How are you doing!
This question is more related to SAML implementation in OSB/SOA.
Here is my scenario
I have a Service Provider which is a simple HelloWorld Service. I've attached oracle/wss10_saml_token_service_policy to it. This is in SAMLServiceDomain
I have another domain SAMLClientDomain, in another machine in which I've created an OSB Service that just calls the Service in Domain 1.
I've applied oracle/wss10_saml_token_service_policy to the Proxy Service and oracle/wss10_saml_token_client_policy to the Business Service. I've created a csf-key(Credential key) which I've used while applying the policy to the Business Service.
When I invoked the Service through Proxy, supplying the csf-key, from OSB Console, it's invoking the actual service, and I got the response.
But I was not expecting this. I haven't established any trust between the two machines yet, but still its working! How?
My Understanding on how SAML works is like this.
The first application, to which credentials are provided, validates against its identity store, in this case SAMLClientDomain, and generates an assertion in which the subject is stored. Now this is sent to the service provider - here SAMLServiceDomain. Now, SAMLServiceDomain validates the SAML token by first checking if the party that sent the token is in its trust store (This is achieved by importing the client certificate to its keystore). Once the client is identified as a trusted party, the subject from the SAML assertion is taken, checked if that user is existing in its identity store, and then actually cater the service.
In this case, I haven't imported the certificate of the client in the server, so no trust established. Then how come its working?
Is my understanding wrong?
This blog(SAML with OWSM in OSB | Atheek&#039;s Blog) tells to establish trust using keystore/certificates.
Does this apply only when message encryption occurs, and in pure pass through, or simple policies like oracle/wss10_saml_token_service_policy, trust is not required?
I'm absolutely new to Security, would you please provide me your wisdom on this.