Monday, July 06, 2009

How-to test SAML tokens

SAML tokens are often used with XML and SOAP messages for identity-related functions. Typically an XML Gateway, such as Forum Sentry, or an application server, such as SAP Application Server, consumes or generates SAML artifacts for authentication and authorization, or for carrying attribute information from the sender.

For testing SOA deployments that use SAML tokens, SOAPSonar from Crosscheck Networks provides what is needed to dynamically construct and send SAML tokens within a web services invocation. The SAML token configuration screen, which supports both SAML 1.1 and SAML 2.0, lets you set:
  1. Issuer

  2. Name Identifier (emailAddress, unspecified, entity, kerberos, persistent, transient, X509SubjectName)

  3. Confirmation Method (bearer, holder-of-key, sender-vouches)

  4. Statement Type (Authorization, Authentication, Attribute)

  5. Dynamic Time Stamps, Time-to-Live, Include Not-Before, Include Not-After

  6. Signatures

Issuing a valid SAML token requires time-related elements that have to be dynamically generated for each request. Timestamps, TTL, Not-Before and Not-After elements and attributes give SAML assertions a temporal validity window that has to be properly enforced by the service endpoint (server or gateway), and that enforcement has to be fully tested using dynamic tools such as SOAPSonar. It is also recommended that the integrity of the SAML assertion be maintained through a signature on the assertion. This signature has to be properly generated by the client (SOAPSonar for testing) and properly verified by the service endpoint.

A trial enterprise version of SOAPSonar can be downloaded here.
