Hello,

We are interested in opening a SAML endpoint within our mature SOA product offering. As such we have been focusing on the Rahas components that are included in Rampart 1.5. I have been running through the policy samples and in particular looking at sample 05.

What I don't understand is how we can inject an end user's identity into the SAML document. Because we host financial services applications, the service needs to be invoked based on the identity of the actual end user sitting at the terminal who originated the request. What we would like to see is the ability to inject arbitrary end-user credentials into the SAML attribute assertions created by the STS. Examples of credentials we'd like to use include userid, customerid and role.

Our research has led us to search this forum for clues, in addition to the Rampart/WSO2 websites, the Rampart FAQs and whatever content is published on the Internet. While much of the documentation we have found is very good (Thilina's how-to on SAML 2.0, for example), none of the documents we have found explains how we can accomplish our desired aim of arbitrary injection of end-user credentials into the SAML document.

Here is a specific use case we'd like to be able to accomplish using Axis2/Rampart/Rahas:

1. The service client calls the STS to obtain a valid SAML assertion. During the call to the STS, the end user's identity is passed into the STS. From our perspective it isn't terribly important how the end user's credential is passed, assuming there are message integrity and confidentiality controls that can be placed on the credential data and we aren't required to create X.509 certs for every user in the system (there could be many thousands of users calling services).

2. The STS returns a SAML document containing the end user's userid that was passed in on step 1. This userid must not be tied to the DN that is contained within the X.509 certificate that is passed in the WSS header of the invocation. It would be more than OK for the call to the STS to include a WSS Username token. The userid in the Username token would then be loaded into the SAML document before it is signed and returned to the STS client.

3. The service client then invokes the service provider, passing the SAML document in the WSS header of the SOAP envelope. The service provider will validate the SAML document's signature, extract the contents of the userid (or other credential) and then assert that identity onto the thread of execution before passing it on down the chain.

So my questions are: Is it possible today to achieve 1-3 using Axis2/Rampart? How do we inject the end user's identity into the SAML document? Is there a guide or sample program we can look at that shows us how?

Thanks in advance for your consideration on this matter,

Shawn McKinney
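One way the three steps above could be wired together on Rampart 1.5, as an added illustration that is not part of the original post and is not Rampart's own sample code: Rahas exposes a SAMLCallbackHandler hook on the SAML token issuer which receives the principal of the WSS header that authenticated the RequestSecurityToken, so a handler can refuse anything but a UsernameToken principal and add arbitrary attributes before the assertion is signed; on the service side Rampart verifies the assertion's signature according to policy and leaves the result in the message context under WSHandlerConstants.RECV_RESULTS, from which a later Axis2 handler can pull the userid. The package name, the attribute namespace, the in-memory user table and both class names are assumptions; the Rahas, OpenSAML 1.1 and WSS4J 1.5 class and method names are as I recall them from those versions and should be checked against the jars actually in use.

```java
// Added illustration, not code from the original post or from Rampart's own samples.
// Assumes Rampart 1.5 (Rahas), OpenSAML 1.1 and WSS4J 1.5.x; class and method names
// are as I recall them from those APIs and must be checked against the jars in use.
package example.sts; // hypothetical package
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.rahas.RahasData;
import org.apache.rahas.impl.util.SAMLAttributeCallback;
import org.apache.rahas.impl.util.SAMLCallback;
import org.apache.rahas.impl.util.SAMLCallbackHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLStatement;

/** Steps 1-2, STS side: the UsernameToken user becomes the issued attributes. */
public class EndUserAttributeCallbackHandler implements SAMLCallbackHandler {
    static final String ATTR_NS = "urn:example:claims"; // hypothetical attribute namespace
    // Constructed stand-in for the real user store: userid -> {customerid, role}.
    static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] {"C-1001", "teller"});
        USERS.put("bob",   new String[] {"C-1002", "auditor"});
    }

    public void handle(SAMLCallback callback) throws SAMLException {
        if (callback.getCallbackType() != SAMLCallback.ATTR_CALLBACK) return; // NameIdentifier left to Rahas
        SAMLAttributeCallback attrCb = (SAMLAttributeCallback) callback;
        RahasData data = attrCb.getData();
        // Rahas sets the principal from the WSS header that authenticated the RST. Accept only a
        // UsernameToken principal so the userid can never be the DN of whichever X.509 signed it.
        if (!(data.getPrincipal() instanceof WSUsernameTokenPrincipal)) {
            throw new SAMLException("RST must be authenticated with a UsernameToken");
        }
        String userId = data.getPrincipal().getName();
        String[] rec = USERS.get(userId);
        if (rec == null) throw new SAMLException("unknown user: " + userId);
        attrCb.addAttributes(attr("userid", userId));
        attrCb.addAttributes(attr("customerid", rec[0]));
        attrCb.addAttributes(attr("role", rec[1]));
    }

    static SAMLAttribute attr(String name, String value) throws SAMLException {
        List<String> values = new ArrayList<String>();
        values.add(value);
        // OpenSAML 1.1 constructor: name, namespace, xsi:type, lifetime, values
        return new SAMLAttribute(name, ATTR_NS, null, -1, values);
    }
}

/** Step 3, service side: once Rampart has verified the signature, assert the identity. */
class SamlIdentityHandler extends AbstractHandler {
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<String>();

    public InvocationResponse invoke(MessageContext msgCtx) throws AxisFault {
        List<?> results = (List<?>) msgCtx.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (results == null) throw new AxisFault("no WS-Security results: Rampart did not run");
        for (Object hr : results) {
            for (Object o : ((WSHandlerResult) hr).getResults()) {
                WSSecurityEngineResult res = (WSSecurityEngineResult) o;
                Integer action = (Integer) res.get(WSSecurityEngineResult.TAG_ACTION);
                // ST_SIGNED marks a SAML assertion whose signature Rampart has checked.
                if (action == null || action.intValue() != WSConstants.ST_SIGNED) continue;
                SAMLAssertion a = (SAMLAssertion) res.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                String userId = attribute(a, "userid");
                if (userId == null) throw new AxisFault("signed assertion carries no userid attribute");
                CURRENT_USER.set(userId); // identity for the remainder of this invocation
                return InvocationResponse.CONTINUE;
            }
        }
        throw new AxisFault("no signed SAML assertion in the request");
    }

    static String attribute(SAMLAssertion a, String name) {
        for (Iterator<?> s = a.getStatements(); s.hasNext();) {
            SAMLStatement st = (SAMLStatement) s.next();
            if (!(st instanceof SAMLAttributeStatement)) continue;
            for (Iterator<?> at = ((SAMLAttributeStatement) st).getAttributes(); at.hasNext();) {
                SAMLAttribute attr = (SAMLAttribute) at.next();
                if (name.equals(attr.getName()) && EndUserAttributeCallbackHandler.ATTR_NS.equals(attr.getNamespace())) {
                    Iterator<?> v = attr.getValues();
                    return v.hasNext() ? String.valueOf(v.next()) : null;
                }
            }
        }
        return null;
    }
}
```

The callback class is registered on the STS's SAMLTokenIssuerConfig (by class name, through its callback-handler setting or the equivalent element of the issuer config XML; the exact setter name is an assumption to verify), and the STS policy must itself require the UsernameToken so that the RST cannot reach the issuer unauthenticated. SamlIdentityHandler has to sit in a phase after Rampart's security phase, and whatever clears CURRENT_USER (for instance an override of flowComplete) must run on every path, otherwise a pooled thread carries one user's identity into the next request.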
