WebServices security with SAML (SSO) - How to?

lpinto.eu picture lpinto.eu · Sep 12, 2011 · Viewed 9.2k times · Source

The Problem:

I want to implement a set of Webservices, protected with SAML. I need to authenticate the users, and also need to authorize based on the user role. I found some questions similar to this one, but none with satisfactory answers.

The scenario:

  • Java Webapp accessed only using Webservices;
  • SOAP - metro;
  • Clients use some Desktop application that they will develop.

Key features that I need:

  • Free software;
  • SAML 2.0;
  • LDAP(or similar solution) to manage users information;
  • Message level security (SOAP).

The question:

I study some SAML (SSO) solutions (e.g. Shibboleth, opemAM, JOSSO...);

  • Can I use any of those, without compromise any of the key features?
  • Or do I need to implement my own way to handle the SAML tokens?
  • How to do it?

Thank you!



Here are some results that I found, and/or some tips from the answers:

Still searching, please contribute!!

Answer

Prabath Siriwardena picture Prabath Siriwardena · Sep 13, 2011

I am an architect at WSO2. WSO2 produces WSO2 Identity Server supporting all the features you required. You can deploy WSO2 Identity Server over an existing LDAP user store and make it act as an SAML2 IdP. We are using this functionality of Identity Server in our Platform as a Service [PASS] offering - https://stratoslive.wso2.com for SAML2 single sign on.

This is a good starting point and you can download WSO2 Identity Server from here.