Comments on Open Source and SOA, ESB and Security: SAML tokens and WS-Trust Security Token Service (STS)
Blog author: Oliver Wulff. 16 comments, listed oldest first.

Unknown (2012-07-16T16:29:42+02:00):
Okay, I'm a little confused in the HOK case that the service consumer need only take the SAML token from the STS and place it in the request to the service provider. Wouldn't the service consumer need to sign something in the SAML token to validate that he was holder of key? Otherwise what's to prevent someone from taking the token and using it somewhere else?

Oliver Wulff (2012-07-17T22:18:07+02:00):
You're right, the SAML assertion consumer must validate the holder-of-key possession if stated in the subject confirmation method.
In that case, the service consumer must either sign the request with the matching private key/cert or (for performance reasons) use a mutual SSL handshake on the transport level.
Both cases are supported by CXF:
http://coheigea.blogspot.ch/2011/09/saml-securitypolicy-enforcement-in-cxf.html

Anonymous (2012-07-25T14:10:58+02:00):
How will the service provider and the principal (user) in the identity provider communicate, and how are they identified?

Oliver Wulff (2012-07-31T09:49:16+02:00):
Not sure I understand your question. The service provider and identity provider/STS usually do not communicate with each other, as the service consumer should request a token of a trusted IDP/STS of the service provider (defined in WS-SecurityPolicy).
There is no communication between the service provider and the IDP/STS because the trust is established based on the signature of the SAML token, where only the IDP is in possession of the private key for signing.

w2m3, wwmiller3 (2012-09-10T16:55:02+02:00):
If SSL handshaking is required for HoK (and a client-side certificate to establish identity), what is the advantage of using SAML (with all of the overhead of the IdP) over just SSL with client/server-side certificates?
It would seem one is setting up a pretty good way to authenticate the service consumer/provider with SSL alone.

Oliver Wulff (2012-09-11T21:41:19+02:00):
It depends on your requirements. If you only need to know the identity (subject DN of the certificate) of the browser user and have got no other requirements like roles or user attributes for your web application, you can get similar functionality for your web application by using a mutual SSL handshake. But the certificate is valid for quite a long time, thus you might need additional authentication on top of it, which must be implemented in the application as well.
The benefit of introducing an IDP is that it reduces the complexity in all your applications, as the whole authentication is externalized to a central component. All user attributes can be provided by the IDP without requiring the applications to access an identity store to get this information, which means you introduce a dependency on it in the application. Imagine what is required to support a new authentication mechanism like two-factor authentication. You can implement it once in the IDP and use it in all applications where required, or implement this functionality in all required applications and technology stacks (Java, .NET).

Anonymous (2012-10-26T17:45:48+02:00):
Oliver, thanks very much for taking the time to post this.
It's been very useful to me.
Kind regards,
Guy

Peter Berkman (2012-11-05T17:01:05+01:00):
Have you run across any good learning examples for the server-side (consumer) using Camel and CXF that you can point me to?

Oliver Wulff (2012-11-06T08:25:23+01:00):
I assume you mean message consumer from a Camel point of view?
The Apache CXF Fediz project (http://cxf.apache.org/fediz.html) has got an example "wsclientWebapp" where a secured Web Service is called by a secured Web Application. The request to the Web Service is executed on behalf of the browser user. The STS and SAML play a key role in this example. You can just replace the JAX-WS implementation by a Camel route using the CXF component.
I can also recommend the blog of my colleague Colm:
http://coheigea.blogspot.ch

gundur (2013-03-24T19:56:30+01:00):
Hi,
Is it necessary to send the keyType and other information in the RST message to the STS?
Is it ok to send the SOAP message without the XML signature (without it being signed by the SAML token obtained from the RSTR message)?

Oliver Wulff (2013-03-28T21:39:37+01:00):
There are defaults defined in the WS-Trust spec for keyType etc. Whether it's ok to not sign the SOAP message for the target web service depends on its policies (WS-SecurityPolicy).
The following OASIS spec defines some interesting use cases:
http://docs.oasis-open.org/ws-sx/security-policy/examples/ws-sp-usecases-examples.html
Colm describes on his blog how to implement some of the above use cases in CXF:
http://coheigea.blogspot.ch/2011/12/ws-securitypolicy-examples-in-apache.html

Spoof with .NET (2013-07-15T06:50:29+02:00):
How to pass the SAML token in an SAP web service method?

Oliver Wulff (2013-09-17T17:04:26+02:00):
This depends on the underlying SAP web service stack. Is SAP acting as a web service consumer? Is SAP able to retrieve a token from the STS?

x6j8x (2013-10-01T07:36:33+02:00):
One possible use case of "sender vouches" in combination with an STS infrastructure is a centralized Service Bus which uses the STS for security token mediation purposes.
Although Bearer would also work, SV removes the need for XML signature validation when the trust between the Service Bus and the service provider is established by Mutual SSL.

Oliver Wulff (2013-10-01T08:30:15+02:00):
I describe this use case in this post:
http://owulff.blogspot.com/2012/03/saml-sender-vouches-use-case.html
where I also provide some rationale why I still prefer STS-issued tokens except under certain conditions.
The usage of the client certificate on the transport level is rarely documented, but I've found it here:
http://docs.oasis-open.org/ws-sx/security-policy/examples/ws-sp-usecases-examples.html

Anonymous (2014-08-31T16:34:14+02:00):
Very informative. Keep posting :)