Hi Michael, The support for SAML in Rampart is rather weak and if you go with SAML, do not expect much help from it. It uses is internally for the more of a special case of WS-SecureConversation SC token. In addition, in Rampart 1.1 there was a way to create a signed and unsigned SAML tokens but you get the token only in the outbound SOAP and you don't have much control over what goes inside (for example SAML attributes).
I'd definetely recommend SAML as the way to go for tokens in an SSO implementation - it is standard, its been around for a while, its proven, it is signed and it is extensible. In addtion, the SAML 2.0 by it self defines a security "language" rivaling WS-Trust so you can just stay with it, though I prefer WS-Trust based exchanges as more standard and supported way to go. Internet2's OpenSAML libraries are the only mature open source SAML libraries that I know of. Version 1.1 supports SAML 1.0 and 1.1 and version 2 supports all SAML standards. OpenSAML2 is still being developed and even though it is stable for most parts it will change somewhat around some of the more peripherical cases (Encryption is one that comes to mind). Though it does have a steeper learning curve, I'd start with OpenSAML2. Good luck with the SSO implementation. Best Regards, George -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 15, 2007 2:36 PM To: [email protected] Subject: Axis2 and SAML Hi, I'm working on a single-sign-on service for our organization's intranet. The idea an application can send a username, and password and application identifier to the service, and the service responds with a list of permissions that the user has for the particular application. Just to get started, I created a service that returns a string from which I can parse out what I need. But I'm wondering if I could gain anything (such as greater interoperability) by using a standard such as SAML to represent a user and his/her permissions. I see that there is a framework for working with SAML: http://www.opensaml.org/ Does this sound reasonable or am I heading in the wrong direction? Will I end up with a schema nightmare if I return a SAML xml document as a service payload? BTW, I plan on writing the client and server by hand, because later I will probably want to add rampart and have more control over headers and stuff. Thanks Michael Davis --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
