mace-opensaml-users - RE: SAML SOAP Binding

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: "'Rami Jaamour'" <>, <>
  • Subject: RE: SAML SOAP Binding
  • Date: Mon, 20 Dec 2004 13:38:15 -0500
  • Organization: The Ohio State University

> The "Bindings and Profiles for the OASIS Security Assertion Markup
> Language (SAML) V1.1" - OASIS standard, 2 September 2003 describes the
> SAML binding for SOAP within the SOAP Body. I was able to use Apache
> WSS4J to generate SAML Assertions in the SOAP Header, but it would be
> nice if I can bind SAML to the SOAP Body as the profile states. What is
> the best way to have my Axis/OpenSAML generate them in the SOAP Body
> based on a request query (in the SOAP Body)? I'm also posting this
> question to the WSS4J list.

Well, I have a class that already does this for you, and it follows the
letter of the spec in the sense that using arbitrary SOAP features with the
SAML binding is technically not allowed. Thus, I one-offed it; using Axis
would have been silly.

It needs more work, particularly the client end (in Java) and regarding
authentication of the messages.

Since it needs to get more powerful anyway, to deal with SAMLv2, I'd like to
work with somebody using WSS4J to make sure the hooks are there to support
adding headers, etc.

But I believe using a full SOAP stack would be overkill and would be too
much of a dependency. I'd like to simply deal with the body myself but farm
out header processing and transport-based authentication in a modular way.

-- Scott
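
Added example, not part of the original message and not OpenSAML's own code: a sketch of the approach discussed above, reading the SOAP 1.1 Body directly with the JDK's DOM parser while handing each header block to a pluggable hook. The class name, the `headerHook` parameter and the sample message are assumptions made for illustration; the one-request-per-Body check follows the SAML 1.1 SOAP binding's rule that the Body carries a single SAML request and nothing else.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.function.Consumer;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SamlSoapBody {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";
    // Element children of parent, skipping whitespace text and comments.
    static List<Element> children(Element parent) {
        List<Element> out = new ArrayList<>();
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element) out.add((Element) n);
        return out;
    }
    static boolean is(Element e, String ns, String local) {
        return ns.equals(e.getNamespaceURI()) && local.equals(e.getLocalName());
    }
    // Returns the samlp:Request; every header block is passed to headerHook (hypothetical plug-in point).
    static Element extractRequest(byte[] msg, Consumer<Element> headerHook) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // SOAP 1.1 forbids DTDs; refusing them also blocks XXE and entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element env = f.newDocumentBuilder().parse(new ByteArrayInputStream(msg)).getDocumentElement();
        if (!is(env, SOAP, "Envelope")) throw new IllegalArgumentException("not a SOAP 1.1 envelope");
        Element body = null;
        for (Element part : children(env)) {
            if (is(part, SOAP, "Header")) children(part).forEach(headerHook);
            else if (is(part, SOAP, "Body")) body = part;
        }
        if (body == null) throw new IllegalArgumentException("no SOAP Body");
        List<Element> kids = children(body);
        if (kids.size() != 1 || !is(kids.get(0), SAMLP, "Request"))
            throw new IllegalArgumentException("Body must hold exactly one samlp:Request");
        return kids.get(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message, not taken from the thread.
        String msg = "<S:Envelope xmlns:S='" + SOAP + "'><S:Header><x:Trace xmlns:x='urn:example'/></S:Header>"
            + "<S:Body><samlp:Request xmlns:samlp='" + SAMLP + "' MajorVersion='1' MinorVersion='1'"
            + " RequestID='_constructed1' IssueInstant='2004-12-20T18:38:15Z'/></S:Body></S:Envelope>";
        List<String> seen = new ArrayList<>();
        Element req = extractRequest(msg.getBytes(StandardCharsets.UTF_8), h -> seen.add(h.getLocalName()));
        System.out.println(req.getAttribute("RequestID") + " headers=" + seen);
    }
}
```

The hook only receives header elements; signature verification and transport-level authentication of the caller are outside this sketch and would have to be plugged in separately.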



