Tags: web-services, authentication, authorization, rampart, wso2-identity-server

WSO2 Identity Server Access Control based on SAML/XACML


I need to secure a SOAP web service (based on Axis2) with this configuration:

  1. Client tries to consume the service
  2. Client is redirected to an authentication server for authentication
  3. If the client authenticates properly, the Authentication Server gives the client a SAML token with his attributes (basically a role)
  4. There is an XACML policy (a client can use an operation provided by the web service only if it has a proper role) which is evaluated based on the role included in the SAML token.

So I have thought about using WSO2 Identity Server coupled with Rampart (I also need WS-Security for encryption and signature). Is it possible to do so? Can you suggest how?


Solution

  • You can either go with WSO2 IS STS (which is WS-*) or Web Browser SSO of SAML. Depending on the nature of your application (web browser based or not), you can pick any one of the above methods. You can get user roles from the SAML Response.

    However, if you are using XACML, you do not need to get the user roles over SAML. Simply create a policy in WSO2 IS (with the required role and other conditions). Then create a PEP module to validate service requests. WSO2 IS will get the username and read user roles from LDAP/userstore and do the validation.
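The PEP-side of the second approach, as an added example that is not part of the answer above: the PEP sends the PDP only the username, the service and the operation, and the PDP (WSO2 IS in the answer's setup) looks up the roles itself. The call to the real entitlement endpoint is abstracted behind a `pdp_call` callable, and `sample_pdp` with its `SAMPLE_ROLES` user store is a constructed stand-in so the code runs offline; the attribute identifiers are the standard XACML 3.0 ones.

```python
"""Minimal XACML 3.0 PEP helper for guarding a SOAP service operation (added example)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def _attr(parent, category, attr_id, value):
    attrs = ET.SubElement(parent, f"{{{XACML_NS}}}Attributes", Category=category)
    a = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
    ET.SubElement(a, f"{{{XACML_NS}}}AttributeValue", DataType=STRING).text = value

def build_request(username, service, operation):
    """Build the XACML request the PEP sends; no roles are sent, the PDP resolves them."""
    req = ET.Element(f"{{{XACML_NS}}}Request", CombinedDecision="false", ReturnPolicyIdList="false")
    _attr(req, SUBJECT_CAT, SUBJECT_ID, username)
    _attr(req, RESOURCE_CAT, RESOURCE_ID, service)
    _attr(req, ACTION_CAT, ACTION_ID, operation)
    return ET.tostring(req, encoding="unicode")

def parse_decision(response_xml):
    """Return the PDP's Decision text; a malformed or empty response counts as Deny."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return "Deny"
    node = root.find(f".//{{{XACML_NS}}}Decision")
    return node.text.strip() if node is not None and node.text else "Deny"

def is_permitted(username, service, operation, pdp_call):
    """PEP check: fail closed, only an explicit Permit lets the operation run."""
    return parse_decision(pdp_call(build_request(username, service, operation))) == "Permit"

# Constructed stand-in for the PDP: a fake user store plus one rule
# ("approve" on any service needs the manager role). Not WSO2 IS code.
SAMPLE_ROLES = {"alice": {"manager"}, "bob": {"employee"}}

def sample_pdp(request_xml):
    root = ET.fromstring(request_xml)
    values = {a.get("AttributeId"): a.find(f"{{{XACML_NS}}}AttributeValue").text
              for a in root.iter(f"{{{XACML_NS}}}Attribute")}
    allowed = values[ACTION_ID] == "approve" and "manager" in SAMPLE_ROLES.get(values[SUBJECT_ID], set())
    decision = "Permit" if allowed else "Deny"
    return f'<Response xmlns="{XACML_NS}"><Result><Decision>{decision}</Decision></Result></Response>'
```

In the real deployment `pdp_call` would post the request to the WSO2 IS entitlement endpoint over the signed and encrypted channel Rampart provides; the fail-closed handling in `parse_decision` is what keeps a transport or parsing error from turning into an allow.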