- A thick client running on a smartphone does some sort of handshake with one web server to authenticate the user.
- Once the user is authenticated, that server issues the client a SAML assertion for that user.
- The client then uses the SAML assertion to authenticate to a different server and sends REST-style requests to invoke services on that server.
1. Send the SAML assertion to the server once and swap it for a cookie. The server validates the assertion a single time (signature, validity window, audience) and hands back a session cookie whose lifetime should not exceed the assertion's own; from then on your deployment is nothing more than a standard web SSO situation and your application doesn't need to worry about the SAML bits at all.
2. Send the SAML assertion in every request as part of the POST data. This places the responsibility for parsing and validating the assertion on every request into your application logic, or into something in front of it that can see and handle the HTTP POST body.
3. Send the SAML assertion in every request as an HTTP header. This is a slight variant of #2 that is closer to SOAP's WS-Security model, where the authentication information is separated from the actual input/output parameters of the call. Since the assertion is XML, it has to be base64-encoded (or otherwise made header-safe) to travel this way, and it still has to be validated on every request.
The WebLogic documentation describes the Subject caching that the SSPI framework does around identity assertion:

> When using an Identity Assertion provider (either for an X.509 certificate or some other type of token), Subjects are cached within the server. This greatly enhances performance for servlets and EJB methods with `<run-as>` tags as well as for other places where identity assertion is used but not cached (for example, signing and encrypting XML documents). There might be some cases where this caching violates the desired semantics.

And the command line reference fills in some more details:

> The assertIdentity() method of an Identity Assertion provider is called every time identity assertion occurs, but the LoginModules may not be called if the Subject is cached. The -Dweblogic.security.identityAssertionTTL flag can be used to affect this behavior (for example, to modify the default TTL of 5 minutes or to disable the cache by setting the flag to -1).
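As an added example (not code from the original post, and not WebLogic's own code), the following Python sketches a relying server that accepts the assertion over the three transports listed above, caches the resulting Subject with the TTL semantics the documentation just quoted describes, and makes the "violates the desired semantics" case concrete: an account disabled between two requests is still served from the cache until the TTL runs out. The header, form-field and cookie names (`X-SAML-Assertion`, `SAMLAssertion`, `SESSION`), the sample assertion and the `user_enabled` callback standing in for the LoginModules are all assumptions made for this example. Verifying the assertion's XML signature is left to the SAML stack in front of `parse_assertion()`; the example checks only the validity window, the AudienceRestriction and the NameID.

```python
# Added example: relying server for the three assertion transports plus a
# Subject cache with identityAssertionTTL semantics. Not WebLogic code.
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

class AssertionRejected(Exception):
    pass

def _utc(stamp: str) -> float:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def parse_assertion(xml_bytes: bytes, audience: str, now: float):
    """Return (ID, NameID, NotOnOrAfter) after checking validity window and audience.
    Assumes the XML signature was already verified by the SAML stack (not done here)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML}}}Assertion" or not root.get("ID"):
        raise AssertionRejected("not a SAML 2.0 Assertion with an ID")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise AssertionRejected("missing Conditions or validity window")
    not_on_or_after = _utc(cond.get("NotOnOrAfter"))
    if not _utc(cond.get("NotBefore")) <= now < not_on_or_after:
        raise AssertionRejected("outside validity window")
    audiences = [a.text for a in cond.iterfind(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if audience not in audiences:
        raise AssertionRejected("audience mismatch")
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        raise AssertionRejected("missing NameID")
    return root.get("ID"), name_id, not_on_or_after

class RelyingServer:
    """ttl mirrors -Dweblogic.security.identityAssertionTTL: seconds a Subject stays
    cached (default 300); -1 disables the cache so the LoginModules run every time."""

    def __init__(self, audience: str, ttl: int = 300, user_enabled=lambda user: True):
        self.audience, self.ttl = audience, ttl
        self.user_enabled = user_enabled   # stands in for the LoginModules (assumption)
        self.subject_cache = {}            # assertion ID -> (user, cache expiry)
        self.sessions = {}                 # cookie value -> (user, expiry)
        self.login_module_calls = 0

    def assert_identity(self, assertion: bytes, now: float):
        # assertIdentity() runs every time: window, audience and NameID are always checked
        aid, user, not_on_or_after = parse_assertion(assertion, self.audience, now)
        hit = self.subject_cache.get(aid)
        if self.ttl != -1 and hit and now < hit[1]:
            return hit[0], not_on_or_after   # cached Subject: LoginModules skipped
        self.login_module_calls += 1         # cache miss (or ttl == -1): LoginModules run
        if not self.user_enabled(user):
            raise AssertionRejected(f"{user} is disabled")
        if self.ttl != -1:                   # never cache past the assertion's own expiry
            self.subject_cache[aid] = (user, min(now + self.ttl, not_on_or_after))
        return user, not_on_or_after

    def swap_for_cookie(self, assertion: bytes, now: float) -> str:
        """Option 1: validate once, hand back an opaque session cookie."""
        user, expiry = self.assert_identity(assertion, now)
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, expiry)   # session life bounded by the assertion
        return cookie

    def request(self, headers: dict, form: dict, cookies: dict, now: float) -> str:
        """Identify the caller by session cookie (1), POST field (2) or header (3)."""
        session = self.sessions.get(cookies.get("SESSION", ""))
        if session and now < session[1]:
            return session[0]
        raw = form.get("SAMLAssertion") or headers.get("X-SAML-Assertion")
        if raw is None:
            raise AssertionRejected("no credential presented")
        # assertion XML is not header-safe, so both transports carry it base64-encoded
        return self.assert_identity(base64.b64decode(raw), now)[0]

# Constructed sample assertion (unsigned; signature verification is out of scope here).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://api.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".encode()
T0 = _utc("2024-01-01T12:00:00Z")

def demo(ttl: int, disable_after_first: bool):
    """Present the same assertion twice by header, 60 s apart, optionally disabling the
    account in between. Returns (LoginModule invocations, outcome of the 2nd request)."""
    enabled = {"alice": True}
    server = RelyingServer("https://api.example.test", ttl, lambda user: enabled[user])
    hdr = {"X-SAML-Assertion": base64.b64encode(SAMPLE).decode()}
    server.request(hdr, {}, {}, T0 + 1)
    enabled["alice"] = not disable_after_first
    try:
        second = server.request(hdr, {}, {}, T0 + 61)
    except AssertionRejected as exc:
        second = f"rejected: {exc}"
    return server.login_module_calls, second
```

`demo(300, False)` and `demo(-1, False)` show one versus two LoginModule invocations for the same assertion presented twice; `demo(300, True)` shows the revocation lag the documentation warns about (the disabled account is still served from the cache), which is exactly the case where you would lower the TTL or set it to -1 and pay for the extra LoginModule calls.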
Wrapping it all up

- SAML is cool
- smart devices are pretty cool, but they lack a SOAP stack
- WebLogic's SSPI framework is cool
- the WebLogic engineering team thought of darn near everything