SAML tokens are often used with XML and SOAP messages for identity-related functions. Typically an XML Gateway, such as Forum Sentry, or an application server, such as SAP Application Server, consumes or generates SAML tokens for authentication and authorization, or to carry attribute information from the sender. For testing SOA deployments that use SAML tokens, SOAPSonar from Crosscheck Networks provides everything required to dynamically construct and send SAML tokens within a web services invocation. The SAML token configuration screen supports both SAML 1.1 and SAML 2.0 and lets you set:
- Issuer
- Name Identifier (emailAddress, unspecified, entity, kerberos, persistent, transient, X509SubjectName)
- Confirmation Method (bearer, holder-of-key, sender-vouches)
- Statement Type (Authorization, Authentication, Attribute)
- Dynamic Time Stamps, Time-to-Live, Include Not-Before, Include Not-After
- Signatures
Issuing a valid SAML token requires time-related elements that must be generated dynamically for each request. Timestamps, TTL, Not-Before and Not-After elements and attributes give a SAML assertion a temporal validity window that the service endpoint (server or gateway) has to enforce correctly, and that enforcement should be tested thoroughly with a dynamic tool such as SOAPSonar. It is also recommended that the integrity of the SAML assertion be protected by a signature over the assertion. That signature has to be generated correctly by the client (SOAPSonar when testing) and verified correctly by the service endpoint.
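As an added example (not SOAPSonar's or any vendor's code), these are the endpoint-side checks the paragraph above asks for on a SAML 2.0 assertion: the expected Issuer, the NotBefore/NotOnOrAfter window with a small clock-skew allowance and a TTL ceiling, and that the enclosed XML Signature's Reference is bound to the assertion being validated. The assertion, issuer URL and ID are constructed; cryptographic verification of the signature is left to an XML-DSig library such as signxml and is not performed here.

```python
# Added example: endpoint-side checks on a SAML 2.0 assertion (stdlib only; no crypto verification).
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion (issuer, ID and subject are made up for this example).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1b2c3"/></ds:SignedInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    # SAML dateTime values are UTC with a trailing "Z"; normalise for fromisoformat on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, expected_issuer,
                       skew=timedelta(seconds=60), max_ttl=timedelta(minutes=10)):
    """Return the list of rejection reasons; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    reasons = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        reasons.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    if nb is None or na is None:
        reasons.append("missing NotBefore/NotOnOrAfter")  # otherwise valid forever: reject
    else:
        not_before, not_on_or_after = parse_instant(nb), parse_instant(na)
        if now + skew < not_before:
            reasons.append("assertion not yet valid")
        if now - skew >= not_on_or_after:
            reasons.append("assertion expired")
        if not_on_or_after - not_before > max_ttl:
            reasons.append("validity window exceeds maximum TTL")
    # The signature must reference this assertion's own ID, otherwise it covers something else.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        reasons.append("signature missing or not bound to this assertion")
    return reasons
```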
A trial enterprise version of SOAPSonar can be downloaded here.