2 Replies Latest reply on Sep 21, 2009 9:03 AM by beve

    secure web service with saml



      "Daniel" wrote:

      Jeff Yu and I are currently working on supporting SAML in JBossESB and have created the following thread in the ESB design forum:

      What we currently have is the ability to issue a SAML Assertion for JBossSTS, and insert that Assertion into an existing SOAP Security Header.
      The next step is create a web service that is secured and have our SAML Assertion validated by JBossSTS when calling this web service.

      I'm not sure about how to proceed with securing the web service, and configuring support for validating the SAML token with JBossSTS.
      Any pointers to docs or classes would be great!

        • 1. Re: secure web service with saml

          I think we will need to engage Alessio (or another member of the WS team) on this. Just as happens with other forms of authentication (like username/pw or SSL based), the security layer of the WS framework needs to be aware of the presence of a SAML assertion in the security headers in order to perform the authentication of the client using this assertion.

          How does the authentication happen? Typically the assertion contains a proof-of-possession key that allows the WS framework to ensure that the assertion that has been presented by the caller indeed belongs to him. For example, an assertion can contain the caller's public key. When the caller invokes a web service he can sign the SOAP request using his private key. The WS framework can then use the public key contained in the assertion to verify the signature, establishing the association between caller and assertion.

          Alternatively, a trusted party can vouch for the caller. In this scenario, a trusted party invokes a protected service on behalf of a different subject and presents that subject's assertion. The web service itself cannot make the association between subject and assertion - it relies on the trusted party's vouch.

          Besides verifying the association between the caller and his assertion, the security layer must also validate the assertion contents - this is where the STS may be used. A WS-Trust validate request can be made to the STS, so it can verify the assertion's digital signature and validity period.

          I don't know if our current WS implementation allows for SAML authentication, so we need some input from the WS team on what is already available and what would need to be implemented.

          • 2. Re: secure web service with saml

            Hi Stefan,

            thanks for you feedback!
            I've posted a question to the JBossWS Design Forum:
            I'll let you know what they say about this and I'll update this post so you can follow it.