I would like to start this discussion thread for this important functionality.
A request is sent to the PicketLink STS to issue a SAMLv2 token. The ws-trust request includes a binary token. The STS will take the binary token and reissue a SAMLv2 token.
The primary use case I am thinking about is the SPNego binary header. This will be passed from the JBoss Negotiation interception in the web layer to the STS (via the PL Trust login module). Once the PL STS gets the binary token for SPNego, it works with the Active Directory/Kerberos Domain Controller to get the user details (name, attributes etc.). After the user details are gathered, the STS can issue a SAMLv2 assertion.
For the Kerberos/SPNego use case, the setup will be as follows:
1) The web app is guarded by JBoss Negotiation.
2) The Login Module will be JBWSTokenIssuingLoginModule. It needs to have an option, handlerChain=binary. This installs the BinaryTokenHandler that can be set to pick an HTTP header/cookie to send a WS request to the STS. Also, the valueType etc. can be set on the WS binary request.
3) The STS receives the WS-Trust issue request. If there is a wsse binary token available, look at the value type. If it is Kerberos, then do the GSS magic to get the user details and issue a SAMLv2 assertion.
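To make step 3 concrete, here is an added Java sketch of the STS-side check (example code written for this thread, not PicketLink's own implementation). It assumes the BinaryTokenHandler sets the WS-Security Kerberos Token Profile 1.1 ValueType for a GSS-wrapped AP-REQ, and that the STS runs under a JAAS Subject holding the service's keytab credentials so the default GSS acceptor can validate the ticket.

```java
import java.io.StringReader;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.ietf.jgss.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class KerberosBinaryTokenCheck {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // ValueType from the WS-Security Kerberos Token Profile 1.1 (assumed to be what the handler sets)
    static final String KERBEROS_GSS_APREQ =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";

    /** Returns the decoded Kerberos token if the RST carries one, or null so other handlers can run. */
    static byte[] extractKerberosToken(String rstXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // the RST comes from the network: refuse DOCTYPE so entity expansion/XXE cannot be triggered
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(rstXml)));
        NodeList tokens = doc.getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken");
        for (int i = 0; i < tokens.getLength(); i++) {
            Element bst = (Element) tokens.item(i);
            if (KERBEROS_GSS_APREQ.equals(bst.getAttribute("ValueType"))) {
                return Base64.getMimeDecoder().decode(bst.getTextContent().trim());
            }
        }
        return null; // no Kerberos token: not our case
    }

    /** Accepts the token as the service and returns the authenticated client principal. */
    static String acceptKerberosToken(byte[] token) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        // null credential: acceptor credentials are taken from the current JAAS Subject (keytab)
        GSSContext ctx = mgr.createContext((GSSCredential) null);
        try {
            // verifies the service ticket and authenticator against the keytab; no KDC round trip needed
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN); // multi-leg exchange not expected here
            }
            // e.g. "alice@EXAMPLE.COM": this is the subject the SAMLv2 assertion is issued for
            return ctx.getSrcName().toString();
        } finally {
            ctx.dispose();
        }
    }
}
```

The principal name returned by acceptKerberosToken is what the STS would then look up in Active Directory for attributes before building the assertion.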