
 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
 <property name="addToEsbMessage" value="false"/>
 <property name="addToEsbAuthRequest" value="true"/>
</action>

The properties 'addToEsbMessage' and 'addToEsbAuthRequest' might need some explaination.

addToEsbMessage means that the SAML Assertion will be set on the ESB Message object using the configuration location. This uses the the PayloadProxy so the normal options are available here. This would be used when you are about to call an external services and need access to the SAML Assertion.

addToEsbAuthRequest means that the SAML Assertion will be added to the ESB AuthenticationRequest. This would be set when your are will be calling other services in the ESB that require a valid SAML Assertion, i.e. that are using the JBossSTSLoginModule.

What still needs to be done is adding the extraction of the SAML Assertions in the gateway(s) and also have the Assertion injected into outgoing SOAP Message Security Headers. Using JAX-WS protocol handlers seem appropriate in this situation but I'll be looking onto this next

Workspace: http://anonsvn.jboss.org/repos/labs/labs/jbossesb/workspace/dbevenius/saml_support/
Quickstart: http://anonsvn.jboss.org/repos/labs/labs/jbossesb/workspace/dbevenius/saml_support/product/samples/quickstarts/security_saml/

Any thoughts or comments are welcome.

Regards,

/Daniel

http://anonsvn.jboss.org/repos/jbossidentity/identity-federation/trunk/jboss-identity-fed-api/src/main/java/org/jboss/identity/federation/api/wstrust/WSTrustClient.java

Looking at the signature, the validateToken takes in a dom element representing the saml2 token. So it is already there. Ensure that you parse the token as dom and then feed it to the sts via this api.

Looked at the JBossSTSSecurityHandler class, I'd like to propose that we move this kind of handler to the identity federation codebase, along with WSTrustClient class. As I thought this should be reused by other projecs, not only the ESB. Besides, this sort of class should more belong to JBoss STS more than esb itself.

In regard to the ESB, the JBossSTSAction and JBossSTSLoginModule should be enough.

What do you think?

Thanks
Jeff

You mention SOAPProcessor, but how would this work with EBWS?

You state:

One is for a JBossSTSLoginModule to validate an existing SAML token when a call enters the ESB.

I am just coming to this late and for that I apologise.

"beve" wrote:
The issuing of a SAML Assertion will be performed by an action in the ESB called JBossSTSAction.

"beve" wrote:
I can't really say that this was a technical reason for this. It just seemed appropriate that the LoginModule should only do one thing and that was to validate an existing token from a calling client.

"beve" wrote:
Sorry, I'm not following your suggested solution here. Could you expand on what you mean for this to be handled indirectly with javax.security.