3

I'm considering securing a whole Java EE software platform with OpenAM (prev. Sun OpenSSO). Applications - running on WebLogic AS - would be secured by a JEE Policy Agent and web services with WS-Security SAML Token Profile.

As of my understanding, the SSOTokenManager enables application code to retrieve OpenAM's SSO token. But in order to invoke the SAML protected Web Services, I need to obtain a SAML Assertion from OpenAM. Can anybody tell me how to do so ?

Also, in the Web Service code, I may need to get back a SSO Token from a SAML assertion. Is that possible ?

Tatha
  • 1,253
  • 2
  • 24
  • 42
EdouardHue
  • 33
  • 2
  • 5

2 Answers2

3

You should be able to achieve both conversions using OpenSSO's Security Token Service. There is a tutorial for configuring it.

Andrew Strong
  • 4,303
  • 2
  • 24
  • 26
1

The SSOToken is an internal OpenAM representation of a users session, whilst a SAML token is an asserted identity with associated information. As such, these are not directly translatable in the way you describe.

In order to obtain a SAML token for use in your web service call, you should look at the STS functionality in OpenAM. The is a standardised service that will authenticate users and then make an assertion about the identity and authentication of the user, represented by a SAML token. This token is then returned to the calling entity (the web service client) who can include this token as per the relevant WS-* standards.

You may also want to look at the OpenAM wss provider or the Metro/WSIT library to assist implementation on the client side.

Jonathan Scudder
  • 11
  • 1
  • By internal representation, does it imply the SSOToken should not be persisted on / used by the client to ensure single sign on? – Rajesh Batheja Aug 14 '13 at 10:57