wss4j handles SAML assertions fairly nicely. Make sure you can send signed messages using wss4j first. The SAML examples in wss4j show how to set the appropriate handlers and such.

The only catch that I've found on the server side is that for holder-of-key, wss4j does not check to make sure the message signing key matches the client key embedded in the SAML assertion. You'll have to extract the assertion from the message context and compare yourself. This may have changed since we're using a really old version of wss4j.

For creating your own assertions, look at the OpenSAML libraries. To use your own assertions, you can override loadSamlIssuer in WSDoAllSender. In our setup, we have a separate web service in the local trust domain that authenticates using UsernameToken and has a call to issue assertions to a client given the client's cert. The assertion is used to connect to any services that can't directly authenticate.

-Mike
 sorry if it's a little incoherent, it's Friday ;)
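The holder-of-key comparison described above, as an added example that is not part of the original post and not wss4j or OpenSAML code. It works on the assertion's DOM element rather than on a particular wss4j or OpenSAML object model, so it does not depend on the library version: the caller is assumed to have already let wss4j verify the message signature and the assertion's own signature, and to pass in (a) the public key of the certificate that verified the message signature and (b) the assertion element, both pulled out of the wss4j results on the message context (in wss4j 1.x releases these sit under the per-action `WSSecurityEngineResult` entries of the `RECV_RESULTS` list; the exact accessor for the assertion element varies by version, so that lookup is left to the caller). The class name `HolderOfKeyCheck` and the SAML 2.0 assertion built in `main` are constructed for the example; `main` generates the confirmed RSA key at run time so no certificate fixture is needed. The check accepts only holder-of-key assertions whose `ds:KeyInfo` names the signer's key by `ds:X509Certificate` or `ds:RSAKeyValue`; a bearer assertion, a key reference it does not understand (e.g. a `wsse:SecurityTokenReference` or a bare `ds:KeyName`), or a mismatching key all yield `false`, which the caller must treat as a rejected message.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (not wss4j/OpenSAML code): does the message signer hold the key the assertion confirms? */
public final class HolderOfKeyCheck {
    private static final String SAML1_HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    private static final String SAML2_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";

    // True only if the assertion is holder-of-key AND one of the keys it confirms is the key that
    // verified the message signature. Bearer assertions, missing key material and mismatches give false.
    public static boolean signerMatchesConfirmedKey(Element assertion, PublicKey signerKey) throws Exception {
        for (Element sc : byLocalName(assertion, "SubjectConfirmation")) {
            if (!isHolderOfKey(sc)) continue;
            for (PublicKey confirmed : confirmedKeys(sc)) {
                if (Arrays.equals(confirmed.getEncoded(), signerKey.getEncoded())) return true;
            }
        }
        return false;
    }

    // SAML 2.0 carries the method in the Method attribute, SAML 1.1 in a <ConfirmationMethod> child.
    static boolean isHolderOfKey(Element sc) {
        String method = sc.getAttribute("Method");
        for (Element cm : byLocalName(sc, "ConfirmationMethod")) method = cm.getTextContent().trim();
        return SAML1_HOK.equals(method) || SAML2_HOK.equals(method);
    }

    // Keys named under this SubjectConfirmation's ds:KeyInfo (ds:X509Certificate or ds:RSAKeyValue).
    // Searching below the SubjectConfirmation, not the whole assertion, keeps the assertion's own
    // ds:Signature/KeyInfo (the issuer's key) out of the comparison.
    static List<PublicKey> confirmedKeys(Element sc) throws Exception {
        List<PublicKey> keys = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Element c : byLocalName(sc, "X509Certificate")) {
            byte[] der = Base64.getMimeDecoder().decode(c.getTextContent());
            keys.add(((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der))).getPublicKey());
        }
        for (Element kv : byLocalName(sc, "RSAKeyValue")) {
            List<Element> mod = byLocalName(kv, "Modulus"), exp = byLocalName(kv, "Exponent");
            if (mod.isEmpty() || exp.isEmpty()) continue;
            RSAPublicKeySpec spec = new RSAPublicKeySpec(cryptoBinary(mod.get(0)), cryptoBinary(exp.get(0)));
            keys.add(KeyFactory.getInstance("RSA").generatePublic(spec));
        }
        return keys;
    }

    // ds:CryptoBinary is base64 of an unsigned big-endian integer.
    static BigInteger cryptoBinary(Element e) {
        return new BigInteger(1, Base64.getMimeDecoder().decode(e.getTextContent()));
    }

    // Descendant search by local name, ignoring namespace, so SAML 1.1 and 2.0 assertions both work.
    static List<Element> byLocalName(Element root, String localName) {
        List<Element> out = new ArrayList<>();
        NodeList nl = root.getElementsByTagNameNS("*", localName);
        for (int i = 0; i < nl.getLength(); i++) out.add((Element) nl.item(i));
        return out;
    }

    // Demo on a constructed SAML 2.0 assertion (no signature: wss4j has already verified it by now).
    public static void main(String[] args) throws Exception {
        KeyPair client = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        KeyPair other = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Element hok = parse(assertion(SAML2_HOK, (RSAPublicKey) client.getPublic()));
        Element bearer = parse(assertion("urn:oasis:names:tc:SAML:2.0:cm:bearer", (RSAPublicKey) client.getPublic()));
        System.out.println("HoK, signed by confirmed key: " + signerMatchesConfirmedKey(hok, client.getPublic()));
        System.out.println("HoK, signed by another key:   " + signerMatchesConfirmedKey(hok, other.getPublic()));
        System.out.println("bearer, signed by same key:   " + signerMatchesConfirmedKey(bearer, client.getPublic()));
    }

    // Constructed sample assertion confirming the given RSA key via ds:RSAKeyValue.
    static String assertion(String method, RSAPublicKey key) {
        Base64.Encoder b64 = Base64.getEncoder();
        return "<saml:Assertion xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'"
             + " xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><saml:Subject>"
             + "<saml:SubjectConfirmation Method='" + method + "'><saml:SubjectConfirmationData>"
             + "<ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>"
             + "<ds:Modulus>" + b64.encodeToString(key.getModulus().toByteArray()) + "</ds:Modulus>"
             + "<ds:Exponent>" + b64.encodeToString(key.getPublicExponent().toByteArray()) + "</ds:Exponent>"
             + "</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></saml:SubjectConfirmationData>"
             + "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>";
    }

    // Namespace-aware parse with DOCTYPEs refused, so the sample cannot smuggle in external entities.
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8"))).getDocumentElement();
    }
}
```

Of the three cases `main` prints, only the first (holder-of-key assertion, message signed by the confirmed key) should come back true. Keys are compared on their encoded SubjectPublicKeyInfo form rather than by object equality so that a key recovered from a certificate and one recovered from a `ds:RSAKeyValue` compare equal when they are the same key; if you need to confirm non-RSA keys or `SecurityTokenReference` pointers into the security header, extend `confirmedKeys` rather than relaxing the default-deny result.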

Brian Woo wrote:
Hi guys,

I have built a webservice with UsernameToken built-in and everything works 
fine.  Now, I am starting to look at SAML assertions.

Has any of you built a webservice with SAML support?  I have tried to Google 
that topic but I can't find anything concrete that I can use to build one.  Can 
someone please provide me some instructions?  If I can set one up, I promise to 
publish a step-by-step guide on the wss4j website.

I have heard that I would need Sun's Access Manager to generate SAML 
assertions, is that correct?  Are there any other options?  Is there any 
binding to tie SAML into wss4j?

A lot of questions... thanks very much for your help,

Brian


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

