
mace-opensaml-users - RE: [OpenSAML] local part cannot be "null" when creating a QName during unmarshalling an Assertion object

Subject: OpenSAML user discussion

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [OpenSAML] local part cannot be "null" when creating a QName during unmarshalling an Assertion object
  • Date: Wed, 3 Mar 2010 16:35:39 -0500
  • Organization: The Ohio State University

> I have managed to resolve the issues on my end and can assert and validate a
> SAML2.3 token to the CXF webservice deployed on Websphere 6.1. The issue
> turned out to be more a configuration one with some jars that were on the
> classpath that was probably building a broken DOM. It's a nightmare getting
> to deploy Spring/SAML/CXF on to Websphere 6.1 with the SUN jars in the mix.

One of the reasons for that is that people don't provide back any
documentation on all the esoteric combinations they get working even though
there's a wiki that anybody can register in and edit.

> That being said, I am now trying to implement a RESTful SAML approach and
> looking for directions

REST has limited support for message-based security models. OAuth's
unrelated portions that are really attempting to fix HTTP security are an
example of one approach, but not one that SAML can adapt to because
assertions don't fit into HTTP headers.

Our (Shibboleth's) approach has been to stick to models based on
session-level security that are consistent with web SSO, posting assertions
to get back a cookie and then relying on the cookie. This happens to be
compatible with existing SP software and allows REST based services to be
secured with the same code as browser facing services, or offer both at
once.

https://spaces.internet2.edu/display/ShibuPortal/Home

-- Scott




