'Securing Web Services with Single Sign-On ' Posted on TSS

  1. This article will introduce the simple scenario where the client gets the authentication token from the SSO service and appends it to the outgoing request. The receiving party can validate the incoming token by calling the SSO service. It will also show how SAML, the standard format for security information exchange, can enhance the SSO architecture.

    Read Article Here
  2. SAML seems like a good specification at first read. It's a needed specification. Of course, the spec won't mean much to the average IT guy at an enterprise until applications start showing up that implement SAML methods.

    I updated my IBM developerWorks article on using Web Services and XML-RPC to do single-sign-on to reference the Server Side article and the Oasis SAML spec. The article is at: http://www-106.ibm.com/developerworks/webservices/library/ws-single/

    -Frank Cohen, www.PushToTest.com
  3. Hi:

    The article is great start for me trying to improve my web services security.

    Question: Can you provide information on how to apply your article to WebLogic 6.2 or beta 7.0?

    Thank You
    David L. Wasler
  4. David,

    The SSO service is an ordinary SOAP web service that can be deployed to any application server that the specific SOAP stack supports. In the case of WASP Card, it runs on WASP Server, which supports all leading J2EE application servers including WebLogic. If you're interested in the exact steps on how to port WASP Card to WebLogic, please send us an e-mail to tutorial at systinet dot com.

    Hope this is helpful

  5. Dear all,
    I need to implement SSO for a web services-based application.
    I followed this guide, but some links don't work.

    Could you re-update the SSO solution for web services using any web server such as Systinet, Tomcat, etc.?

    I am looking forward to hearing from you soon.
  6. When implementing a similar single sign-on on WebLogic Server 6.1, we did the following in a project:
     - Deployed the authentication service on a separate instance.
     - Wrote a ServletFilter which handled the authentication of the client. The filter was deployed in a .war file to filter all requests to protected resources.
     - Wrote a custom security realm to handle the authorization. The "username" field was used to pass the authorization token to the security realm. Not the best design, but it worked. I guess this could have been cleaner if we had used JAAS instead.
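    The following is an added example, not code from the article, from WASP Card, or from the WebLogic project described in this post. It models both the scenario from the news item (client obtains a token from the SSO service, attaches it to each outgoing request, and the receiving service validates it by calling the SSO service) and the filter role described here (a gatekeeper in front of protected resources that rejects requests whose token is missing, forged, expired or logged out). The `X-SSO-Token` header name, the in-memory session store, the injectable clock and the demo credential store are all assumptions made for the example; requests and responses are plain dictionaries standing in for SOAP/HTTP messages.

```python
"""Added example of the SSO-token exchange discussed in this thread.
Not the article's or any vendor's code; header name, clock and user store
are assumptions made for the demonstration."""
import hashlib
import hmac
import secrets
import time

# Constructed demo credential store: username -> sha256(password).
# A real deployment would use a salted password hash (e.g. a KDF), not plain sha256.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


class SsoService:
    """The SSO service: issues opaque, time-limited tokens and validates them on request."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # token -> (username, expiry time)

    def login(self, username, password):
        """Authenticate and return a fresh token, or None if the credentials are wrong."""
        expected = _USERS.get(username)
        presented = hashlib.sha256(password.encode()).hexdigest()
        # compare_digest avoids leaking which prefix of the hash matched via timing.
        if expected is None or not hmac.compare_digest(expected, presented):
            return None
        token = secrets.token_urlsafe(32)   # opaque and unguessable; carries no user data
        self._sessions[token] = (username, self._now() + self._ttl)
        return token

    def validate(self, token):
        """Return the user bound to a live token, else None.
        Expired tokens are removed so a later replay cannot succeed."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self._now() >= expiry:
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        """Invalidate a token at the SSO service; every relying service sees it immediately."""
        self._sessions.pop(token, None)


def attach_token(request, token):
    """Client side: append the SSO token to an outgoing request.
    A dedicated header is used instead of overloading the username field."""
    headers = dict(request.get("headers", {}))
    headers["X-SSO-Token"] = token
    return {**request, "headers": headers}


def sso_filter(sso, request, handler):
    """Receiving side, in the role of the ServletFilter: validate the token by
    calling back to the SSO service and only then pass the request to the handler."""
    token = request.get("headers", {}).get("X-SSO-Token")
    if not token:
        return {"status": 401, "body": "missing token"}
    user = sso.validate(token)
    if user is None:
        return {"status": 401, "body": "invalid or expired token"}
    return handler(user, request)


def protected_service(user, request):
    """A protected web service operation; it only ever sees an already-authenticated user."""
    return {"status": 200, "body": f"hello {user}, you called {request['op']}"}


if __name__ == "__main__":
    sso = SsoService(ttl_seconds=60)
    token = sso.login("alice", "correct horse")
    print(sso_filter(sso, attach_token({"op": "getBalance"}, token), protected_service))
    print(sso_filter(sso, {"op": "getBalance"}, protected_service))   # no token -> 401
    sso.logout(token)
    print(sso_filter(sso, attach_token({"op": "getBalance"}, token), protected_service))
```

    Because the token is opaque and validation is a call to the SSO service, the relying service never has to interpret the token itself, and revocation (logout or expiry) takes effect everywhere at once; the cost is one call per request, which is the trade-off SAML assertions are meant to soften by carrying signed, self-verifiable statements.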
  7. The spec on the OASIS web site is at the 1.0 "committee draft review" version.

    But what about products implementing this spec?

    Do you have any feedback on the Netegrity JSAML toolkit or Systinet WASP Server Advanced and WASP Card?

    And people who have implemented the SSO solution themselves ... have you tried to follow the SAML standard?

  8. I was following the tutorial from Systinet at:
    I downloaded and installed wasp_advanced_3.0.3final.zip and the required Wasp_Demo folder mentioned in the article.
    However, I could not locate the "server.bat" file in C:/wasp_advanced/bin.
    I was wondering if the version has changed since the tutorial was written.