SOAP 1.2 and SAML 2.0 Compatibility

Question

We are currently designing the security of a system and planning to use claims based authorisation.

According to this wikipedia article, the SOAP binding is "SAML SOAP Binding (based on SOAP 1.1)"

In our solution we have Java, WCF and ASMX web services, some SOAP 1.1 and some 1.2.

Question is will sending a SAML 2.0 token across the various versions of SOAP and different technologies work? Does SAML require that we use SOAP 1.1?

Answer 1

Yes - The SAML SOAP binding (at least for Web SSO Profile) requires SOAP 1.1 for conformance. Section 3.2.2 "Protocol-Independent Aspects of the SAML SOAP Binding" of the SAML 2.0 Bindings doc notes: "Note this binding only supports the use of SOAP 1.1."

While you can try using newer versions of SOAP, there is no guarantee that you'll be interoperable with other 3rd Party implementations.

--Ian

Answer 2

What is the use case you are going to implement..? In most of the cases you can avoid "SAML SOAP Binding" and use WS-Trust with SAML Token Profile 1.1 - which supports claim based authorization - it does not depend on SOAP version...