.NET Forum / ASP.NET / Web Services / January 2006

Service to support multiple security tokens?

Niels Flensted-Jensen - 25 Jan 2006 11:51 GMT
I would like to build a service that would use a policy like the one
illustrated below.  An example is a Security Token Service, STS, that will
"transform" any one of a range of different identity tokens into a SAML token.

<myPolicy>
  <OneOf>
     <kerberosSecurity ... />
     <usernameForCertificateSecurity ... />
     <mutualCertificate10 ... />
     ....
  </OneOf>
</myPolicy>

Is there a way to do this - or is it like I expect, that I must roll my own
assertion that will handle the check for either one of the allowed incoming
tokens?

Thanks,

Niels
Pablo Cibraro - 25 Jan 2006 13:20 GMT
Hi Niels,
None of the turn-key scenarios provided by WSE support this.
You can develop a custom security assertion to support this scenario but
remember something, WSE only supports a client credential per actor.
If you are interested, there is a SAML implementation for WSE 3.0 in the
following GDN workspace:

http://practices.gotdotnet.com/projects/saml

Regards,
Pablo Cibraro.
http://weblogs.asp.net/cibrax
http://www.lagash.com
Niels Flensted-Jensen - 25 Jan 2006 13:57 GMT
Hi Pablo,

Your SAML STS is exactly why I'm asking.

But allow me to expose my ignorance towards, aehh, WS-Addressing(?): Actor
and Action? Is the Actor the equivalent of the ASMX WebService and the
Action is the WebMethod?

And are you saying that WSE supports (per Actor) only one token at a time,
or one token type at any time?  I can live with the first but the latter I
will have to fix.

Thanks,

Niels
Pablo Cibraro - 26 Jan 2006 13:57 GMT
Hi Niels,
A SOAP envelope can contain one or more security headers, but each security
header must have an actor. Usually, the SOAP envelope contains one security
header with the default actor "".
The idea behind the actor in the security header is the following:

1. If you send an envelope with N security headers, each one must have a
security actor.
2. You must have N security filters in the service to process those headers.
One filter per actor, and each filter is responsible for processing its security
header.

If you take a look at the Credentials class in WSE, it is a collection and
accepts an actor as parameter to return the Client and Service credentials.

I am saying that each security header can only contain two tokens, a token
for the client credentials and a token for the service credentials. It
doesn't have anything to do with the token types.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
http://www.lagash.com
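The per-actor model Pablo describes, together with the "OneOf" token choice from the original question, as an added example that is not part of the thread or of WSE: a small Python validator that maps each wsse:Security header to its soap:actor and checks the tokens in each header. The envelope, the actor URI and the accepted token set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Token element names the STS is willing to accept: the "OneOf" choice from
# the original question (assumed set; Kerberos and X.509 both arrive as
# BinarySecurityToken and are told apart by ValueType, which is not checked here).
ACCEPTED = {f"{{{WSSE}}}UsernameToken", f"{{{WSSE}}}BinarySecurityToken",
            f"{{{SAML}}}Assertion"}

def headers_by_actor(envelope_xml):
    """Map each wsse:Security header to its soap:actor ("" = default actor).

    Raises if two headers claim the same actor: each header belongs to exactly
    one actor so that one filter per actor can process it.
    """
    root = ET.fromstring(envelope_xml)
    found = {}
    for sec in root.iterfind(f"{{{SOAP}}}Header/{{{WSSE}}}Security"):
        actor = sec.get(f"{{{SOAP}}}actor", "")
        if actor in found:
            raise ValueError(f"two security headers for actor {actor!r}")
        found[actor] = [child.tag for child in sec]
    return found

def check_tokens(tags):
    """Validate one header's child elements against the per-actor rules."""
    tokens = [t for t in tags if t.endswith("Token") or t.endswith("Assertion")]
    if not tokens:
        return False, "no security token"
    if len(tokens) > 2:  # at most a client credential and a service credential
        return False, "more than two tokens in one header"
    bad = [t for t in tokens if t not in ACCEPTED]
    if bad:
        return False, f"unsupported token type {bad[0]}"
    return True, "ok"

# Constructed sample: default-actor header plus one for an intermediary.
ENVELOPE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
 <s:Header>
  <wsse:Security><wsse:UsernameToken/><ds:Signature/></wsse:Security>
  <wsse:Security s:actor="urn:example:gateway">
   <wsse:BinarySecurityToken/></wsse:Security>
 </s:Header><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    for actor, tags in headers_by_actor(ENVELOPE).items():
        print(repr(actor), check_tokens(tags))
```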
Niels Flensted-Jensen - 26 Jan 2006 15:16 GMT
Hi Pablo,

Thanks.  Will just have to do a little studying before asking more questions ;-)

And for my original question on an STS accepting any one of a range of
tokens, I think the WSE 3.0 sample (%ProgramFiles%\Microsoft
WSE\v3.0\Samples\CS\QuickStart\Advanced\CustomSecurityPolicyAssertion)
illustrates how to put together a custom policy (policyChoice) to handle just
that.

Regards,

Niels
Pablo Cibraro - 26 Jan 2006 16:10 GMT
Yes, you are right.
I didn't know anything about the existence of that sample. It would be
great to configure that policy (policyChoice) in the SAML STS.

Regards,
Pablo.
