Hi,
I made some progress on this and could confirm that SAML token support
works with OLD WS handlers.
I tried to use a combination of the two, i.e. on the client side use the old WS handler
and on the server side use ws-policy, but unfortunately it did not work.
See the attached file containing the WSS header request with a signed SAML
token. As you can see I am trying to use the sender-vouches correspondence
method. So the client generates this request all okay using the old WS handlers,
but on the server side it fails at org.apache.rampart.RampartEngine at the
following line, where it is trying to find SAMLKeyInfo inside the SAML
subject, which is not valid for "sender-vouches" correspondence:
SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(assertion,
signatureCrypto, tokenCallbackHandler);
So my basic questions still remain -
(1) Are SAML tokens supported in Rampart with ws-policy as they are with the
old WS handlers? [1]
(2) What do I need to do to get ws-policy support for SAML tokens? Do I
need to use Rahas?
I would really appreciate it if someone from the dev team could have a look at this
and respond.
Narayan
[1] http://svn.apache.org/repos/asf/webservices/wss4j/trunk/interop
-----Original Message-----
From: Narayan Dhillon [mailto:[EMAIL PROTECTED]
Sent: 08 May 2008 13:01
To: [email protected]
Subject: [Rampart 1.3] : Does Rampart support SAML token profile with
ws-policy?
Hi devs,
I am trying to run the "Scenario #3 - Sender-Vouches: Signed" in the document
below, and no SAML assertion is being generated in the SOAP request.
http://www.oasis-open.org/committees/download.php/16556/wss-saml2-interop-draft-v4.doc
These samples are shown to be working with WSS4J in the "interop" module;
however, it doesn't use WS-Policy. So my question is: does Rampart support
this with WS-Policy-based handlers?
Also, I am not using Rahas, so is it possible to create SAML tokens
without the Rahas service being set up?
Any help/pointers on this will be highly appreciated.
Regards, Narayan
*****************************************************
This email is issued by a VocaLink group company. It is confidential and
intended for the exclusive use of the addressee only. You should not
disclose its contents to any other person. If you are not the addressee
(or responsible for delivery of the message to the addressee), please
notify the originator immediately by return message and destroy the
original message. The contents of this email will have no contractual
effect unless it is otherwise agreed between a specific VocaLink group
company and the recipient.
The VocaLink group companies include, among others: VocaLink Limited
(Company No 06119048, VAT No. 907 9619 87) which is registered in
England and Wales at registered office Drake House, Homestead Road,
Rickmansworth, WD3 1FX. United Kingdom, Voca Limited (Company no
1023742, VAT No. 907 9619 87) which is registered in England and Wales
at registered office Drake House, Three Rivers Court, Homestead Road,
Rickmansworth, Hertfordshire. WD3 1FX. United Kingdom, LINK Interchange
Network Limited (Company No 3565766, VAT No. 907 9619 87) which is
registered in England and Wales at registered office Arundel House, 1
Liverpool Gardens, Worthing, West Sussex, BN11 1SL and VocaLink Holdings
Limited (Company No 06119036, VAT No. 907 9619 87) which is registered
in England and Wales at registered office Drake House, Homestead Road,
Rickmansworth, WD3 1FX. United Kingdom.
The views and opinions expressed in this email may not reflect those of
any member of the VocaLink group. This message and any attachments have
been scanned for viruses prior to leaving the VocaLink group network;
however, VocaLink does not guarantee the security of this message and
will not be responsible for any damages arising as a result of any virus
being passed on or arising from any alteration of this message by a
third party. The VocaLink group may monitor emails sent to and from the
VocaLink group network.
This message has been checked for all email viruses by MessageLabs.
*************************************************************
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soapenv:mustUnderstand="1">
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:axis2ns1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
AssertionID="_e657a7daba1a7d87fc2f61c4e68dee48"
IssueInstant="2008-05-12T15:41:56.088Z" Issuer="www.example.com"
MajorVersion="1" MinorVersion="1">
<AuthenticationStatement
xmlns:axis2ns2="urn:oasis:names:tc:SAML:1.0:assertion"
AuthenticationInstant="2008-05-12T15:41:56.057Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject xmlns:axis2ns3="urn:oasis:names:tc:SAML:1.0:assertion">
<NameIdentifier
xmlns:axis2ns4="urn:oasis:names:tc:SAML:1.0:assertion"
NameQualifier="www.example.com">uid=joe,ou=people,ou=saml-demo,o=example.com</NameIdentifier>
<SubjectConfirmation
xmlns:axis2ns5="urn:oasis:names:tc:SAML:1.0:assertion">
<ConfirmationMethod
xmlns:axis2ns6="urn:oasis:names:tc:SAML:1.0:assertion">urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
</Assertion>
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRSAMLId-13645178">
<wsse:Reference URI="#_e657a7daba1a7d87fc2f61c4e68dee48"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertion-1.1"
/>
</wsse:SecurityTokenReference>
<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-605423">MIIBYjCCAQygAwIBAgIQIWFO9wjTxZJOxcgGtBqGVTANBgkqhkiG9w0BAQQFADAPMQ0wCwYDVQQDEwRkaW1zMB4XDTAzMDUxMjE2NDExN1oXDTM5MTIzMTIzNTk1OVowDzENMAsGA1UEAxMEZGltczBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDrmZ7T2MFQNwloGughSRoapkmvbtPAwBXt+21bFzqfXJ1SpliN6CCRczIflSQCCCyBZ2j0dA51n/ZDWDizdNenAgMBAAGjRDBCMEAGA1UdAQQ5MDeAEBsIiVESxf6DrjkLYXayxmKhETAPMQ0wCwYDVQQDEwRkaW1zghAhYU73CNPFkk7FyAa0GoZVMA0GCSqGSIb3DQEBBAUAA0EAxSGwjZ/FOScVLlVTxic1FKmPd8WTg1DrJFDWuxMTx6n0Zxn4N8ZxkAl7TNx/JcIlG+dlnyWZ0in3dOEtF0g5mA==</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-6868345">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#STRSAMLId-13645178">
<ds:Transforms>
<ds:Transform
Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</wsse:TransformationParameters>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>ks/hZl7gcyogQ2aBNLo2zOROAJY=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-28653851">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>BXUlPy2d2dRddNKqp6bBw3RpQWI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cnUeeO/VY53HeLS33+LAEbLlweUXTwvnP6NlKKFDLR/HXnCHTvwiIneWV1qssdNbHXJHTh1zdfMIPqVrPFzo9g==</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-9594508">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-11737975">
<wsse:Reference URI="#CertId-605423"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-20357537">
<wsu:Created>2008-05-12T15:41:55.463Z</wsu:Created>
<wsu:Expires>2008-05-12T15:46:55.463Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
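The attached header above, checked the way a receiver of a sender-vouches token needs to check it: this is an added Python example, not Rampart or WSS4J code. It assumes the wsse:Security header is available as a string (the constructed SAMPLE below is a trimmed copy of the quoted header with the certificate, digest and signature values omitted) and checks only structure: that the assertion is covered by the message signature, via the STR-Transform reference, and that the signing key is the vouching party's own X.509 token rather than a key inside the SAML Subject; verifying the signature bytes themselves is out of scope.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the quoted header (WSS 1.0 secext/utility, SAML 1.0, XML-DSig).
NS = {"wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
WSU_ID = f"{{{NS['wsu']}}}Id"

def check_sender_vouches(security_xml: str) -> dict:
    """Structural checks a receiver must make on a sender-vouches SAML 1.1 token
    before trusting it (verifying the signature bytes themselves is out of scope)."""
    root = ET.fromstring(security_xml)
    assertion = root.find("saml:Assertion", NS)
    sig = root.find("ds:Signature", NS)
    if assertion is None or sig is None:
        return {"ok": False, "reason": "missing SAML assertion or ds:Signature"}
    aid = assertion.get("AssertionID")
    cm = assertion.find(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
    method = cm.text.strip() if cm is not None and cm.text else None
    # Holder-of-key carries a ds:KeyInfo in the Subject; sender-vouches never does, so do not require one.
    subject_has_key = assertion.find(".//saml:SubjectConfirmation/ds:KeyInfo", NS) is not None
    # Map each STR wsu:Id to its target so a ds:Reference to the STR (STR-Transform) resolves to the assertion.
    str_targets = {s.get(WSU_ID): s.find("wsse:Reference", NS).get("URI", "").lstrip("#")
                   for s in root.iter(f"{{{NS['wsse']}}}SecurityTokenReference")
                   if s.get(WSU_ID) and s.find("wsse:Reference", NS) is not None}
    signed = [r.get("URI", "").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    covered = any(u == aid or str_targets.get(u) == aid for u in signed)
    kref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    signer = kref.get("URI", "").lstrip("#") if kref is not None else None
    bst_ids = {b.get(WSU_ID) for b in root.findall("wsse:BinarySecurityToken", NS)}
    ok = method == SENDER_VOUCHES and covered and signer in bst_ids  # signer must be the voucher's X.509 token
    return {"ok": ok, "method": method, "assertion_signed": covered,
            "signer_token": signer, "subject_has_keyinfo": subject_has_key}

# Constructed sample: the quoted header with certificate, digests, signature value and duplicate xmlns declarations removed.
SAMPLE = """<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">
<Assertion xmlns="%s" AssertionID="_e657a7daba1a7d87fc2f61c4e68dee48" Issuer="www.example.com">
 <AuthenticationStatement><Subject><NameIdentifier>uid=joe,ou=people</NameIdentifier>
  <SubjectConfirmation><ConfirmationMethod>%s</ConfirmationMethod></SubjectConfirmation>
 </Subject></AuthenticationStatement></Assertion>
<wsse:SecurityTokenReference wsu:Id="STRSAMLId-13645178">
 <wsse:Reference URI="#_e657a7daba1a7d87fc2f61c4e68dee48"/></wsse:SecurityTokenReference>
<wsse:BinarySecurityToken wsu:Id="CertId-605423">CERT-BASE64-OMITTED</wsse:BinarySecurityToken>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#STRSAMLId-13645178"/>
 <ds:Reference URI="#id-28653851"/></ds:SignedInfo><ds:SignatureValue>OMITTED</ds:SignatureValue>
 <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STRId-11737975">
  <wsse:Reference URI="#CertId-605423"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security>""" % (NS["wsse"], NS["wsu"], NS["ds"], NS["saml"], SENDER_VOUCHES)
```

Running `check_sender_vouches(SAMPLE)` on the quoted header reports the assertion as signed via the STR and the signer as CertId-605423, which is exactly the case a receiver should accept without looking for key material in the Subject.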