Identity Patterns with the WSO2 Identity Server
Accessing a SOAP service secured with WS-Trust from a web app on behalf of the logged-in user (SAML 2.0)
Problem:
Accessing a SOAP service secured with WS-Trust from a web app on behalf of the logged-in user (SAML 2.0)
Problem:
- The business users need to access multiple service providers supporting SAML 2.0 web SSO-based authentication.
- Once the user logs into the web app, the web app needs to access a SOAP service secured with WS-Trust on behalf of the logged in user.
- Deploy WSO2 Identity Server as an identity provider, and register all the service providers (with SAML 2.0 as the inbound authenticator). Further, it will also act as a Security Token Service(STS) based on WS-Trust.
- Deploy the SOAP service in WSO2 App Manager and secure it with WS-Security Policy to accept a SAML token as a supporting token.
- Deploy the web app in the WSO2 App Manager.
- Write a filter and deploy it in the WSO2 App Server, which will accept a SAML token coming from Web SSO flow and build a SOAP message embedding that SAML token.
- Since we are using SAML bearer tokens here, all the communication channels that carry the SAML tokens must be over TLS.
- Once the web app gets the SAML token, it will build a SOAP message with the security headers out of it (embedding the SAML token inside ActAs element of the RST) and talk to the WSO2 Identity Server’s STS endpoint to get a new SAML token to act-as the logged in user, when talking to the secured SOAP service.
- WSO2 App Server will validate the security of the SOAP message. It has to trust the WSO2 Identity Server, who is the token issuer.
- Products: WSO2 Identity Server 3.0.0+, WSO2 Application Server
