

Signing SAML tokens at the message level

Secure SAML tokens at the message level by enabling assertion signing. Before you configure signing for SAML tokens, configure SAML policy sets and bindings that create SAML tokens as authentication supporting tokens with message-level integrity protection; the procedure is described in the topic on securing messages using SAML. In addition, the attached SAML bindings must be application-specific bindings, not general bindings: the transform algorithm used for signing SAML assertions (STR-Transform) differs from the transform used for the other signed parts, and general bindings apply only one transform algorithm to all signed parts.

This task describes how to digitally sign a SAML token. It does not address the SAML Token Profile OASIS standard requirements for which message parts must be signed when SAML sender-vouches or SAML bearer tokens are used. To sign a SAML assertion, the SOAP message must include a <wsse:SecurityTokenReference> element in the <wsse:Security> header block. The message signature references this SecurityTokenReference (STR) with a <ds:Reference> element. The STR must contain a <wsse:KeyIdentifier> element whose ValueType is http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID or http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID and whose value is the identifier of the referenced assertion. The <ds:Reference> element must include a transform whose Algorithm URI is http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform. STR-Transform dereferences the STR before the digest is computed, so the signature covers the SAML assertion itself and not only the <wsse:SecurityTokenReference> element; if the transform is omitted, the digest covers only the reference element and the assertion content it points to is not integrity-protected.

Follow these configuration steps to enable signing SAML tokens at the message level.


Procedure

  1. Configure the message parts.

    1. From the admin console, edit the SAML policy set, then click WS-Security > Main policy > Request message part protection.

    2. Under Integrity protection, click Add.

    3. Enter a part name for Name of part to be signed; for example, saml_part.

    4. Under Elements in Part, click Add.

    5. Select XPath Expression.

    6. Add two XPath expressions.
      /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
      and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
      and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
      and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
      and local-name()='SecurityTokenReference']
      
      /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
      and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
      and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
      and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
      and local-name()='SecurityTokenReference']
      

    7. Click Apply and Save.

    8. If an application has never been started using this policy, no further action is required. Otherwise, either restart the application server or follow the instructions in the Refresh policy set configuration article, for the application server to reload the policy set.

  2. Configure protection and signing for the client.

    1. From the Service client policy sets and bindings panel, click WS-Security > Authentication and protection.

    2. Under Request message signature and encryption protection, select a configured resource. The signature of the resource you select includes the SAML token.

      1. From the Available list under Message part reference, select the name of the part to be signed, as created in step 1; for example, saml_part.

      2. Click Add.

      3. In the Assigned list under Message part reference, highlight the name of the part you added; for example, saml_part.

      4. Click Edit.

      5. For the Transform algorithms setting, click New.

      6. Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.

      7. Click Apply.

    3. Under Authentication tokens, select and edit the SAML token to sign.

      1. Under Custom property, click New.

      2. Enter signToken as the custom property name.

        The custom property is added at the token generator level, although it only applies to the SAML custom token. The property does not apply to other token types.

      3. Enter true as the value of the custom property.

      4. Click Apply.

    4. Restart the application.

  3. Configure protection and signing for the service provider.

    1. From the Service provider policy sets and bindings panel, click WS-Security > Authentication and protection.

    2. Under Request message signature and encryption protection, select a configured resource. The signature of the resource you select includes the SAML token.

      1. From the Available list under Message part reference, select the name of the part to be signed, as created in step 1; for example, saml_part.

      2. Click Add.

      3. In the Assigned list under Message part reference, highlight the name of the part you added; for example, saml_part.

      4. Click Edit.

      5. For the Transform algorithms setting, click New.

      6. Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.

      7. Click Apply.

    3. Restart the application.
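As an added example (this script is not from the page and is not WebSphere product code), the following Python checks a SOAP request for the structure the introduction describes: the STR must sit under Envelope/Header/Security (the same walk that the two XPath expressions in step 1 encode, accepting either the SOAP 1.1 or the SOAP 1.2 envelope namespace), its wsse:KeyIdentifier must carry a SAML token profile ValueType that names an assertion actually present in the header, and the ds:Reference that covers the STR must list STR-Transform. The sample request, its assertion ID and its digest and signature values are constructed placeholders, and the check is structural only: it does not verify the XML signature.

```python
# Added example, not from the IBM page or product: a structural check that a
# SOAP request carries a signed SAML assertion the way the text describes.
# The sample message, assertion ID and digest/signature values are constructed
# placeholders; no XML signature is actually verified here.
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SAML_VALUE_TYPES = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID",
}


def build_request(soap_ns=SOAP11, str_transform=STR_TRANSFORM, assertion_id="_a75adf55"):
    """Constructed sample: a SAML 2.0 assertion in wsse:Security, an STR that names
    it by SAMLID, and a signature whose ds:Reference covers the STR (wsu:Id str-1)."""
    params = ""
    if str_transform == STR_TRANSFORM:  # STR-Transform carries its own c14n method
        params = (f"<wsse:TransformationParameters><ds:CanonicalizationMethod "
                  f'Algorithm="{EXC_C14N}"/></wsse:TransformationParameters>')
    return f"""<s:Envelope xmlns:s="{soap_ns}">
  <s:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <saml2:Assertion xmlns:saml2="{SAML2}" ID="{assertion_id}" Version="2.0"
          IssueInstant="2024-01-01T00:00:00Z">
        <saml2:Issuer>https://idp.example.test</saml2:Issuer>
      </saml2:Assertion>
      <wsse:SecurityTokenReference wsu:Id="str-1">
        <wsse:KeyIdentifier
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
            >{assertion_id}</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature xmlns:ds="{DS}">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#str-1">
            <ds:Transforms><ds:Transform Algorithm="{str_transform}">{params}</ds:Transform></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


def security_token_references(root):
    """The walk the two XPath expressions in step 1 express: Envelope/Header/
    Security/SecurityTokenReference matched by namespace URI and local name,
    accepting either the SOAP 1.1 or the SOAP 1.2 envelope namespace."""
    found = []
    for soap_ns in (SOAP11, SOAP12):
        if root.tag != f"{{{soap_ns}}}Envelope":
            continue
        for header in root.findall(f"{{{soap_ns}}}Header"):
            for sec in header.findall(f"{{{WSSE}}}Security"):
                found.extend(sec.findall(f"{{{WSSE}}}SecurityTokenReference"))
    return found


def check_signed_saml(xml_text):
    """Return a list of structural problems; an empty list means the message has
    the STR-signing shape. Digests and the signature value are NOT verified."""
    root = ET.fromstring(xml_text)
    strs = security_token_references(root)
    if not strs:
        return ["no wsse:SecurityTokenReference under Envelope/Header/Security"]
    # IDs of assertions carried in the header (SAML 2.0 uses ID, SAML 1.x AssertionID)
    ids = set()
    for sec in root.iter(f"{{{WSSE}}}Security"):
        ids.update(a.get("ID") for a in sec.findall(f"{{{SAML2}}}Assertion"))
        ids.update(a.get("AssertionID") for a in sec.findall(f"{{{SAML1}}}Assertion"))
    # Transform algorithms of every ds:Reference, keyed by the fragment it points at
    ref_transforms = {
        ref.get("URI", "").lstrip("#"): [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        for ref in root.iter(f"{{{DS}}}Reference")
    }
    problems = []
    for s in strs:
        kid = s.find(f"{{{WSSE}}}KeyIdentifier")
        if kid is None:
            problems.append("STR has no wsse:KeyIdentifier")
            continue
        if kid.get("ValueType") not in SAML_VALUE_TYPES:
            problems.append(f"KeyIdentifier ValueType is not a SAML token profile value: {kid.get('ValueType')}")
        if (kid.text or "").strip() not in ids:
            problems.append("KeyIdentifier does not name an assertion present in the header")
        transforms = ref_transforms.get(s.get(f"{{{WSU}}}Id"))
        if transforms is None:
            problems.append("STR is not covered by any ds:Reference, so the assertion is unsigned")
        elif STR_TRANSFORM not in transforms:
            problems.append("ds:Reference to the STR lacks STR-Transform: only the STR element, not the assertion, is digested")
    return problems


if __name__ == "__main__":
    print("correct shape:", check_signed_saml(build_request()))
    print("missing STR-Transform:", check_signed_saml(build_request(str_transform=EXC_C14N)))
```

Calling build_request() with its defaults produces the shape the configuration above yields; passing str_transform=EXC_C14N produces the weak variant in which the ds:Reference digests only the <wsse:SecurityTokenReference> element, which the check reports. A real deployment still needs the signature verified by the WS-Security runtime; this script only confirms that the right things are referenced.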


Secure messages using SAML
Configure client and provider bindings for the SAML sender-vouches token
Configure client and provider bindings for the SAML bearer token
Refresh policy set configuration
