We are trying to design a Single Sign-On using a SAML implementation. Our application uses the JBoss 4.3 server. Based on our research, JBoss 4.3 does not support the SAML standards. Has anyone had the same experience? What alternative can we use for this scenario?
This is a newbie question about IdentityServer and Windows authentication. The samples provided with IdentityServer3 with Windows authentication seem to implement it using WS-Federation, like the one provided in this link: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/WebHost%20(Windows%20Auth%20All-in-One).
The newest samples with IdentityServer4 use a different approach without Federation. Are these approaches equivalent? Are there benefits to one approach over the other? I can understand using Federation for ADFS, but not for Windows authentication with AD. I know I am missing something but can't figure it out. What is it? Thanks.
IdentityServer4 is based on .NET Core, which currently does not support WS-Federation, so if that is a requirement you should stick to IdentityServer3 on the "standard" framework.
According to the devs there's a "test" version out for WS-Fed, but whether it will be included in the final release of .NET Core 2.0 is still uncertain.
See https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/500
I'm developing a Java Security Token Service using the Metro framework in NetBeans 8.0, following this tutorial: https://metro.java.net/2.0.1/guide/Building_custom_STS_.html
I've implemented the STSAttributeProvider interface to provide custom attributes and build up the <AttributeStatement>. In the same manner I would like to add an <AuthenticationStatement> block in the SAML response, but I can't seem to find out how to do this. What would be the correct approach?
Thanks!
We have an old JBoss 3.2.3 server which hosts an application and exposes EJBs for remote access.
This application has only received minor maintenance in years, and we did not put much effort into migrating it to newer releases of the app server.
Now, we are integrating it with another application, and we have a requirement to also expose SOAP Web Services.
At first, I wasn't worried, since JBoss 3.2.3 announces compliance with the J2EE 1.4 spec (JSR 151), which specifies the APIs for web services: Web Services (JSR 109) and JAX-RPC (JSR 101).
However, my first deploy using the JAX-RPC API failed, because JBoss did not find the JAX-RPC classes.
So my questions are:
Is JBoss 3.2.3 really a J2EE 1.4 app server? The lack of JAX-RPC classes seems to indicate otherwise.
What are the APIs for exposing web services in JBoss 3.2.3?
What are the APIs for consuming web services from an EJB deployed in JBoss 3.2.3?
In the end, I can always deploy additional APIs and libraries with my application, but I'd like to avoid overlapping existing libraries.
JBoss 3.2.3.GA is not a fully compliant J2EE 1.4 server. For instance, it does not implement the EJB 2.1 interface, only EJB 2.0 [1].
Also, JBoss 4.0 announces being the first J2EE 1.4 compliant server; I conclude that JBoss.org did not certify JBoss 3.2.3 as compliant.
Even though it is non-compliant, JBoss 3.2.3 has some features for consuming SOAP web services. For instance, it ships with Apache Axis 1.1 and the JAX-RPC APIs, so one can easily generate Java classes for a WS client outside the server and have them run in an enterprise app.
Exposing web services is a more difficult task. One way of exposing web services is to create a Stateless EJB and expose it as a web service endpoint. However, that's part of the EJB 2.1 spec, which is not available in 3.2.3.
Too bad! In the end, we will look for other alternatives for exposing our web services.
The newer Java EE specs and servers are so much easier to develop for. It's the old specs and servers that gave Java EE a bad rep.
I'm currently assessing ways to implement authentication & authorization in a .NET SOA environment (ASP.NET MVC, WCF).
I have concluded that using Windows Identity Foundation with an STS should fulfil our criteria.
I'm having a hard time finding any suitable STS to work with WIF other than ADFS. I know there are multiple options, but there is no documentation/experience available on how well these play together with WIF.
Summa summarum, multiple questions:
Is this a dumb idea?
Is there any STS product that plays together with WIF smoothly? Any resources on this?
Are there products that allow me to implement centralized (yet scalable) authorization (even with XACML support)?
What is your experience using WSO2 Identity Server with ADFS/WIF?
WSO2 Identity Server has some XACML capabilities, but how can these be used for authorization with WCF services?
There is StarterSTS:
http://startersts.codeplex.com/
which has lately been replaced by IdentityServer:
http://identityserver.codeplex.com/
It's been around for a while and has some features ADFS lacks (like the ability to use a MembershipProvider to authenticate users).
Also, crafting your own STS is relatively easy. There are some good tutorials around; I've also written a few posts on this:
http://netpl.blogspot.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
WSO2 Identity Server can be integrated with ADFS. It can also be run as an XACML engine. The XACML engine is exposed to the outside as a SOAP endpoint as well as a Thrift endpoint.
Disclaimer: I am an architect at WSO2.
No experience of WSO2, but if you don't want to use ADFS you'll have no problems with IdentityServer. Both ADFS and IdentityServer, and more commercial products such as Ping Identity, play very nicely with WIF.
We are considering Spring-WS as the platform for implementing web services that will be deployed on WebLogic. We need to use WS-Security with SAML tokens issued by our identity management platform (TFIM).
The Spring-WS documentation for XwsSecurityInterceptor does not mention SAML, and it is not clear to me if it would work in this context.
I guess alternatives could be to write our own interceptor which uses OpenSAML, or to somehow utilise the SAML support in WebLogic.
Does anyone have experience with this? It would be nice to aim for a solution that is known to be workable.
Apache WSS4J does support SAML tokens, and Spring-WS comes with a Wss4jSecurityInterceptor, so I'd guess you could get it working out of the box.
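To make the answer above concrete, here is an added example (not code from the original thread, from Spring-WS or from WSS4J) of wiring a Wss4jSecurityInterceptor so that every inbound request must carry a signed SAML assertion in its WS-Security header, verified against a trust store holding the issuer's signing certificate. The class name, the trust-store path and password, the five-minute Timestamp window, and the Java-config style (Spring-WS 2.x with the `wss4j2` package) are all assumptions for illustration; the action string `SAMLTokenSigned` is the WSS4J name for a SAML token whose signature is checked.

```java
package example.ws;

import java.io.File;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

// Added example configuration (assumed names/paths), not the project's own code.
@EnableWs
@Configuration
public class SamlWsSecurityConfig extends WsConfigurerAdapter {

    // Trust store containing the signing certificate of the token issuer (TFIM).
    // Only certificates in this store are accepted as assertion signers, so a
    // token signed by anyone else fails validation before the endpoint runs.
    @Bean
    public CryptoFactoryBean issuerTrustStore() {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new FileSystemResource(new File("/etc/ws/issuer-trust.jks"))); // assumed path
        crypto.setKeyStorePassword("changeit"); // assumed password; load from a secret store in practice
        return crypto;
    }

    @Bean
    public Wss4jSecurityInterceptor samlSecurityInterceptor() throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        // Inbound requirements: a wsu:Timestamp and a SAML assertion whose
        // signature verifies. Requests lacking either are rejected with a fault.
        interceptor.setValidationActions("Timestamp SAMLTokenSigned");
        interceptor.setValidationSignatureCrypto(issuerTrustStore().getObject());
        // Bound the replay window: reject Timestamps older than 300 seconds.
        interceptor.setValidationTimeToLive(300);
        return interceptor;
    }

    // Register the interceptor so it runs in front of every endpoint.
    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        try {
            interceptors.add(samlSecurityInterceptor());
        } catch (Exception e) {
            throw new IllegalStateException("cannot build WS-Security interceptor", e);
        }
    }
}
```

Two points worth checking when adopting this: the Timestamp action is what turns the signed assertion into a replay-resistant credential, so keep it even if the issuer does not require it, and the trust store should hold only the issuer's certificate (not a general CA bundle), otherwise any certificate chaining to a trusted CA would be accepted as a valid assertion signer.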