European Workshop on Trust & Identity

In cooperation with GÉANT

EIW 2013 Tue Session 1E

How to use SAML with Web Services (REST and SOAP?)

Convenor: Peter Gietz

- Moonshot
- OAuth2
- WS-Trust STS (Security Token Service)
- OpenID Connect (not SAML based, but addresses the same problem space)
- Use SAML with a self-service web application on the PC, e.g. a QR tag to bootstrap OAuth2 on your phone (Victoriano described a pilot project at the University of Malaga)
- SURFnet APIs (on the OAuth2 page): SAML integrated into OAuth2


- SAML is for authN and attributes; embedded XACML is not used
- AuthZ happens somewhere else (OAuth may be used for that)

The fundamental problem for web services is authZ

Two problems:
- who is the user?
- what can (s)he do?

OAuth2 + SAML:
Use SAML to do the authN for OAuth ("3-legged" scenario)
Example open source implementations: APIs (
Several other open source and commercial examples exist

Banks want to build on SAML as it is already there, and because of the opportunity for inter-federation. They need to use SAML to be able to federate with other banks. View from the bank: whether an ECP implementation with different authN methods would comply with the standard is uncertain.
Reply: ECP needs to be profiled, because the authN method cannot be defined in general. Ubisecure did implement ECP with a proxy that translates HTTP Basic authN to ECP.

Three solution spaces:
- Move the SAML stuff to the web service
  example: SAML ECP and STS, to an extent Moonshot
- Proxy the SAML authN to something else
  e.g. SAML + OAuth2, PKI
- Bootstrap scenario

Additional issue:
Use a web browser on the mobile client, or not?

Additional profiling needed. Done in Finland:
- Scenario 1: IdP (with ECP support), backchannel is proprietary (based on part of the RADIUS spec)
PAM ECP exists

Bootstrap scenario:
Bootstrap a token with SAML or something like it, and use that token on the mobile device (OAuth2 or something else)
Either certificate based (e.g. with InCert) or bootstrap
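The bootstrap scenario above, and the earlier "OAuth2 + SAML" item (SAML does the authN, OAuth2 carries the token), as an added worked example. This is not code from the session, from the Malaga pilot or from any of the projects mentioned: the SAML SP session is a constructed dict (no assertion is parsed), the token endpoint and resource server are in-process functions, and the TTLs, scopes, subject and key handling are assumptions. What it shows is the security-relevant shape of the flow: the SAML-authenticated web app on the PC mints a short-lived, single-use code for the QR tag; the phone exchanges that code for a bearer token; the resource server checks signature, expiry and scope; a replayed QR tag and a tampered token are both rejected.

```python
"""Added example: bootstrap an OAuth2 bearer token from a SAML-authenticated
web session (the QR-tag scenario). Everything is in-memory and simulated:
the SAML SP session is a constructed dict, no XML is parsed, no network."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Signing key for bearer tokens (constructed here; load from a KMS in practice).
_TOKEN_KEY = os.urandom(32)
# Outstanding bootstrap codes: code -> (bound session data, expiry time)
_BOOTSTRAP_CODES = {}

BOOTSTRAP_CODE_TTL = 60.0    # assumed: seconds the QR tag stays valid
ACCESS_TOKEN_TTL = 3600.0    # assumed: seconds the bearer token stays valid


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64url(hmac.new(_TOKEN_KEY, payload.encode(), hashlib.sha256).digest())


def issue_bootstrap_code(saml_session: dict, now: Optional[float] = None) -> str:
    """Web app side, after the SAML SP session exists in the PC browser.

    Returns the opaque code to encode into the QR tag. Only the SAML subject and
    the released attributes are bound to it; the assertion never reaches the phone.
    """
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
    bound = {"sub": saml_session["sub"], "attrs": dict(saml_session.get("attrs", {}))}
    _BOOTSTRAP_CODES[code] = (bound, now + BOOTSTRAP_CODE_TTL)
    return code


def exchange_bootstrap_code(code: str, scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Token endpoint for the phone: bootstrap code -> OAuth2 bearer token.

    The code is consumed on first use (replaying a scanned QR tag fails) and
    rejected once expired. Every failure returns None, so a caller cannot tell
    an unknown code from an expired or replayed one.
    """
    now = time.time() if now is None else now
    entry = _BOOTSTRAP_CODES.pop(code, None)  # pop makes the code single-use
    if entry is None or now > entry[1]:
        return None
    bound = entry[0]
    claims = {"sub": bound["sub"], "attrs": bound["attrs"], "scope": scope,
              "iat": int(now), "exp": int(now + ACCESS_TOKEN_TTL)}
    payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return {"access_token": payload + "." + _sign(payload),
            "token_type": "Bearer", "expires_in": int(ACCESS_TOKEN_TTL)}


def verify_bearer_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource server side: check signature, expiry and scope; return claims or None."""
    now = time.time() if now is None else now
    payload, sep, sig = token.partition(".")
    # Constant-time comparison of the presented and recomputed signatures.
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    claims = json.loads(_b64url_decode(payload))
    if now > claims["exp"] or required_scope not in claims["scope"].split():
        return None
    return claims


def demo() -> dict:
    """Walk the flow once; returns what each step produced."""
    t0 = 1_700_000_000.0
    # Constructed SP session: what the web app knows after the SAML POST binding.
    saml_session = {"sub": "alice@example.org", "attrs": {"eduPersonAffiliation": "staff"}}
    code = issue_bootstrap_code(saml_session, now=t0)                    # shown as QR tag
    token = exchange_bootstrap_code(code, "calendar.read", now=t0 + 5)   # phone scans it
    replay = exchange_bootstrap_code(code, "calendar.read", now=t0 + 6)  # same tag again
    good = verify_bearer_token(token["access_token"], "calendar.read", now=t0 + 10)
    last = token["access_token"][-1]
    forged = token["access_token"][:-1] + ("A" if last != "A" else "B")   # flip one sig char
    bad = verify_bearer_token(forged, "calendar.read", now=t0 + 10)
    return {"claims": good, "replay_rejected": replay is None, "forgery_rejected": bad is None}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point carried over from the discussion: the phone never sees SAML at all. The PC browser, which can do the redirect-based SAML profiles, is the only place the IdP interaction happens; what crosses to the mobile device is an unguessable, single-use, short-lived code, and from then on the device speaks plain OAuth2. Whether the bootstrap is this code or a client certificate (as in the InCert variant) is a choice about the second leg only.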

REST based vs SOAP based services:
SOAP is strong in the enterprise and includes business logic, which REST cannot do. Building mobile clients to WS-*
SAML STS, but unclear how to hook that into SAML in a standardized way

Solution scenario:
1) OAuth2 + a bootstrap based on SAML, or a step-up scenario

OASIS work:
- XACML 3 REST profile (JSON representation)
- CloudAuthZ: authZ for the cloud, esp. roles

Other activities:
- JSON for SAML (mostly to get rid of SOAP)