Hi, Apologies about the delay in my response. Please see below:

On 11/2/07, cmurali <[EMAIL PROTECTED]> wrote:
>
> Hi Ruchith,
>
> I have answers for some of your questions.
>
> 1. The token issuing service from which I am obtaining the SAML token is a
> standard security token service (STS). But I am yet to receive the STS
> policy from the other group.
>
> 2. Yes, I simply want to include the obtained token in the Security
> header. I do NOT want to encrypt and/or sign the message with a key
> associated with the SAML token.
>
> Here is the scenario given by our other/security group. In this scenario
> the "SAML Token Issuing Service" and "SAML Token Resolver Service" are both
> provided to us by the security group. We are providing the "web service".
> Our web service should do steps 4 and 5 and provide the web service
> function.
>
> 1. Web Service Customer requests a SAML authentication token from the (SAML
> Token Issuing Service) with User-Id/Password over SSL (w/ WS-Security) - I
> guess this is usernametoken with digest password.
>
> 2. SAML Token Issuing Service issues a token or returns an error message.

You can do the above two steps using org.apache.rahas.STSClient and I will
be able to help you when we get hold of the STS policy. Right now we do not
support digest password in the policy implementation. However IMHO when we
use HTTPS we can use a plain text password with UT and this is useful since
most systems do not store the actual password.

> 3. Web Service Consumer calls the web Service passing all necessary
> parameters and the SAML token in the request using WS-Security.

There are a couple of ways to include the obtained SAML token in the
Security header.

- By creating a wsse:Security header element and adding the token element
  into the header. Rampart processing down the line will re-use this
  header.
- In the case where the SAML token is expressed in the service policy as a
  supporting token: using the RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN
  key to set the token id in the options object. (Example: [1])

> 4. Application framework of the "web service" requests token validation
> from the "SAML Token Resolver Service" using WS-Security SAML
> configuration.
>
> 5. "SAML Token Resolver Service" returns a message verifying the token or
> an error message if the token is not valid.

Right now rampart/rahas does not provide ways to do #4 and #5 ... but I'd
like to see whether it is possible to update STSClient to provide those
operations to support your case.

Thanks,
Ruchith

1. http://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/src/org/wso2/wsas/sample/sts/client/Client.java

> Thanks,
> Muralidaran Chakravarthy
>
>
> Ruchith Fernando wrote:
> >
> > Hi,
> >
> > I have a few questions about your scenario:
> >
> > 1.) Are you obtaining the SAML token from a standard security token
> > service (STS)?
> > 1.1) If so, do you have the security policy of that STS?
> >
> > 2.) Do you simply want to include the obtained token in the Security
> > header? Or do you want to encrypt and/or sign the message with a key
> > associated with the SAML token?
> >
> > Thanks,
> > Ruchith
> >
> > On 10/25/07, cmurali <[EMAIL PROTECTED]> wrote:
> >>
> >> Hi,
> >>
> >> I am new to SAML and don't know the complete process flow.
> >>
> >> I downloaded the wso2wsas-2.1-src.zip and found the sts-sample. But the
> >> documentation (Security Service Token Sample Guide) is in terms of the
> >> WSO2 WSAS administration console. Is there any documentation that
> >> explains the sts.policy file, service.policy file and axis2.policy file
> >> and the changes that should go in for configuring for SAML?
> >>
> >> I have already configured synapse to perform usernametoken
> >> authentication and forward SOAP requests to the jboss server. This works
> >> fine. Right now we are mandated to use the "Token issuing service"
> >> provided by another group called the single-sign-on group. So my job,
> >> right now, is to configure my synapse to process the SAML token.
> >> Processing means validating the token, and would I have to communicate
> >> with the token issuing service for validating? If so, is there any hook
> >> like the rampart PWCBHandler class in which I have to handle that?
> >>
> >> Thanks,
> >> Muralidaran Chakravarthy
> >>
> >>
> >> Ruchith Fernando wrote:
> >> >
> >> > Hi,
> >> >
> >> > Can you please have a look at "sts-sample" in WSO2 WSAS [1]. This
> >> > does exactly what you need. The client code is available in the
> >> > sample itself and you can see the code here [2] as well.
> >> >
> >> > Thanks,
> >> > Ruchith
> >> >
> >> > 1. http://dist.wso2.org/products/wsas/java/2.1
> >> > 2. http://wso2.org/repos/wso2/trunk/wsas/java/modules/samples/sts-sample/src/org/wso2/wsas/sample/sts/client/Client.java
> >> >
> >> > On 10/22/07, cmurali <[EMAIL PROTECTED]> wrote:
> >> >>
> >> >> Hi,
> >> >>
> >> >> I am trying to find a complete example to set up synapse/rampart/rahas
> >> >> for mainly processing SAML messages. I am also looking for sample
> >> >> client code for testing both the producer and processor of Security
> >> >> token messages. The scenario is like this.
> >> >>
> >> >> 1. Client contacts the token issuer.
> >> >> 2. STS service gives back the secure token.
> >> >> 3. Client inserts this token into the SOAP security header.
> >> >> 4. Sends this message to the security message processor.
> >> >> 5. Client gets a response back.
> >> >>
> >> >> Thanks,
> >> >> Muralidaran Chakravarthy
> >> >> --
> >> >> View this message in context:
> >> >> http://www.nabble.com/Confugring-rampart-Rahas-for-producing-and-processing-SAML-messages.-tf4670568.html#a13342361
> >> >> Sent from the Synapse - Dev mailing list archive at Nabble.com.
> >> >>
> >> >> ---------------------------------------------------------------------
> >> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >> >
> >> > --
> >> > www.ruchith.org
> >> > www.wso2.org
> >
> > --
> > www.ruchith.org
> > www.wso2.org

--
http://blog.ruchith.org
http://wso2.org
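The client side of the scenario discussed in this thread, as an added example that is not code from the thread or from the WSO2 sts-sample it links to. It covers steps 1 to 3: an RST/Issue to the STS through Rahas' STSClient (the thread names it org.apache.rahas.STSClient; in the Rampart 1.3-era source it lives in org.apache.rahas.client, which is what is assumed here), then attaching the returned SAML token to the outgoing Security header in both of the ways Ruchith lists: through RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN when the service policy declares the token as a supporting token, or by building the wsse:Security header by hand. Assumptions: the Rahas/Rampart/Axiom calls used (STSClient, TrustUtil, TokenStorage, RahasConstants.KEY_TYPE_BEARER, ServiceClient.addHeader) as they existed around Rampart 1.3; the endpoint URLs, repository path, policy file paths, WS-Addressing action and payload namespace are placeholders.

```java
// Added example: Rahas STSClient to obtain a SAML token, then two ways of
// putting it into the outgoing wsse:Security header. Not from the thread or
// from the WSO2 sts-sample. URLs, paths and the payload are placeholders.
package example;

import java.io.FileInputStream;
import javax.xml.namespace.QName;

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.Token;
import org.apache.rahas.TokenStorage;
import org.apache.rahas.TrustUtil;
import org.apache.rahas.client.STSClient;   // assumed package (Rampart 1.3 era)
import org.apache.rampart.RampartMessageData;
import org.apache.ws.security.WSConstants;

public class SamlTokenClient {

    // Placeholders: STS and service endpoints, an Axis2 repository that holds
    // the rampart and addressing modules, and the two client-side policies.
    private static final String STS_EPR        = "https://sts.example.org/services/STS";
    private static final String SERVICE_EPR    = "https://ws.example.org/services/Orders";
    private static final String REPO           = "/opt/axis2/repository";
    private static final String STS_POLICY     = "/etc/client/sts.policy";
    private static final String SERVICE_POLICY = "/etc/client/service.policy";

    private static final String SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";

    public static void main(String[] args) throws Exception {
        ConfigurationContext ctx =
            ConfigurationContextFactory.createConfigurationContextFromFileSystem(REPO, null);
        Policy stsPolicy     = PolicyEngine.getPolicy(new FileInputStream(STS_POLICY));
        Policy servicePolicy = PolicyEngine.getPolicy(new FileInputStream(SERVICE_POLICY));

        // Steps 1 and 2: RST/Issue to the STS. The UsernameToken over HTTPS
        // discussed in the thread is driven by sts.policy and its RampartConfig
        // (user + passwordCallbackClass), not by anything in this method.
        STSClient sts = new STSClient(ctx);
        sts.setRstTemplate(samlBearerTemplate());
        sts.setAction(TrustUtil.getActionValue(RahasConstants.VERSION_05_02,
                                               RahasConstants.RST_ACTION_ISSUE));
        Token token = sts.requestSecurityToken(servicePolicy, STS_EPR, stsPolicy, SERVICE_EPR);

        ServiceClient client = new ServiceClient(ctx, null);
        client.engageModule("addressing");
        client.engageModule("rampart");
        Options opts = client.getOptions();
        opts.setTo(new EndpointReference(SERVICE_EPR));
        opts.setAction("urn:placeOrder");   // placeholder WS-Addressing action
        opts.setProperty(RampartMessageData.KEY_RAMPART_POLICY, servicePolicy);

        // Step 3, second way from the thread: the service policy declares the
        // SAML token as a supporting token, so Rampart fetches it from the
        // token store by the id we hand it in the options.
        attachViaRampart(ctx, opts, token);

        // Step 3, first way from the thread, for a policy without an
        // IssuedToken assertion: build wsse:Security ourselves; Rampart reuses
        // an existing header instead of adding a second one.
        // attachByHand(client, token);

        OMElement response = client.sendReceive(buildPayload());
        System.out.println(response);
    }

    /** RST template: a SAML 1.1 assertion with no proof key (Bearer), since the
     *  thread only needs to carry the token, not sign or encrypt with it. */
    static OMElement samlBearerTemplate() {
        OMFactory fac = OMAbstractFactory.getOMFactory();
        OMElement rst = fac.createOMElement(
            new QName(SP_NS, "RequestSecurityTokenTemplate", "sp"));
        TrustUtil.createTokenTypeElement(RahasConstants.VERSION_05_02, rst)
                 .setText(RahasConstants.TOK_TYPE_SAML_10);
        TrustUtil.createKeyTypeElement(RahasConstants.VERSION_05_02, rst,
                                       RahasConstants.KEY_TYPE_BEARER);   // assumed constant
        return rst;
    }

    static void attachViaRampart(ConfigurationContext ctx, Options opts, Token token)
            throws Exception {
        TokenStorage store = TrustUtil.getTokenStore(ctx);
        store.add(token);
        opts.setProperty(RampartMessageData.KEY_CUSTOM_ISSUED_TOKEN, token.getId());
    }

    static void attachByHand(ServiceClient client, Token token) throws Exception {
        OMNamespace wsse = OMAbstractFactory.getOMFactory()
            .createOMNamespace(WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX);
        SOAPHeaderBlock security = OMAbstractFactory.getSOAP11Factory()
            .createSOAPHeaderBlock(WSConstants.WSSE_LN, wsse);
        security.setMustUnderstand(true);
        // Clone: the assertion element is still attached to the RSTR it arrived in.
        security.addChild(token.getToken().cloneOMElement());
        client.addHeader(security);
    }

    /** Constructed placeholder payload for the service call. */
    static OMElement buildPayload() {
        OMFactory fac = OMAbstractFactory.getOMFactory();
        OMNamespace ns = fac.createOMNamespace("http://example.org/orders", "o");
        OMElement req = fac.createOMElement("placeOrder", ns);
        OMElement sku = fac.createOMElement("sku", ns);
        sku.setText("ABC-123");
        req.addChild(sku);
        return req;
    }
}
```

Two points a practitioner should keep in mind with either attachment route. First, as Ruchith notes, Rampart/Rahas of that version does not perform steps 4 and 5 for you: whatever validates the assertion on the service side (issuer signature, Conditions window, audience) has to be wired in separately. Second, because the message is neither signed nor encrypted with a key bound to the token, the assertion travels as a bare bearer credential; anyone who captures the SOAP body can replay it until it expires, so the HTTPS leg is doing all the work and the assertion lifetime should be kept short.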
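For the second attachment route Ruchith describes (token expressed in the service policy as a supporting token), the service policy has to carry an IssuedToken assertion. The fragment below is an added, illustrative service.policy shape and not a file from the thread or from WSAS: a transport binding (HTTPS, no message-level signing or encryption, matching cmurali's requirement) with the SAML 1.1 bearer token declared under sp:SupportingTokens. The STS address, the wsu:Id and the exact assertion set Rampart 1.3 accepts around IssuedToken are assumptions to check against your Rampart version.

```xml
<!-- Added illustrative service.policy fragment; not from the thread or WSAS.
     Placeholders: the wsu:Id and the STS address in sp:Issuer. -->
<wsp:Policy wsu:Id="SamlSupportingTokenPolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- HTTPS carries the message; nothing is signed or encrypted at the
           message level, which is what the thread asks for. -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy><sp:Basic256/></wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy><sp:Lax/></wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- The SAML token obtained from the STS, carried as a supporting token.
           The template mirrors what the client sends in its RST/Issue. -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <sp:Issuer>
              <wsa:Address>https://sts.example.org/services/STS</wsa:Address>
            </sp:Issuer>
            <sp:RequestSecurityTokenTemplate>
              <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
              <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/Bearer</t:KeyType>
            </sp:RequestSecurityTokenTemplate>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

The same policy is what the client loads as its service policy and passes to STSClient.requestSecurityToken, so the token the STS issues matches what the service expects; the STS's own policy (sts.policy, still pending from the other group in this thread) is a separate document that governs the UsernameToken exchange with the issuer.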
