New trust features in Metro 1.3
By Jiandong Guo on Jul 03, 2008
A new ws-trust sample is available in Metro, the Web services stack for Glassfish.
This sample illustrates some of the exciting new features and use cases introduced in Metro 1.3, including:
1. Use an issued SAML assertion together with a SAMLToken policy assertion to authenticate to the service. In this case the client makes an independent call to the STS with IssuedTokenManager. This shows how to use an STS in a more general context, going beyond the specific IssuedToken policy assertion pattern.
2. Use the WS-Trust validation binding to validate the issued SAML assertion with the STS on the service side.
With these new features, I believe more interesting applications can be built on top of Metro.
Here is a brief description of the message flows in the sample:
1. The client obtains the service WSDL with policy. The policy has a SAMLToken
assertion as a SignedSupportingToken indicating that a SAML assertion is required
to access the service.
2. The client makes a call to the STS in its SamlCallbackHandler to request a SAML assertion.
3. The client calls the service with the SAML assertion from the STS.
4. The service calls the STS to validate the SAML assertion in its SamlValidator.
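The four steps above, modelled at the WS-Trust message level as an added example (this is not the sample's Java code and does not use the Metro classes it names; IssuedTokenManager, SamlCallbackHandler and SamlValidator are the real hooks, this only shows what crosses the wire). It builds the Issue request with its wsp:AppliesTo, the STS's response carrying a SAML 1.1 assertion, the Validate request with its wst:ValidateTarget, and the wst:Status answer. Assumptions are labelled in the code: an HMAC over the canonicalised assertion stands in for the XML signature a real STS produces, the signing key and the service address are constructed values, and the STS is a toy in-process class rather than an endpoint.

```python
"""Message-level model of the sample's Issue-then-Validate flow over WS-Trust 1.3 (added example)."""
import copy, hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"        # wsp:AppliesTo
WSA = "http://www.w3.org/2005/08/addressing"                # wsa:EndpointReference
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"              # SAML 1.1
SAML11_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
STATUS_VALID, STATUS_INVALID = WST + "/status/valid", WST + "/status/invalid"
SIG = "urn:example:hmac-signature"   # constructed stand-in for the ds:Signature a real STS emits

def _canon(elem):   # C14N 2.0 bytes, so the MAC survives re-serialisation on the wire
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True).encode()

def over_wire(elem):   # serialise and re-parse, as a SOAP hop would
    return ET.fromstring(ET.tostring(elem))

class SimpleSts:
    """Toy STS: Issue returns a SAML 1.1 assertion, Validate checks one it issued earlier."""
    def __init__(self, signing_key, issuer="urn:example:sts", lifetime_seconds=300):
        self.key, self.issuer, self.lifetime = signing_key, issuer, timedelta(seconds=lifetime_seconds)

    def _mac(self, assertion):   # MAC over the assertion with its Signature element removed
        unsigned = copy.deepcopy(assertion)
        for sig in unsigned.findall(f"{{{SIG}}}Signature"):
            unsigned.remove(sig)
        return hmac.new(self.key, _canon(unsigned), hashlib.sha256).hexdigest()

    def _check(self, assertion, now):
        if assertion is None:
            return STATUS_INVALID, "no SAML assertion in ValidateTarget"
        if not hmac.compare_digest(assertion.findtext(f"{{{SIG}}}Signature") or "", self._mac(assertion)):
            return STATUS_INVALID, "signature mismatch: tampered or not issued by this STS"
        if now >= datetime.fromisoformat(assertion.find(f"{{{SAML}}}Conditions").get("NotOnOrAfter")):
            return STATUS_INVALID, "assertion expired"
        return STATUS_VALID, "ok"

    def handle(self, rst, requester=None):
        """`requester` is the identity the STS's own security binding already authenticated."""
        now = datetime.now(timezone.utc)
        stamp = now.isoformat()
        req_type = rst.findtext(f"{{{WST}}}RequestType")
        rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
        if req_type == WST + "/Issue":
            holder = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
            a = ET.SubElement(holder, f"{{{SAML}}}Assertion", AssertionID="_" + uuid.uuid4().hex,
                              Issuer=self.issuer, IssueInstant=stamp)
            cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=stamp,
                                 NotOnOrAfter=(now + self.lifetime).isoformat())
            arc = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
            ET.SubElement(arc, f"{{{SAML}}}Audience").text = rst.findtext(f".//{{{WSA}}}Address")
            stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", AuthenticationInstant=stamp)
            subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
            ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = requester
            ET.SubElement(a, f"{{{SIG}}}Signature").text = self._mac(a)   # sign last
            ET.SubElement(rstr, f"{{{WST}}}TokenType").text = SAML11_TOKEN
        elif req_type == WST + "/Validate":
            code, reason = self._check(rst.find(f"{{{WST}}}ValidateTarget/{{{SAML}}}Assertion"), now)
            status = ET.SubElement(rstr, f"{{{WST}}}Status")
            ET.SubElement(status, f"{{{WST}}}Code").text = code
            ET.SubElement(status, f"{{{WST}}}Reason").text = reason
        else:
            raise ValueError(f"unsupported RequestType: {req_type!r}")
        return rstr

def build_issue_rst(applies_to):   # step 2: what the client's SamlCallbackHandler sends via IssuedTokenManager
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML11_TOKEN
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return rst

def build_validate_rst(assertion):   # step 4: what the service's SamlValidator sends on the validation binding
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Validate"
    ET.SubElement(rst, f"{{{WST}}}ValidateTarget").append(copy.deepcopy(assertion))
    return rst

def client_obtain_assertion(sts, service_address, user):
    rstr = over_wire(sts.handle(over_wire(build_issue_rst(service_address)), requester=user))
    return rstr.find(f"{{{WST}}}RequestedSecurityToken/{{{SAML}}}Assertion")

def service_validate(sts, assertion, my_address):
    """Returns (status code, reason). The audience check stays with the service: it knows its own address."""
    rstr = over_wire(sts.handle(over_wire(build_validate_rst(assertion))))
    code = rstr.findtext(f"{{{WST}}}Status/{{{WST}}}Code")
    reason = rstr.findtext(f"{{{WST}}}Status/{{{WST}}}Reason")
    if code == STATUS_VALID and assertion.findtext(f".//{{{SAML}}}Audience") != my_address:
        return STATUS_INVALID, "assertion was issued for a different service"
    return code, reason

if __name__ == "__main__":
    sts, svc = SimpleSts(signing_key=b"constructed-demo-key"), "http://service.example/echo"
    token = client_obtain_assertion(sts, svc, "alice")           # steps 1-2
    print("genuine:", service_validate(sts, token, svc))          # -> (STATUS_VALID, 'ok')
    token.find(f".//{{{SAML}}}NameIdentifier").text = "bob"       # altered in flight
    print("tampered:", service_validate(sts, token, svc))         # -> (STATUS_INVALID, 'signature mismatch: ...')
```

The point the validation binding makes in the sample is visible in `service_validate`: the service never inspects the assertion's signature itself, it hands the whole token back to the STS in a ValidateTarget and acts on the returned Status code. Three things still have to be checked somewhere before the service trusts the subject: integrity (here the MAC, in Metro the XML signature), lifetime (NotOnOrAfter), and audience (the assertion was issued for this service's AppliesTo address and not for another one). The first two sit in the STS, the last one is the service's own knowledge, which is why it is checked there.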