Issuing SAML tokens from an STS using WSE 3.0
I thought for sure I blogged about this ... man, that means this is like 13 days late ... geez. Well, lucky for you we're not going to pull it off the Web anytime soon. Hopefully you heard about it over on Jason's blog. If you have no idea what I'm talking about, let me introduce you to the SAML STS for WSE 3.0 QuickStart. To download it, just join and login to the workspace - you'll see the link in the Downloads section.
This project is an extension of the Web Service Security guide we released last year. In that guide, there is a brokered authentication design pattern for a Security Token Service (STS). This is a great place to start if you're not familiar with the role of an STS or why you might use one. Unfortunately, we didn't have time to include an implementation pattern for an STS. Well, that's precisely what this project is. Even cooler is the fact that it issues SAML 1.1 tokens. Security Assertion Markup Language (SAML) tokens are an extensible XML token that offer a high degree of interoperability. For example, we interop tested this QuickStart with the SAML token in the December CTP drop of WCF. SAML is also a nice token because it doesn't require the infrastructure that Kerberos and X.509 do and it's capable of much more than the Username token ... specifically, you can sign and encrypt with it too.
I'll drill into the interesting parts of the code in a later post, but before I sign out, I should mention that the ZIP file contains more than just the QuickStart sample code. It also contains the implementation pattern, a design document, and (of course) installation instruction. Check it out ... I think you'll learn a lot.
Comments
- Anonymous
January 31, 2006
Hello Don, Hope you and your family are well.
As this seems to be centered on interoperability, I'm thinking that it may be a good idea (in our WSE P&P ) to list more references to IBM/SUN/MONO links which also show how to play nicely with these technologies.
To me, showing how great it is in a Microsoft only world is great, but large enterprise customers want to see hard examples of this working with their WebSphere and java investments. There is still a great deal of skepticism on true interoperability - despite standards
My .02 - BTW - I think the work you and your team is doing is just amazing - keep it up.
Oh yea - did you hear - it's sunny here in NC!
:-)
...Andrew - Anonymous
February 01, 2006
Hey Andrew,
Yes! That's an excellent point and I couldn't agree more. Of course we have the WS-I BSP Reference Implementation [0] which is interop tested with all interested vendors in the WS-I, but that's not SAML interop testing. I suspect if the uptake is good on this SAML STS work, we will do much more comprehensive interop testing - aside from just WCF :)
Hey, when you get a chance, can you please email me some NC sunshine? We sure could use some. Thanks man!
[0] http://msdn.microsoft.com/practices/guidetype/RefImp/default.aspx?pull=/library/en-us/dnpag2/html/MSWSIBSP.asp - Anonymous
February 01, 2006
Hey Andrew,
Yes! That's an excellent point and I couldn't agree more. Of course we have the WS-I BSP Reference Implementation [0] which is interop tested with all interested vendors in the WS-I, but that's not SAML interop testing. I suspect if the uptake is good on this SAML STS work, we will do much more comprehensive interop testing - aside from just WCF :)
Hey, when you get a chance, can you please email me some NC sunshine? We sure could use some. Thanks man!
[0] http://msdn.microsoft.com/practices/guidetype/RefImp/default.aspx?pull=/library/en-us/dnpag2/html/MSWSIBSP.asp