1. Re: SOAP binding protocol in picketlink seam ServiceProvider
marcelkolsteren Sep 29, 2010 4:39 PM (in response to trygvei)
You're completely right about the lack of SOAP binding support in the PicketLink Seam module. Another binding that is not supported, by the way, is the HTTP Artifact binding. Just because no one asked for it :-).
The PicketLink Seam module implements two SAMLv2 profiles: the Web Browser SSO Profile and the Single Logout Profile (sections 4.1 and 4.4 of the SAMLv2 Profiles specification). According to the specification, the Web Browser SSO Profile can only be used with "front channel" bindings: HTTP Redirect, HTTP POST and HTTP Artifact. In the specification of the Single Logout Profile, the SOAP binding is mentioned as an allowed back channel binding, but there is a very strong bias towards the front channel bindings there. That bias has to do with the fact that sessions are often maintained with browser cookies, which implies that you need the browser (user agent) to log the user out of all applications.
I wonder what IDP you're using, and where the SOAP binding requirement exactly comes from. I don't see possibilities of implementing that binding, because the specification doesn't describe it (at least not for the sign on part).
So, maybe you're referring to a whole other set of standards/specifications? Maybe WS-Trust or WS-Federation or another WS-* standard? In that case, your question is out of scope for the current PicketLink Seam module. The PicketLink Seam module targets web applications, not web services or web service clients. There are some other parts of PicketLink (not led by me) that focus more on web services, but they have no explicit Seam support.
2. Re: SOAP binding protocol in picketlink seam ServiceProvider
trygvei Sep 29, 2010 7:11 PM (in response to marcelkolsteren)
My IDP is referring to the Web Browser SSO Profile and the Single Logout Profile. I haven't tried connecting yet, because my metadata files were missing the SOAP binding for the back-channel SLO. I know that they are using OpenSSO/OpenAM as their IDP software, so I will play around with a local OpenAM install to find out how it is working.
Regarding the SSO profile, it seems like they are implementing the pattern described in lines 490 to 492 in http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, so it seems I'm needing the artifact binding as well :-(
I'm starting to understand that I'm out of luck here ...
Trygve
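The two posts above turn on which SAMLv2 bindings an SP declares for Single Logout and how the same LogoutRequest is carried on a front-channel binding versus the SOAP back channel. The following is an added example (written for this page, not PicketLink code, and not from either poster): it parses a constructed SP metadata document to see which SingleLogoutService bindings are declared, then encodes one LogoutRequest for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded into the SAMLRequest query parameter) and wraps the same message in a SOAP 1.1 envelope as the SOAP binding would. The entity IDs, hostnames, request ID and NameID are made up for the illustration. The example deliberately omits the XML signature that a real LogoutRequest must carry (or the transport-level authentication a binding can substitute for it); it shows only the binding layer.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
FRONT_CHANNEL = {BINDING_REDIRECT, BINDING_POST, BINDING_ARTIFACT}

# Constructed SP metadata for the example; the hostnames are made up.
# It declares SLO endpoints for one front-channel binding and the SOAP back channel.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.test/saml/slo-soap"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def slo_bindings(metadata_xml):
    """Map each declared SingleLogoutService binding URI to its Location."""
    root = ET.fromstring(metadata_xml)
    services = root.findall("md:SPSSODescriptor/md:SingleLogoutService", NS)
    return {svc.get("Binding"): svc.get("Location") for svc in services}


def back_channel_slo_supported(metadata_xml):
    """True only if the SP advertises a SOAP (back-channel) SLO endpoint."""
    return BINDING_SOAP in slo_bindings(metadata_xml)


def build_logout_request(issuer, name_id, request_id, issue_instant):
    """Minimal unsigned LogoutRequest (a real one must be signed or otherwise authenticated)."""
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        "</samlp:LogoutRequest>"
    )


def redirect_binding_query(logout_request_xml, relay_state=None):
    """Front channel (HTTP-Redirect): raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(logout_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_binding_query(query):
    """Reverse of redirect_binding_query: what the receiving SLO endpoint does."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def soap_binding_envelope(logout_request_xml):
    """Back channel (SOAP): the same message placed in a SOAP 1.1 Body, POSTed IdP-to-SP."""
    return (
        f'<soap-env:Envelope xmlns:soap-env="{SOAP_ENV}"><soap-env:Body>'
        + logout_request_xml
        + "</soap-env:Body></soap-env:Envelope>"
    )


def extract_from_soap(envelope_xml):
    """Pull (request ID, NameID) out of a SOAP-bound LogoutRequest."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    req = body.find("samlp:LogoutRequest", NS)
    return req.get("ID"), req.find("saml:NameID", NS).text


if __name__ == "__main__":
    print("SLO bindings declared:", slo_bindings(SP_METADATA))
    print("back-channel SLO supported:", back_channel_slo_supported(SP_METADATA))
    req = build_logout_request("https://sp.example.test/saml", "alice@example.test",
                               "_example123", "2010-09-29T14:39:00Z")
    print("HTTP-Redirect query:", redirect_binding_query(req, "https://sp.example.test/"))
    print("SOAP envelope:", soap_binding_envelope(req))
```

The difference the thread is about shows up in the transport, not the message: on the front channel the browser carries the encoded query string (or a POSTed form, or an artifact) from one party to the other, so the browser's session cookie is present at each SP and can be cleared; on the SOAP back channel the IdP connects to the SP's endpoint directly, the message is the same XML inside a SOAP Body, and no browser request ever reaches the SP, so the SP has to terminate the session by its own index rather than through the cookie.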
3. Re: SOAP binding protocol in picketlink seam ServiceProvider
marcelkolsteren Sep 30, 2010 12:04 PM (in response to trygvei)
I wrote two articles about using PicketLink with OpenSSO based IDPs. Maybe they can help you when testing with OpenAM:
External authentication example using OpenSSO
External authentication example using SSOCircle
OpenSSO itself doesn't require a SOAP back-channel binding, so requiring it has probably been a choice of the organisation that runs your IDP.