3 Replies Latest reply on Sep 30, 2010 12:04 PM by Marcel Kolsteren

    SOAP binding protocol in picketlink seam ServiceProvider

    trygvei Newbie

      My IDP requires usage of the soap binding protocol for  AssertionConsumerService and SingleLogoutService. I can't find any  support for this in picketlink.

      First: Am I right, or did I miss it somewhere?

      If it is missing: Is it any particular reason it isn't here?

      Does anyone have any input on how this should be implemented?

      I have thought of adding it to the MetaDataService, and adding handling of soap in ExternalAuthenticationFilter and SamlMessageReceiver. Does this sound like an approach that should work, or is a more full blown soap-framework needed.?

        • 1. Re: SOAP binding protocol in picketlink seam ServiceProvider
          Marcel Kolsteren Apprentice

          You're completely right about the lack of SOAP binding support in the PicketLink Seam module. Another binding that is not supported, by the way, is the HTTP Artifact binding. Just because no one asked for it :-).

           

          The PicketLink Seam module implements two SAMLv2 profiles: the Web Browser SSO Profile and the Single Logout Profile (sections and 4.1 and 4.4 of the SAMLv2 Profiles specification). According to the specification, the Web Browser SSO Profile can only be used with "front channel" bindings: HTTP Redirect, HTTP POST and HTTP Artifact. In the specification of the Single Logout Profile, the SOAP binding is mentioned as an allowed back channel binding, but there is a very strong bias on the front channel bindings there. That bias has to do with the fact that sessions are often maintained with browser cookies, which implies that you need the browser (user agent) to logout the user from all applications.

           

          I wonder what IDP you're using, and where the SOAP binding requirement exactly comes from. I don't see possibilities of implementing that binding, because the specification doesn't describe it (at least not for the sign on part).

           

          So, maybe you're referring to a whole other set of standards/specifications? Maybe WS-Trust or WS-Federation or another WS-* standard? In that case, your question is out of scope for the current PicketLink Seam module. The PicketLink Seam module targets web applications, not web services or web service clients. There are some other parts of PicketLink (not lead by me) that focus more on web services, but they have no explicit Seam support.

          • 2. Re: SOAP binding protocol in picketlink seam ServiceProvider
            trygvei Newbie

            My IDP is referring to the Web Browser SSO Profile and the Single Logout Profile. I haven't tried connecting yet, because my metafiles were missing the SOAP binding for the back-channel SLO.  I know that they are using OpenSSO/OpenAM as their IDP software, so I will play around with  a local OpenAM install to find out how it is working.

            Regarding the SSO profile, it seems like they are implementing the pattern described in lines 490 to 492 in http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, so it seems I'm needing the artifact binding as well :-(

            I'm starting to understand that I'm out of luck here ...

             

            Trygve

            • 3. Re: SOAP binding protocol in picketlink seam ServiceProvider
              Marcel Kolsteren Apprentice

              I wrote two articles about using PicketLink with OpenSSO based IDP's. Maybe they can help you when testing with OpenAM:

               

              External authentication example using OpenSSO

              External authentication example using SSOCircle

               

              OpenSSO itself doesn't require a SOAP back-channel binding, so requiring it has probably been a choice of the organisation that runs your IDP.