Do we absolutely need a STS for SAML?

走了就别回头了 2021-02-15 17:33

I am trying to implement SAML enabled SOAP services for the first time and I have some conceptual questions regarding the role of a Secure Token Service (STS) in a SAML implemen

2 answers
  •  终归单人心
    2021-02-15 18:09

    No, you don't need an STS for SAML tokens in web services. The STS exchanges one token (where 'token' includes things like username+password) for another, so it's useful in that your web service consumer can send some input token (typically username+password or a signature+X.509 cert for simple use cases) to the STS and get back a SAML assertion all ready to go.

    Now, if you have the capability to create SAML tokens that will be accepted by your web service provider, have at it! No STS necessary - the actual SOAP message on the wire is identical whether or not an STS was involved in its creation.

    I wrote a couple of blog entries a few years ago that detail some of this:

    Access Manager 7.1 Beta in Java EE Tools/NetBeans 5.5 Enterprise Pack

    Anatomy of a SAML-Secured SOAP Message

    Sun Access Manager 7.1 has been superseded by OpenAM, but the principles remain the same. In particular, the second entry is independent of any actual product.
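
An added illustration of the answer above (not code from the answerer or from any product it mentions): the same header-building step handles a locally issued assertion and one taken from an STS reply, and the resulting envelopes have the same structure. The WS-Trust 1.3 element names for the STS reply, the issuer URLs, the `getQuote` body and all sample values are assumptions constructed for the example; the assertions are left unsigned, whereas a provider would normally accept only an assertion signed by an issuer it trusts.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the token part of an STS reply (WS-Trust 1.3 names assumed).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}" xmlns:saml="{SAML}">
  <wst:RequestedSecurityToken>
    <saml:Assertion Version="2.0" ID="_constructed-sts-1" IssueInstant="2021-02-15T18:00:00Z">
      <saml:Issuer>https://sts.example.test</saml:Issuer>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2021-02-15T18:00:00Z" NotOnOrAfter="2021-02-15T18:05:00Z"/>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""
BODY = '<getQuote xmlns="urn:example:constructed"><symbol>XYZ</symbol></getQuote>'

def issue_assertion(issuer, name_id, lifetime_s=300):
    """Build an assertion locally, no STS. Unsigned: XML-DSig needs a dedicated library."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"Version": "2.0", "ID": "_" + uuid.uuid4().hex, "IssueInstant": ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(a, f"{{{SAML}}}Conditions",
                  {"NotBefore": ts(now), "NotOnOrAfter": ts(now + timedelta(seconds=lifetime_s))})
    return a

def assertion_from_rstr(rstr_xml):
    """Pull the issued assertion out of an STS response."""
    return ET.fromstring(rstr_xml).find(f"{{{WST}}}RequestedSecurityToken/{{{SAML}}}Assertion")

def secure_envelope(assertion, body_xml):
    """Place the assertion in the wsse:Security header; its origin plays no part."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    security.append(assertion)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return env

def shape(elem):
    """Tag-only view of a tree, for comparing message structure."""
    return (elem.tag, tuple(shape(child) for child in elem))
```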
