SAMLToken with X509Token symmetric for message protection

A SAML token is used for authentication. The SAML token in the request and the SOAP body in the request and response are signed and encrypted with X509Token symmetric message protection. There is also a message timestamp.

With X509Token symmetric protection, an ephemeral key is created to sign and encrypt the message. The ephemeral key is encrypted by using the receiver's public certificate.

In the following sample, the token reference is using a RequireThumbprintReference. You can change the policy to use a RequireIssuerSerialReference or RequireKeyIdentifierReference. You can also modify this policy to use derived keys from an ephemeral key to secure the message exchange by adding a <sp:RequireDerivedKeys /> assertion. This policy template is best used if the client can only use a SAML token to authenticate itself, and if the message exchange must be signed and encrypted.

The following policy shows a SAML token for authentication and X509Token symmetric for message protection:
<wsp:Policy wsu:Id="X509SymmetricForMessageAndSamlForClient">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedEncryptedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:SamlToken
                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV20Token11/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SignedEncryptedSupportingTokens>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireThumbprintReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
          <sp:EncryptSignature />
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefThumbprint />
          <sp:MustSupportRefEncryptedKey />
          <sp:RequireSignatureConfirmation />
        </wsp:Policy>
      </sp:Wss11>
      <sp:SignedParts>
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Icono que indica el tipo de tema Tema de concepto



Icono de indicación de fecha y hora Última actualización: Tuesday, 6 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=cwlp_wssec_templates_scenario11
Nombre de archivo:cwlp_wssec_templates_scenario11.html