Bonsoir Jérôme >>> I have to say that I don't understand exactly what you mean. I know SAML but not very well and I honestly did not had time to look carefully to WS-Trust yet. >>> WS-Trust and SAML gives you so many options for authentication and security token transformation. So it really depends on the requirements you have like: - Is it secure enough for users to authenticate using username/password? Or does each user require a certificate? Is it required that the security token attached to the web servcie requests is protected against a man-in-the-middle attack which grabs this token and sends requests on behalf of the other user. Sometimes, it's enough to use HTTPS but in some cases, the service provider wants to proof whether the caller is in the possession of a key which is only known to him (and not to the "man-in-the-middle"). Then, you require SAML Holder-Of-Key (HOK) subject confirmation. - what are the requirements for the communication between the gateway and the target services? Of course, you can't just delegate the SAML HOK token because the intermediary is not in the possession of the secret.
>>> Do you have any documentation that I could use to understand properly your explanation? (if the documentation uses CXF it's even better ;-)). >>> CXF 2.4 will have a lot of new functionality with respect to improved support for SAML and WS-Trust. I'm currently working within a project where we want to solve similar security challenges where it is a requirement that the target service knows the original user. >>> Concerning the STS, should I create one? >>> I'm looking into OpenAM (successor of Sun's OpenSSO) right now. Thanks Oli ________________________________________ Von: Jérôme Revillard [[email protected]] Gesendet: Donnerstag, 7. April 2011 21:19 An: Oliver Wulff Cc: [email protected]; [email protected] Betreff: Re: AW: User credential delegation Bonjour Olivier, Le 07/04/2011 20:53, Oliver Wulff a écrit : > Salut Jérôme > > As I understand your scenario, globus is acting as an intermediary where the > http(s) connection is terminated. Globus does some processing with the > message and must call other services on behalf of the original user which > triggered the call. Am I right? Yes. In fact this is not Globus that needs to call other services on behalf of the original user but one service that was developed with the Globus toolkit framework and that I'm migrating to Apache CXF. But that's basically the same. > If yes, WS-Trust addresses this use case. The intermediary (Globus) can get > issued a security token from the stst on behalf of the original caller. This > means that you could use SAML HOK between the original application and the > intermediary and SAML Bearer (including the original user id) to the target > services. > > Does this make sense to you? I have to say that I don't understand exactly what you mean. I know SAML but not very well and I honestly did not had time to look carefully to WS-Trust yet. Do you have any documentation that I could use to understand properly your explanation? (if the documentation uses CXF it's even better ;-)). Concerning the STS, should I create one? Thanks for your help, Best, Jerome > Thanks > Oli > > ________________________________________ > Von: Daniel Kulp [[email protected]] > Gesendet: Donnerstag, 7. April 2011 19:15 > An: [email protected] > Cc: Jérôme Revillard; [email protected] > Betreff: Re: User credential delegation > > On Monday 04 April 2011 3:29:21 AM Jérôme Revillard wrote: >> Hi Colm, all, >> >> In our platform, the user needs to follow a specific >> authentication.authorization process in order to be able to access all >> the other resources. This process is handle by a specific authentication >> services. It's a bit complex because it needs to talk to many other >> services on behalf of the user identity. So that mean that this service >> needs to have access to the user private/public certificate (a proxy >> certificate with a limited lifetime). >> >> To do so, in our previous implementation, we uses the java Globus >> toolkit: >> http://lists.globus.org/pipermail/gt-user/2011-January/009645.html. I just >> realized that this delegation was part of the >> WS-SecureConversation protocol inside globus. Do you know if I can do >> the same thing with CXF? > You "likely can", but it will likely require a bit of work and I really don't > know enough about how the Globus stuff did it to make suggestions. > > Most likely with WS-SecConv, the first request would include the client certs > that would be required for the authentication. The conversation token would > be generated and returned to the client and used from there. NORMALLY, we > just discard the certs and such from the first request as it's not needed > anymore. However, you could write an intereceptor that would record that > information for use later. Subsequent requests could grab that infromation > associated with the conversation token and use that for auth decisions and > such. > > Dan > > >> Best, >> Jerome >> >> Le 01/04/2011 18:01, Colm O hEigeartaigh a écrit : >>> Hi Jerome, >>> >>> Could you explain in more detail what your use-case entails? >>> >>> Colm. >>> >>> On Fri, Apr 1, 2011 at 4:53 PM, Jérôme Revillard <[email protected]> > wrote: >>>> Dear all, >>>> >>>> Is there a way with CXF to do credential delegation (get the user >>>> private key server side)? Can WS-Trust help for this? >>>> >>>> Best, >>>> Jerome >>>> >>>> -- >>>> ===================================================== >>>> Dr Jérôme Revillard >>>> CTO MAAT France >>>> www.maatg.com >>>> ===================================================== > -- > Daniel Kulp > [email protected] > http://dankulp.com/blog > Talend - http://www.talend.com -- ===================================================== Dr Jérôme Revillard CTO MAAT France www.maatg.com Immeuble Alliance Entree A, 74160 Archamps (France) Mob. 0034 607 700 106 Tel. 0033 450 439 602 Fax. 0033 450 439 601 =====================================================
