Sunday, March 13, 2011

[WSS4J 1.6] SAML property changes

A previous blog entry described how WSS4J 1.6 will have support for creating, parsing, signing, verifying, etc. SAML 2 assertions. WSS4J 1.5.x had limited support for creating and signing SAML 1.1 assertions via the default SAMLIssuer implementation, combined with a properties file. These configuration values consisted of:
  • org.apache.ws.security.saml.issuerClass - The SAML Issuer implementation (defaults to "org.apache.ws.security.saml.SAMLIssuerImpl").
  • org.apache.ws.security.saml.issuer.cryptoProp.file - The crypto properties file corresponding to the issuer crypto instance, if the assertion is to be signed.
  • org.apache.ws.security.saml.issuer.key.name - The KeyStore alias for the issuer key.
  • org.apache.ws.security.saml.issuer.key.password - The KeyStore password for the issuer key.
  • org.apache.ws.security.saml.issuer - The issuer name.
  • org.apache.ws.security.saml.issuer.sendKeyValue - Whether to send the key value or the X509Certificate. Defaults to: "false".
  • org.apache.ws.security.saml.subjectNameId.name - The Subject DN.
  • org.apache.ws.security.saml.subjectNameId.qualifier - The Subject qualifier.
  • org.apache.ws.security.saml.authenticationMethod - The authentication method (e.g. "password").
  • org.apache.ws.security.saml.confirmationMethod - The confirmation method, either "senderVouches" or "keyHolder".
The configuration tags for WSS4J 1.5.x completely controlled the creation and signing of a SAML 1.1 Assertion, and hence could produce only a very limited set of possible assertions. WSS4J 1.6 takes a different approach: the configuration tags correspond only to the configuration of the issuer, i.e. whether to sign the assertion or not, the issuer name, the crypto instance, etc. All instructions about how to create the SAML Assertion itself are left to a CallbackHandler implementation.

The following configuration tags in WSS4J 1.6 are exactly the same as in WSS4J 1.5.x:
  • org.apache.ws.security.saml.issuerClass - The SAML Issuer implementation (defaults to "org.apache.ws.security.saml.SAMLIssuerImpl").
  • org.apache.ws.security.saml.issuer.cryptoProp.file - The crypto properties file corresponding to the issuer crypto instance, if the assertion is to be signed.
  • org.apache.ws.security.saml.issuer.key.name - The KeyStore alias for the issuer key.
  • org.apache.ws.security.saml.issuer.key.password - The KeyStore password for the issuer key.
  • org.apache.ws.security.saml.issuer - The issuer name.
  • org.apache.ws.security.saml.issuer.sendKeyValue - Whether to send the key value or the X509Certificate. Defaults to: "false".
The following configuration tags are new to WSS4J 1.6:
  • org.apache.ws.security.saml.issuer.signAssertion - Whether the SAMLIssuer implementation will sign the assertion or not. Defaults to: "false".
  • org.apache.ws.security.saml.callback - The name of the SAML CallbackHandler implementation used to populate the SAML Assertion.
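As an added example (not code from WSS4J or from this post), the following Python script walks through the migration described above: it reads a WSS4J 1.5.x SAML issuer properties file, keeps the tags that are unchanged in 1.6, separates out the assertion-content tags (subject, authentication method, confirmation method) that now have to be supplied by the CallbackHandler, and emits a 1.6 properties file. The one point worth automating is the signing default: in 1.5.x a configured issuer crypto file implied a signed assertion, whereas in 1.6 signing is controlled by org.apache.ws.security.saml.issuer.signAssertion and defaults to "false", so the migration sets it explicitly and warns when the result would be an unsigned assertion. The sample properties and the callback class name com.example.saml.MySamlCallbackHandler are constructed placeholders.

```python
"""Migrate a WSS4J 1.5.x SAML issuer .properties file to the WSS4J 1.6 layout.

Added example; the key names come from the WSS4J 1.5.x/1.6 lists in the post,
the sample values and the callback class name are constructed placeholders.
"""
from __future__ import annotations

PREFIX = "org.apache.ws.security.saml."

# Tags that are identical in WSS4J 1.5.x and 1.6.
RETAINED = {
    PREFIX + "issuerClass",
    PREFIX + "issuer.cryptoProp.file",
    PREFIX + "issuer.key.name",
    PREFIX + "issuer.key.password",
    PREFIX + "issuer",
    PREFIX + "issuer.sendKeyValue",
}

# Tags that described the assertion content in 1.5.x. In 1.6 the
# CallbackHandler populates the assertion, so these have no properties-file
# equivalent and their values become inputs to that handler instead.
MOVED_TO_CALLBACK = {
    PREFIX + "subjectNameId.name",
    PREFIX + "subjectNameId.qualifier",
    PREFIX + "authenticationMethod",
    PREFIX + "confirmationMethod",
}

SIGN_KEY = PREFIX + "issuer.signAssertion"      # new in 1.6, defaults to "false"
CALLBACK_KEY = PREFIX + "callback"              # new in 1.6

# Constructed sample of a WSS4J 1.5.x configuration that signed its assertions.
OLD_PROPS = """\
# constructed sample: WSS4J 1.5.x SAML issuer configuration
org.apache.ws.security.saml.issuerClass=org.apache.ws.security.saml.SAMLIssuerImpl
org.apache.ws.security.saml.issuer.cryptoProp.file=saml_issuer_crypto.properties
org.apache.ws.security.saml.issuer.key.name=issuer-key
org.apache.ws.security.saml.issuer.key.password=changeit
org.apache.ws.security.saml.issuer=www.example.com
org.apache.ws.security.saml.issuer.sendKeyValue=false
org.apache.ws.security.saml.subjectNameId.name=uid=alice,ou=people,dc=example,dc=com
org.apache.ws.security.saml.subjectNameId.qualifier=www.example.com
org.apache.ws.security.saml.authenticationMethod=password
org.apache.ws.security.saml.confirmationMethod=senderVouches
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse the key=value subset of Java .properties files.

    Handles '#' and '!' comment lines, blank lines, and '=' or ':' as the
    separator; the first separator wins, so values may contain '=' (DNs do).
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not positions:
            props[line] = ""
            continue
        idx = min(positions)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def migrate(old: dict[str, str], callback_class: str
            ) -> tuple[dict[str, str], dict[str, str], list[str]]:
    """Split a 1.5.x configuration into (1.6 properties, callback inputs, warnings)."""
    new = {k: v for k, v in old.items() if k in RETAINED}
    callback_inputs = {k: v for k, v in old.items() if k in MOVED_TO_CALLBACK}
    warnings = [f"unrecognised key dropped: {k}"
                for k in sorted(old) if k not in RETAINED | MOVED_TO_CALLBACK]
    # 1.5.x signed whenever an issuer crypto file was configured; 1.6 only signs
    # when signAssertion is "true", so the intent has to be written down explicitly.
    if PREFIX + "issuer.cryptoProp.file" in old:
        new[SIGN_KEY] = "true"
    else:
        new[SIGN_KEY] = "false"
        warnings.append("no issuer crypto configured: assertions will be unsigned")
    new[CALLBACK_KEY] = callback_class
    return new, callback_inputs, warnings


def render(props: dict[str, str]) -> str:
    """Serialise a dict back to .properties lines, sorted for stable diffs."""
    return "".join(f"{k}={v}\n" for k, v in sorted(props.items()))


if __name__ == "__main__":
    new_props, cb_inputs, warns = migrate(parse_properties(OLD_PROPS),
                                          "com.example.saml.MySamlCallbackHandler")
    print("# WSS4J 1.6 properties\n" + render(new_props))
    print("# values the CallbackHandler must now supply\n" + render(cb_inputs))
    for w in warns:
        print("WARNING:", w)
```

Running the script prints the 1.6 properties file (six retained tags plus signAssertion=true and the callback class) and, separately, the four assertion-content values that the CallbackHandler now has to produce; a 1.5.x configuration with no crypto file is migrated to signAssertion=false and flagged, since that is the case where an operator might not realise the issued assertion carries no signature.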
