Creating a WS-Security SAML caller configuration

A WS-Security provider configuration that includes a caller for a SAML token can be configured with the <callerToken> element in the server.xml file.

Procedure

  1. Configure the WS-Security Security Assertion Markup Language (SAML) caller configuration in the server.xml file with the <callerToken> element. The following example shows a sample WS-Security provider configuration that includes a caller for a SAML token:
    <wsSecurityProvider ...>
      ...
      <callerToken name="SamlToken"  userIdentifier="userIdentifierString" groupIdentifier="groupIdentifierString" userUniqueIdentifier="uniqueIdentifierString" realmIdentifier="realmIdentifierString"
                   includeTokenInSubject="false" mapToUserRegistry="User" realmName="customRealmName" allowCustomCacheKey="false"/>
      ...
    </wsSecurityProvider>

    The only required attribute in this configuration is "name". By default, the authenticated subject is created from the information in the SAML assertion, and no local user registry is required to authenticate the caller. The sample above overrides that default with mapToUserRegistry="User", so the user named in the assertion must also exist in the configured user registry.

  2. Optional: You can configure the following optional attributes to control how the authenticated subject is created from the SAML assertion. The default values of these attributes are:
    includeTokenInSubject="true"
    mapToUserRegistry="No"
    allowCustomCacheKey="true"
    • When mapToUserRegistry is "No", the name of the SAML issuer is used as the realm, the NameID is used as both the principal name and the unique security name in the subject, and no group membership is included unless a groupIdentifier attribute is configured.
    • When mapToUserRegistry is "User", the SAML user is validated against your on-premises user registry, and the runtime then creates the subject (realm, unique security name, and group memberships) from the on-premises registry.
    • When mapToUserRegistry is "Group", the SAML groups are validated against your on-premises user registry, and the runtime then creates the subject with the validated groups only. This option is the same as mapToUserRegistry="No" except that group memberships are verified against the on-premises user registry.

    You can configure additional attributes such as userIdentifier, realmIdentifier, groupIdentifier, and userUniqueIdentifier to create an authenticated subject with a customized user name, realm name, group memberships, and unique security identifier. Each of these attributes names a SAML attribute in the assertion; when it is not set, the corresponding value comes from the NameID, the issuer, or the user registry as described for mapToUserRegistry.

    • userIdentifier: Use this attribute to select the SAML attribute whose value is used as the principal name.
    • groupIdentifier: Use this attribute to select the SAML attribute whose values are included as group memberships in the subject.
    • realmIdentifier: Use this attribute to select the SAML attribute whose value is used as the realm name.
    • userUniqueIdentifier: Use this attribute to select the SAML attribute whose value is used as the unique security name of the user in the subject.
    • realmName: Use this attribute to explicitly specify the realm name that identifies the SAML principal in the authenticated subject. The default realm name is the SAML issuer name.
  3. Optional: You can implement the Liberty SAML SPI com.ibm.wsspi.security.saml2.UserCredentialResolver in a user feature to map a SAML assertion to a Liberty subject dynamically, instead of relying on the static attribute mapping of the <callerToken> element.
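    The following server.xml puts steps 1 and 2 together in one runnable configuration. It is an added example, not configuration taken from this page or from Liberty's own samples: the feature names, the registry contents, the SAML attribute names (uid, memberOf) and the application name are assumptions, and the signature and trust configuration that a WS-Security provider also needs is omitted. It shows the registry-mapped form (mapToUserRegistry="User"), where authorization decisions come from the local registry, and, in a comment, the assertion-only form (mapToUserRegistry="No"), where the issuer becomes the realm and group membership comes straight from the assertion.

```xml
<server description="WS-Security SAML caller (added example, not from the page)">
    <featureManager>
        <!-- Assumed feature names for JAX-WS, WS-Security, its SAML token support,
             and application security (needed for the user registry and role mapping). -->
        <feature>jaxws-2.2</feature>
        <feature>wsSecurity-1.1</feature>
        <feature>wsSecuritySaml-1.1</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- Constructed on-premises registry. With mapToUserRegistry="User" the SAML user
         must exist here, and realm, unique ID and groups are taken from this registry,
         not from the assertion. A real server would use ldapRegistry instead. -->
    <basicRegistry id="basic" realm="OnPremRealm">
        <user name="alice" password="changeit" />
        <group name="claims-approvers">
            <member name="alice" />
        </group>
    </basicRegistry>

    <wsSecurityProvider>
        <!-- Registry-mapped caller: the "uid" SAML attribute (assumed IdP attribute name)
             supplies the principal name that is looked up in basicRegistry.
             includeTokenInSubject="false" keeps the raw assertion out of the subject. -->
        <callerToken name="SamlToken"
                     mapToUserRegistry="User"
                     userIdentifier="uid"
                     includeTokenInSubject="false" />

        <!-- Assertion-only alternative (the default mode). No registry lookup is made:
             the issuer is the realm, "uid" is the principal name, and the values of the
             assumed "memberOf" attribute become the subject's groups. Role bindings must
             then name the groups exactly as the identity provider asserts them.
        <callerToken name="SamlToken"
                     mapToUserRegistry="No"
                     userIdentifier="uid"
                     groupIdentifier="memberOf"
                     includeTokenInSubject="false" />
        -->
    </wsSecurityProvider>

    <!-- Assumed application. Because the caller is mapped to the registry, the
         "approver" role is granted through the registry group, so a group claim in
         the assertion alone does not grant the role. -->
    <application id="ClaimsService" location="ClaimsService.war" type="war">
        <application-bnd>
            <security-role name="approver">
                <group name="claims-approvers" />
            </security-role>
        </application-bnd>
    </application>
</server>
```

    Switching between the two <callerToken> variants changes where trust is anchored: in the registry-mapped form an assertion from a trusted issuer can only log in users the registry already knows, while in the assertion-only form the issuer fully defines the subject, so the issuer's signing key and the attribute names are the whole authorization boundary.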




Last updated: Monday, 5 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twlp_wssec_caller_saml_config
File name: twlp_wssec_caller_saml_config.html