Just to clarify -- SAML doesn't define a SOAP header. It defines a standard XML format to represent authentication and authorization security tokens. It also defines various protocols (including a SOAP protocol) for accessing an authentication or authorization authority to obtain a token -- but in this situation, the tokens are passed in the SOAP body (the token is the focus of the application, so it goes in the payload).
WS-Security specifies standard SOAP headers for passing security tokens, including but not limited to SAML. OASIS is defining additional standard XML security tokens, including XCBF (biometric tokens) and XrML (digital rights). Anne ----- Original Message ----- From: "Saurabh Arora" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, June 20, 2003 5:10 AM Subject: Re: Newbie question on Usage and design style > It is important to note the SAML is not a proprietary headers (it is > hosted at Oasis http://xml.coverpages.org/saml.html). > > Coming to your question, it is possible to do that using SAAJ api and > Messaging style service. > only problem would be that you would have to handle the processing of > xml internal (can use JAXB). > > Currenlty, Ws-security is working on the direction of putting SAML > assertion inside > soapheader.(http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss) > > > >>> [EMAIL PROTECTED] 6/20/2003 2:01:12 PM >>> > > We are considering of introducing axis based web services, as an > interop > > solution for the interface into our product. We already have well > > established Authentication and Authorisation services delivered via > CORBA, I > > wanted to utilise the same and introduce a concept of a token for > every > > successful user of our web services (still in the conceptualization > phase). > > This smells like SAML. > > > > > Some sites suggested of introducing SOAP Headers in the WSDL. Does > AXIS > > support this feature of a token in the request header. How do I > access it in > > an end point? Is it too much of a demand on web services? > > If your ultimate goal is interoperability, then you'd better steer > clear > from introducing proprietary headers. > > -- > ________________________________________________________________ > Wilfred Springer Phone : +31 (0)3 3451 5736 > Java Architect Mobile : +31 (0)6 2295 7321 > Sun Java Center Fax : +31 (0)3 3451 5734 > Sun Microsystems Netherlands Mail : [EMAIL PROTECTED] >
