2 questions about SOA security

  I am thinking about a few questions recently.

maybe those questions are common questions when implementing SOA security.

Q1: how to implement an SSO(browser based) solution for heterogeneous web servers?

WebLogic v9 and v10 support SAML, and according to v10 document, WebLogic v10 supports SSO with Mircosoft client and HTTP client. I have not tested yet. I just think if the user's server is tomcat or jboss or websphere or what ever.

There are some solutions, but they are complex.

I decide to try to design a simple solution for browser based SSO, using open source.

maybe this will cost me one or two months.

Q2: how to implement web services SSO?

For a typical SOA environment, a user will face many web services distributed in many systems. if user zhangsan login into system a, he wants to call the workflow service in system b and then he wants to call the hr service in system c. In this scenario  each service checks user identity. So how system a passes user zhangsan identity to system b and c.

SAML 2.0 provides a solution for non-browser client SSO, but I haven't seen an implementation.

I will try to work out this question in few months.