WS-Trust and SAML and OAuth, oh my!

Hi, developers – I'm Pat Patterson. I joined Dave, Quinton and the rest of the Platform Developer Evangelism team here at a little over two weeks ago and, since this is my first entry here at the blog, I thought I'd take a few paragraphs to introduce myself…

I describe myself as the 'articulate techie' – one day I'll be hacking Linux kernel driver code, another I'll be presenting a conference session to a thousand or so developers, all the while blogging and tweeting the latest news. Here I'll be blogging all things related to the platform; I also have a personal blog, Superpatterns, where I cover a much wider range of topics. If Twitter is your thing, I'm @metadaddy.

I've been working with Java since the late '90s, when I was at a small startup in London, England. That startup was acquired by Sun Microsystems in 2000, and I spent ten years at Sun in a variety of roles, most notably community lead for OpenSSO – an open source project based on Sun's web access management product.

With the Oracle acquisition looming, I moved to Huawei, a major supplier of equipment to the telco industry – everything from handsets to the big switch that routes calls for tens of millions of subscribers – to work on cloud storage infrastructure. Fascinating stuff, but very much heads down engineering, without much of an opportunity to interact with a wider community.

Now I'm here at as a developer evangelist, gearing up for my first Dreamforce and the very first Cloudstock!

So, back to the purpose of this post – earlier this week, I spent a couple of days at the Internet Identity Workshop, a biannual 'unconference' that hosts a loose, industry-wide community working in digital identity. One of the highlights of the workshop was the collection of demos, showing products and proofs of concept at the very bleeding edge of the field, including an integration of a mobile client app with, demonstrated by Brian Campbell, Principal Software Architect with Ping Identity.

We've shown this kind of use case before, most recently in the REST API Developer Preview Webinar, but this demo had a twist – the username and password were verified not by, but by PingFederate in the user's own enterprise. The flow goes like this:

IIW Demo Diagram

  1. Mobile app accepts the username and password, and submits them to PingFederate in a WS-Trust request.
  2. PingFederate validates the user credentials, creates a SAML assertion and submits that to in an OAuth 2.0 request.
  3. validates the SAML assertion and responds to PingFederate with an OAuth access token.
  4. PingFederate in turn replies to the Android app with a WS-Trust response containing the access token.
  5. The Android app uses the access token to invoke the REST API.
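To make the five steps concrete, here is an added, self-contained simulation of the exchange: the mobile app's WS-Trust request, the STS minting a SAML bearer assertion and posting it to the OAuth 2.0 token endpoint, the token endpoint's validation, the WS-Trust response carrying the access token, and the final REST call. This is example code written for this post, not PingFederate's or the platform's own implementation; every endpoint, key and credential in it is constructed, and an HMAC stands in for the XML Signature a real assertion would carry. The part worth studying is `as_token_endpoint`: a bearer assertion is only safe to honour after its signature, issuer, audience, validity window and single-use ID have all been checked.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed identifiers for this example; none of these are real endpoints or keys.
IDP_ISSUER = "https://sts.enterprise.example"   # the enterprise STS (PingFederate's role)
AS_AUDIENCE = "https://login.cloud.example"     # the OAuth 2.0 token endpoint the assertion is for
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SIGNING_KEY = b"constructed-shared-key"          # stand-in for the IdP signing key the AS trusts
USER_STORE = {"alice": "correct horse battery"}  # constructed enterprise credentials

def _sign(claims):
    """Stand-in for an XML Signature over the assertion: HMAC over canonical JSON."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def _verify(signed):
    """Check the signature before trusting a single claim; raises ValueError on failure."""
    body, mac = signed.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad assertion signature")
    return json.loads(base64.urlsafe_b64decode(body))

# --- Enterprise side: the STS (steps 1, 2 and 4) ----------------------------
def sts_issue_assertion(subject, now=None, lifetime=300, audience=AS_AUDIENCE):
    """Mint a short-lived, audience-restricted bearer assertion for one user."""
    now = time.time() if now is None else now
    return _sign({"ID": "_" + secrets.token_hex(8), "Issuer": IDP_ISSUER,
                  "Subject": subject, "Audience": audience,
                  "NotBefore": now - 30,            # small clock-skew allowance
                  "NotOnOrAfter": now + lifetime})

def saml_bearer_request(assertion):
    """Form body of the OAuth 2.0 token request the STS sends (step 2)."""
    return urlencode({"grant_type": SAML2_BEARER,
                      "assertion": base64.urlsafe_b64encode(assertion.encode()).decode()})

def sts_handle_rst(rst, now=None):
    """WS-Trust RST in (step 1), RSTR carrying the access token out (step 4)."""
    ut = rst["UsernameToken"]
    stored = USER_STORE.get(ut["Username"])
    if stored is None or not hmac.compare_digest(stored.encode(), ut["Password"].encode()):
        return {"Fault": "FailedAuthentication"}
    token_response = as_token_endpoint(
        saml_bearer_request(sts_issue_assertion(ut["Username"], now=now)), now=now)
    if "error" in token_response:
        return {"Fault": token_response["error"]}
    return {"RequestedSecurityToken": token_response["access_token"]}

# --- Cloud side: token endpoint (step 3) and REST API (step 5) ---------------
SEEN_ASSERTION_IDS = set()   # bearer assertions are single-use
ACCESS_TOKENS = {}

def as_token_endpoint(form_body, now=None):
    """The checks the token endpoint must pass before honouring a SAML bearer assertion."""
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") != SAML2_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = _verify(base64.urlsafe_b64decode(params["assertion"]).decode())
    except (KeyError, ValueError):                          # missing, undecodable or unsigned
        return {"error": "invalid_grant"}
    if claims["Issuer"] != IDP_ISSUER:                      # only the registered enterprise IdP
        return {"error": "invalid_grant"}
    if claims["Audience"] != AS_AUDIENCE:                   # minted for us, not another service
        return {"error": "invalid_grant"}
    if not claims["NotBefore"] <= now < claims["NotOnOrAfter"]:   # validity window
        return {"error": "invalid_grant"}
    if claims["ID"] in SEEN_ASSERTION_IDS:                  # replay of an already-used assertion
        return {"error": "invalid_grant"}
    SEEN_ASSERTION_IDS.add(claims["ID"])
    token = secrets.token_urlsafe(24)
    ACCESS_TOKENS[token] = {"sub": claims["Subject"], "exp": now + 3600}
    return {"access_token": token, "token_type": "Bearer"}

def api_whoami(authorization_header, now=None):
    """REST resource: accept only a live bearer token issued above."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    entry = ACCESS_TOKENS.get(token)
    if scheme != "Bearer" or entry is None or entry["exp"] <= now:
        return {"status": 401}
    return {"status": 200, "user": entry["sub"]}

def run_flow(username, password, now=None):
    """Steps 1 to 5 end to end, from the mobile app's point of view."""
    rst = {"RequestType": "Issue", "UsernameToken": {"Username": username, "Password": password}}
    rstr = sts_handle_rst(rst, now=now)
    if "Fault" in rstr:
        return rstr
    return api_whoami("Bearer " + rstr["RequestedSecurityToken"], now=now)

if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery"))   # {'status': 200, 'user': 'alice'}
    print(run_flow("alice", "wrong password"))           # {'Fault': 'FailedAuthentication'}
```

Two design points carry over to a real deployment. The user's password never leaves the enterprise: only the STS sees it, and what crosses to the cloud side is an assertion scoped to one subject, one audience and a few minutes of validity. And because PingFederate is the OAuth client here rather than the phone, the token endpoint's issuer and audience checks are what confine that trust to the one STS the enterprise registered.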

A great example of leveraging the available protocols to create a smooth user experience! Chuck Mortimore,'s Director of Product Management for Identity and Security, will be presenting Single Sign-On and Federation with Salesforce at Dreamforce, focusing on our recent work in this area, including a demo that goes one step further than the above in providing a completely seamless user experience. Chuck's session is currently scheduled for Tuesday, December 7th at 5:15 PM – be there, or miss out!

  • Anonymous

    OK, I’m a bit late 🙂 but… Message #2 should use some client credentials. This means that you will have no more than one client per enterprise. Is this the desired configuration?

    • Hi Luk – better late than never! 😉 The request in message #2 contains a signed SAML assertion that specifies a user in its attributes. The response is an OAuth token allowing the app to submit requests on behalf of that particular user. This exchange can happen for as many users as are in the enterprise. Does this make sense? More on SAML Assertion -> OAuth token at

      • Anonymous

        Thanks for the reply! But I’m still not comfortable with this yet. Per the OAuth spec, the issued access token will allow the client to act on the user’s behalf, but the client here (w.r.t. the SF login server) is “PingFederate” and not the mobile app as might be expected. Of course, the access token is a bearer token. But (besides it being a bad practice to use others’ tokens) this means that for all your different mobile apps you’ll have a single client per enterprise. This one: makes more sense

        • I take your point about the use of tokens, but PingFederate is in a trusted position here: it’s the STS for the enterprise, and it’s essentially proxying between a protocol that the client knows (WS-Trust) and a protocol that Salesforce knows (OAuth 2.0 SAML Assertion profile). I’ll go read that MSFT article and see how that use case maps to this one…

          • Chuck Mortimore

            It’s also important to note that we’ve since introduced the capability to do this on a per-application basis for the Org, so it would be possible to have multiple clients.

          • Anonymous

            So does it now violate the OAuth 2 spec? 🙂 Could you please post the link to this?

  • Nitin Gupta

    Hi Pat,

    I am working on a project and am stuck somewhere. I think you are the right person who can give me an answer. Please see my points:

    – I have an Oracle WebCenter (OWC) UI as the partner-facing UI
    – All partner data is managed and stored in SFDC
    – There is an LDAP system which is used for the SSO implementation
    – OWC has SAML-based SSO implemented and the partner provides a user ID and password once
    – Partners are redirected to the SFDC Partner Portal also

    – Now, we have a requirement where SFDC is exposing a few web services (SOAP) to OWC
    – I am stuck because to communicate between OWC and SFDC over web services we need a valid SFDC session
    – As SSO is implemented, I don’t have the partner’s password.
    – Please help me in understanding the same. How could I make this communication?
    – If I use OAuth 2.0 and 50 different partners log in, then in their updated records what value would be mentioned in the Last Modified By field?
    – Please suggest: should I use PingFederate? Does this work with SOAP-based communications? Also, I have an SLA of 3 seconds for loading the OWC page.

    Please suggest me.

    Nitin Gupta