Hi gang,
We are moving to SSO in our N-tiered SOA applications. If all the services were SOAP, I'd be ok with just the WS-Security, WS-Trust, WS-Federation set of protocols. My problem is that many of the services are RESTful (ironic) and those protocols do not address REST services.
What is your advice for SSO protecting the REST services in an N-tiered SOA architecture with the following requirements:
- ideally claims-based identity information available to the REST services
- original user (eg. bootstrap) information must flow through the tiers so that each service can "ActAs" or "OnBehalfOf" the user
- support sequences like:
- WebApp --> REST Svc --> SOAP Svc
- WebApp --> REST Svc1 --> REST Svc2
- WebApp --> SOAP Svc --> REST Svc
- WebApp --> SOAP Svc1 --> SOAP Svc2
- support SSO (and SSOff)
- service/web app platforms:
- ASP.Net and WCF
- Java
- end-user client platforms:
- .Net (WSE 3.0 and WCF)
- flash 10
- java
- javascript and AJAX
Normally I'm good at climbing / bashing my way through walls, but this one's knocked me flat. Hopefully with your help, we can get over this one.
Thanks,
Tyler