Securing Web Service Call using OpenSAML


Gina Choi

Mar 1, 2012, 1:34:55 PM
to d...@shibboleth.net

Hi All,

I sent the following email to the OpenSAML user group that I joined last year, but it was returned. I still didn't figure out the relationship between Shibboleth and OpenSAML, but the important thing is that I am using OpenSAML to implement Single Sign-On for a web application.

I have implemented Single Sign-On using the OpenSAML library (SAML 2.0) for a web application 'A' which is written in Java. I used the SP-initiated Redirect and POST bindings. When I implemented SSO last year, I received a lot of help from this user group. I really appreciate that. Now I need to make a web service call to another web application 'B' which is written in .NET. I have a Relying Party set up in ADFS for both 'A' and 'B'. I try to get an assertion token for a user from Relying Party 'B' and pass it to web application 'B' when I make a web service call. Is this the right approach? If yes, how do I get an assertion token for Relying Party 'B' on behalf of a user in web application 'A' (this is an active profile)? Is this Identity Delegation? I am trying to use the OpenSAML library to secure the web service call. How should I approach this?

Thanks in advance.

Gina Choi

Cantor, Scott

Mar 1, 2012, 5:01:04 PM
to Shib Dev
> I have Relying Party set
> up in ADFS for both 'A' and 'B'. I try to get an assertion token for a user from
> Relying Party 'B' and pass it to web application 'B' when I make a web service
> call. Is this right approach?

It is an approach. If you decide how you expect to acquire the token, what has to be in it, and have something willing to issue such a token. There are no specs accepted by large numbers of people for any of that.

This is all really not a topic for this list, unfortunately.

> If yes, how do I get assertion token for Relying
> party 'B' on behalf a user in web application 'A'(this is active profile)? Is this
> Identity Delegation?

Sometimes.

> I try to use OpenSAML library to secure web service call.
> How should I approach this?

I don't have a mailing list to suggest, and really I don't think there is one. There is no good guidance I know of for building web services with the user's identity in the security model, except for using passwords or certs. The best I can suggest is that you focus on what MS requires in their toolkits and let that drive what you have to do.

If there's anybody on the list that has used the toolkit to do this sort of thing, maybe they can point you at examples. But those examples are not going to be generically a solution for any particular case, let alone work with .NET/WCF tooling necessarily.

-- Scott
