Configuring policy sets and bindings to communicate with STS
Configure policy sets and binding documents to enable a web services client to request SAML assertions from an external Security Token Service (STS).
Before you begin
About this task
The procedure to configure application-specific bindings to access an STS is more involved. The administrative console is designed to manage policy set attachments to communicate with a web service provider. The console is not designed to manage a second set of policy set attachments to communicate to an STS. However, you can use the administrative console to manage a policy set attachment to access an STS, as described in the procedure.
Use the administrative console to attach the policy set that is used to access an STS to a web services client, and then create and modify an application-specific binding. When the binding configuration is complete, detach the policy set and binding from the web services client. This procedure is necessary because the next step is to attach the policy set and bindings to communicate to the target web services provider. Detached application-specific bindings are not deleted from the file system, so the web services client bindings custom properties can successfully refer to the detached application-specific bindings.
The procedure uses a default application policy set, Username WSHTTPS default, as an example to describe the configuration steps to access the STS. The steps can also be applied to other policy sets. The web services application, JaxWSServicesSamples, is used in the example. JaxWSServicesSamples is not installed by default.
Procedure
Results
- Attach a policy set and bindings that propagate SAML tokens. For example, attach the SAML11 Bearer WSHTTPS default policy set and the Saml Bearer Client sample general binding to the web service client.
- The Username WSHTTPS default policy set and an application-specific binding, SamlTCSample, are referenced in the Saml Bearer Client sample binding, and are set up to access the external STS.
- The external STS SSL certificate has been retrieved and added to the NodeDefaultTrustStore truststore.
- To confirm that you successfully enabled the function, you can
configure the trace setting, com.ibm.ws.wssecurity.*=all=enabled.
The trace shows that SAML assertions are issued by the external STS,
for example:
[8/23/09 18:26:59:252 CDT] 0000001f TrustSecurity 3 Security Token Service response: [8/23/09 18:26:59:392 CDT] 0000001f TrustSecurity 3 <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <s:Header> <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</a:Action> <a:RelatesTo>urn:uuid:663A7B27BA8EB2CF9D1251070029934</a:RelatesTo> <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1"> <u:Timestamp u:Id="_0"> <u:Created>2009-08-23T23:26:57.664Z</u:Created> <u:Expires>2009-08-23T23:31:57.664Z</u:Expires> </u:Timestamp> </o:Security> </s:Header> <s:Body> <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> <trust:RequestSecurityTokenResponse> <trust:Lifetime> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-08-23T23:26:57.648Z</wsu:Created> <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-08-24T09:26:57.648Z</wsu:Expires> </trust:Lifetime> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <a:EndpointReference> <a:Address>https://taishan.austin.ibm.com:9443/WSSampleSei/EchoService12</a:Address> </a:EndpointReference> </wsp:AppliesTo> <trust:RequestedSecurityToken> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_3c656382-9916-4e5f-9a16-fe0287dfc409" Issuer="http://svt193.svt193domain.com/Trust" IssueInstant="2009-08-23T23:26:57.663Z"> <saml:Conditions NotBefore="2009-08-23T23:26:57.648Z" NotOnOrAfter="2009-08-24T09:26:57.648Z"> <saml:AudienceRestrictionCondition> <saml:Audience>https://taishan.austin.ibm.com:9443/WSSampleSei/EchoService12</saml:Audience> </saml:AudienceRestrictionCondition> </saml:Conditions> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2009-08-23T23:26:57.640Z"> <saml:Subject> <saml:SubjectConfirmation> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_3c656382-9916-4e5f-9a16-fe0287dfc409"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>YGySZX4VPv25R+oyzFpE0/T/tjs=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>eP68...Vr08=</ds:SignatureValue> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate>MII...ymqg3</X509Certificate> </X509Data> </KeyInfo> </ds:Signature> </saml:Assertion> </trust:RequestedSecurityToken> <trust:RequestedAttachedReference> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3c656382-9916-4e5f-9a16-fe0287dfc409</o:KeyIdentifier> </o:SecurityTokenReference> </trust:RequestedAttachedReference> <trust:RequestedUnattachedReference> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3c656382-9916-4e5f-9a16-fe0287dfc409</o:KeyIdentifier> </o:SecurityTokenReference> </trust:RequestedUnattachedReference> <trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType> <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType> <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType> </trust:RequestSecurityTokenResponse> </trust:RequestSecurityTokenResponseCollection> </s:Body> </s:Envelope>