Hi All,
Can someone confirm whether Rampart supports the WSS SAML Token profile (1.1)?
I am using Apache Synapse to proxy a legacy service; I am building a snapshot
of Synapse that is picking up snapshots of Rampart and WSS4J. The proxy is
secured using an asymmetric binding (X.509) with a SAML assertion passed as a
SignedSupportingToken; the SAML assertion's SubjectConfirmationMethod is
sender-vouches. My understanding of the WSS SAML Token profile is that - for
sender-vouches - the attesting party must protect the SOAP message and the SAML
assertion. However, I find that if I do neither of these things the assertion
is still happily 'validated' by the proxy.
I'm fairly new to Rampart (although I have a good understanding of standards
and their implementation in Metro) so I may be missing something obvious. Also
I may be muddying the water a little through the use of Synapse. However, looking
at WSS4J I note that it states explicit support for the Username and X.509 token
profiles without mentioning SAML.
If anyone can definitively state Rampart's (and WSS4J's) support for the SAML
Token profile that would be a great help.
thanks,
Graeme
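
The sender-vouches requirement described in the question, as an added example that is not part of the original post and is not Rampart or WSS4J code: a structural check that the attesting party's signature in the wsse:Security header references both the SOAP Body and the sender-vouches assertion. It assumes SAML 1.1 assertions and ID-based ds:Reference URIs, does not verify the signature cryptographically, and all function names and the sample message are hypothetical.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
WSU_ID = "{%s}Id" % WSU
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample message (assumption, not taken from the original post).
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:ds="{ds}" xmlns:saml="{saml}" xmlns:wsu="{wsu}">
 <soap:Header><wsse:Security>
  <saml:Assertion AssertionID="a1"><saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>
   <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
  </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
  <wsse:SecurityTokenReference wsu:Id="str1"><wsse:KeyIdentifier>a1</wsse:KeyIdentifier></wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body1"/>
</soap:Envelope>"""

def sample(ids):
    """Build the constructed message with one ds:Reference per given ID."""
    refs = "".join('<ds:Reference URI="#%s"/>' % i for i in ids)
    return SAMPLE.format(wsu=WSU, refs=refs, **NS)

def sender_vouches_gaps(envelope_xml):
    """List what the attesting party's signature fails to cover."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    # Only signatures that are direct children of the Security header count;
    # an issuer signature enveloped inside the assertion is not the sender's.
    uris = [r.get("URI", "") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    signed = {u[1:] for u in uris if u.startswith("#")}
    # A signed SecurityTokenReference covers the assertion its KeyIdentifier names.
    for ref in sec.findall("wsse:SecurityTokenReference", NS):
        key_id = ref.find("wsse:KeyIdentifier", NS)
        if ref.get(WSU_ID) in signed and key_id is not None:
            signed.add((key_id.text or "").strip())
    gaps = []
    body = root.find("soap:Body", NS)
    if body is None or body.get(WSU_ID) not in signed:
        gaps.append("soap:Body not signed")
    for a in sec.findall("saml:Assertion", NS):
        methods = {m.text.strip() for m in a.iter("{%s}ConfirmationMethod" % NS["saml"]) if m.text}
        if SENDER_VOUCHES in methods and a.get("AssertionID") not in signed:
            gaps.append("assertion %s not signed" % a.get("AssertionID"))
    return gaps
```

A message for which this returns a non-empty list matches the situation in the post: a sender-vouches assertion that nothing in the message binds to the sender.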