My blog has moved and can now be found at http://blog.aniljohn.com

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Saturday, June 20, 2009
« Beverly Hills Cops (and IT) | Main | Cloud Computing Thoughts from Catalyst09... »

As part of the BAE profiling and reference implementation, we have a full test & validation suite.  Our desire has always been to make the barrier to entry for anyone using the test suites to be the minimum it needs to be. As such we focused on creating our test suites using open source tooling so that we could provide a test suite project that an implementer could import into their open source testing tool, point it at their BAE implementation, run it, and get immediate feedback on whether or not their implementation was conformant to the profile.

To that end, we have been using the popular and free soapUI testing tool. Unfortunately, we are running into some limitations in the tool support for SAML 2.0. It would appear that the current soapUI implementation is using the OpenSAML 1.1 implementation and not the current OpenSAML 2.0 which supports SAML v2. In particular, this means that the following functionality that relates to the testing of SAML AttributeRequest/Response are not supported:

  • Ability to digitally sign and validate attribute requests and responses using the enveloped signature method
  • Ability to utilize the <saml:EncryptedID> as a means of carrying the encrypted name identifier
  • Ability to decrypt the <saml:EncryptedAssertion> element sent by the Attribute Authority which contains the encrypted contents of an assertion

This has required us to go thru some gyrations in how we are implementing the test suites, which is making the user experience not as smooth as we would like.

Ideally we would love to continue using soapUI going forward, but we are also on the lookout for other open source tooling that we could utilize for our testing. Suggestions and recommendations from folks who have experienced this issue and have found a resolution would be very much appreciated.

del.icio.us Tags: ,,,,

Technorati Tags: ,,,,
Tags:: Architecture | Security
6/20/2009 8:40 PM Eastern Daylight Time  |  Comments [2]  |  Disclaimer  |  Permalink   
Saturday, June 20, 2009 9:12:09 PM (Eastern Daylight Time, UTC-04:00)
Hi!

SAML 2.0 support is on its way into WSS4j which is the Apache library that soapUI uses for WS-Security and SAML support. As soon as it is released officially we will make this available.. sorry to keep you waiting..

Thanks for your support anyhow!

best regards,

/Ole
eviware.com
Sunday, June 21, 2009 11:22:28 AM (Eastern Daylight Time, UTC-04:00)
Ole -- Good news indeed! Looking forward to it. While I do understand that WSS4j will provide support for SAML assertions within the SOAP header via WS-Security, I hope that soapUI will also provide support at the SAML protocol/message level.

The particular use case we are dealing with is an attribute query & response bound to SOAP. Which requires enveloped digital signature support within the SOAP body, as well as support for encryption/decryption using the EncryptedID and EncryptedAssertion elements.
Anil John
Comments are closed.