Sorry, getting to this topic a bit late - I was on vacation when the original mail was sent around.
Apache CXF supports claims for both JAX-WS and JAX-RS web services. Essentially what we are talking about is embedding claims about a user in a token of some kind that is sent to a web service endpoint (SAML for JAX-WS, both SAML and JWT for JAX-RS). The token is authenticated via a public key signature, and the endpoint parses the claims and sets up a security context containing the claims. The service implementation can retrieve the security context and parse the claims itself, or it could use the annotation-based approach to requiring claims, as documented here: http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-ClaimsBasedAccessControl

A typical scenario for a JAX-WS endpoint is for the WSDL of the endpoint to request a SAML Token containing a number of claims. The client then goes to a Security Token Service and requests a token containing the given claims. The endpoint then checks (automatically) that the token contains the required claims to access the service. Here is some documentation on how the CXF STS handles this: http://coheigea.blogspot.ie/2012/06/transforming-claims-and-tokens-in-cxf.html

Hope this helps,

Colm.

On Wed, Oct 28, 2015 at 1:09 PM, <[email protected]> wrote:
> Kiran, Pierre, Stefan and Sergey - thanks for your helpful input!!
>
> -----Original Message-----
> From: Kiran Ayyagari [mailto:[email protected]]
> Sent: Tuesday, October 27, 2015 10:43 PM
> To: [email protected]
> Subject: Re: Claims based authentication with ApacheDS
>
> Hi Carlo,
>
> On Tue, Oct 27, 2015 at 11:16 PM, <[email protected]> wrote:
>
> > Hi,
> >
> > We're starting to hear our customers ask for 'claims based authentication'
> > with our product which back end with ApacheDS.
> >
> the claims can come in many formats, SAML and JWT being two well known structures
>
> > I've researched it a bit and it's clearly beyond the goals of an LDAP server.
> >
> yes, indeed
>
> > My question is, are any of you trying to implement something like this?
> > If so, what is the stack you're using?
> >
> in web-SSO environments the Identity Provider (a.k.a. IdP) can do this task of authenticating users based on the tokens, and for this to work a trust relationship needs to be established between the client app and the IdP
>
> > What are challenges, benefits, risks?
> >
> challenges:
> 1. need to deal with more than one token format (SAML, JWT etc)
> 2. managing the certificates, though the majority of these are self-signed (no _need_ for CA signed certs), they still need to be managed
>
> benefits: more ways to authenticate than simple username and password combo
>
> I don't see any risks with this approach other than a bit of complexity in implementing
>
> > Thanks,
> >
> > Carlo Accorsi
>
> --
> Kiran Ayyagari
> http://keydap.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
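The flow Colm describes (an issuer signs a token carrying claims, the endpoint verifies the signature with the issuer's public key, parses the claims into a security context, and then enforces the claims the service declares it requires) as an added example in Go. It is not part of this thread and not CXF's or the CXF STS's own code; the JWT-style RS256 layout, the issuer URL, and the `sub`/`iss`/`exp`/`roles` claim names are assumptions chosen for the illustration, and the key pair is generated on the fly rather than loaded from a managed certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the constructed set of claims the token carries. The names are
// assumptions for this example, not a CXF or STS claim schema.
type Claims struct {
	Subject string   `json:"sub"`
	Issuer  string   `json:"iss"`
	Expiry  int64    `json:"exp"`
	Roles   []string `json:"roles"`
}

// SecurityContext is what the endpoint builds once the token has been verified;
// the service implementation reads claims from here, never from the raw token.
type SecurityContext struct {
	Principal string
	Claims    Claims
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken plays the STS role: serialise the claims and sign them with the
// issuer's private key, producing header.payload.signature (RS256).
func IssueToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken plays the endpoint role. The algorithm is pinned and the signature
// checked before any claim is read; issuer and expiry are checked next; only then
// is a security context built from the claims.
func VerifyToken(pub *rsa.PublicKey, trustedIssuer, token string, now time.Time) (*SecurityContext, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Issuer != trustedIssuer {
		return nil, errors.New("token issued by an untrusted issuer")
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token expired")
	}
	return &SecurityContext{Principal: c.Subject, Claims: c}, nil
}

// RequireRole is the declarative check that an annotation-style claims rule
// performs: the service names the claim value it needs and the request is
// rejected before the method body runs if the context lacks it.
func RequireRole(ctx *SecurityContext, role string) bool {
	for _, r := range ctx.Claims.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := IssueToken(priv, Claims{Subject: "carlo", Issuer: "https://sts.example.test",
		Expiry: now.Add(5 * time.Minute).Unix(), Roles: []string{"user"}})
	ctx, err := VerifyToken(&priv.PublicKey, "https://sts.example.test", tok, now)
	fmt.Println(err == nil && RequireRole(ctx, "user"), err == nil && RequireRole(ctx, "admin"))
}
```

The endpoint trusts the public key it was configured with, not anything inside the token, which is the trust relationship Kiran mentions between the client app and the IdP; pinning the algorithm and checking the signature before reading a single claim is what keeps that trust meaningful.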
