I think we will need to engage Alessio (or another member of the WS team) on this. Just as happens with other forms of authentication (like username/pw or SSL based), the security layer of the WS framework needs to be aware of the presence of a SAML assertion in the security headers in order to perform the authentication of the client using this assertion.
How does the authentication happen? Typically the assertion contains a proof-of-possession key that allows the WS framework to ensure that the assertion that has been presented by the caller indeed belongs to him. For example, an assertion can contain the caller's public key. When the caller invokes a web service he can sign the SOAP request using his private key. The WS framework can then use the public key contained in the assertion to verify the signature, establishing the association between caller and assertion.
Alternatively, a trusted party can vouch for the caller. In this scenario, a trusted party invokes a protected service on behalf of a different subject and presents that subject's assertion. The web service itself cannot make the association between subject and assertion - it relies on the trusted party's vouch.
Besides verifying the association between the caller and his assertion, the security layer must also validate the assertion contents - this is where the STS may be used. A WS-Trust validate request can be made to the STS, so it can verify the assertion's digital signature and validity period.
I don't know if our current WS implementation allows for SAML authentication, so we need some input from the WS team on what is already available and what would need to be implemented.
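The two confirmation methods and the STS validation step described in the post above, as an added example that is not part of the original thread and not JBossWS code. It is a deliberately simplified model: the assertion is signed over a canonical string rather than as XMLDSig, Ed25519 stands in for the RSA/X.509 keys a real deployment would use, and the issuer name "sts", the intermediary "gateway" and the `Request`/`Assertion` types are hypothetical. What it shows is the check the security layer has to make: for holder-of-key, the SOAP body signature must verify with the key bound into the assertion; for sender-vouches, the assertion carries no key and the service instead relies on a trusted intermediary's signature; in both cases the assertion's issuer signature and validity period are checked first (the WS-Trust Validate step).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SAML 2.0 subject confirmation method URIs (these are the real identifiers).
const (
	HolderOfKey   = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
	SenderVouches = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
)

// Assertion is a simplified SAML assertion (hypothetical type). A real one is XML
// signed with XMLDSig; here the issuer signs a canonical pipe-separated string.
type Assertion struct {
	Issuer       string
	Subject      string
	Confirmation string
	SubjectKey   ed25519.PublicKey // only present for holder-of-key
	NotBefore    time.Time
	NotOnOrAfter time.Time
	IssuerSig    []byte
}

func (a *Assertion) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%d|%d", a.Issuer, a.Subject, a.Confirmation,
		hex.EncodeToString(a.SubjectKey), a.NotBefore.Unix(), a.NotOnOrAfter.Unix()))
}

// IssueAssertion is the STS side: bind subject, confirmation method and (for
// holder-of-key) the subject's public key, then sign with the issuer key.
func IssueAssertion(issuer string, issuerKey ed25519.PrivateKey, subject, method string,
	subjectKey ed25519.PublicKey, notBefore time.Time, ttl time.Duration) *Assertion {
	a := &Assertion{Issuer: issuer, Subject: subject, Confirmation: method,
		SubjectKey: subjectKey, NotBefore: notBefore, NotOnOrAfter: notBefore.Add(ttl)}
	a.IssuerSig = ed25519.Sign(issuerKey, a.canonical())
	return a
}

// ValidateAssertion is what a WS-Trust Validate request to the STS does:
// check the issuer's signature and the validity period.
func ValidateAssertion(a *Assertion, trustedIssuers map[string]ed25519.PublicKey, now time.Time) error {
	pub, ok := trustedIssuers[a.Issuer]
	if !ok {
		return errors.New("assertion from unknown issuer")
	}
	if !ed25519.Verify(pub, a.canonical(), a.IssuerSig) {
		return errors.New("assertion issuer signature invalid")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return errors.New("assertion outside validity period")
	}
	return nil
}

// Request stands in for a SOAP message: the body, the assertion carried in the
// security header, and the signature over the body found in that header.
type Request struct {
	Body      []byte
	Assertion *Assertion
	BodySig   []byte
	SignerID  string // who signed the body; only consulted for sender-vouches
}

// Authenticate is the security-layer check: validate the assertion, then tie
// it to the caller. Returns the authenticated subject on success.
func Authenticate(req *Request, trustedIssuers, trustedVouchers map[string]ed25519.PublicKey, now time.Time) (string, error) {
	a := req.Assertion
	if err := ValidateAssertion(a, trustedIssuers, now); err != nil {
		return "", err
	}
	switch a.Confirmation {
	case HolderOfKey:
		// Proof of possession: the body must verify under the key bound into the assertion.
		if len(a.SubjectKey) != ed25519.PublicKeySize || !ed25519.Verify(a.SubjectKey, req.Body, req.BodySig) {
			return "", errors.New("holder-of-key: body signature does not match assertion subject key")
		}
	case SenderVouches:
		// No key in the assertion: accept only a known intermediary's signature over the body.
		pub, ok := trustedVouchers[req.SignerID]
		if !ok {
			return "", errors.New("sender-vouches: signer is not a trusted intermediary")
		}
		if !ed25519.Verify(pub, req.Body, req.BodySig) {
			return "", errors.New("sender-vouches: intermediary signature invalid")
		}
	default:
		return "", errors.New("unsupported subject confirmation method")
	}
	return a.Subject, nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	stsPub, stsPriv := mustKey()
	alicePub, alicePriv := mustKey()
	now := time.Now()
	issuers := map[string]ed25519.PublicKey{"sts": stsPub}
	body := []byte("<soap:Body>getBalance</soap:Body>") // constructed sample body
	a := IssueAssertion("sts", stsPriv, "alice", HolderOfKey, alicePub, now.Add(-time.Minute), 10*time.Minute)
	subj, err := Authenticate(&Request{Body: body, Assertion: a, BodySig: ed25519.Sign(alicePriv, body)}, issuers, nil, now)
	fmt.Println(subj, err)
}
```

The map of trusted vouchers is the policy decision the post alludes to: in sender-vouches mode the service never sees proof that the subject is present, so whether an intermediary is allowed to act for arbitrary subjects is purely a matter of which signer keys you put in that map.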
Thanks for your feedback!
I've posted a question to the JBossWS Design Forum:
I'll let you know what they say about this and I'll update this post so you can follow it.