OpenSSO SSOToken to SAML assertion and back

Question

I'm considering securing a whole JEE software platform with OpenAM (prev. Sun OpenSSO). Applications - running on WebLogic AS - would be secured by a JEE Policy Agent and web services with WS-Security SAML Token Profile.

As of my understanding, the SSOTokenManager enables application code to retrieve OpenAM's SSO token. But in order to invoke the SAML protected Web Services, I need to obtain a SAML Assertion from OpenAM. Can anybody tell me how to do so ?

Also, in the Web Service code, I may need to get back a SSO Token from a SAML assertion. Is that possible ?

Answer 1

Hi Edouard,

The SSOToken is an internal OpenAM representation of a users session, whilst a SAML token is an asserted identity with associated information. As such, these are not directly translatable in the way you describe.

In order to obtain a SAML token for use in your web service call, you should look at the STS functionality in OpenAM. The is a standardised service that will authenticate users and then make an assertion about the identity and authentication of the user, represented by a SAML token. This token is then returned to the calling entity (the web service client) who can include this token as per the relevant WS-* standards.

You may also want to look at the OpenAM wss provider or the Metro/WSIT library to assist implementation on the client side.

Answer 2

You should be able to achieve both conversions using OpenSSO's Security Token Service. There is a tutorial for configuring it.