[Fix Pack 9 or later]

Signing SAML tokens at the message level

Secure SAML tokens at the message level by enabling assertion signing.

Before you begin

Before configuring signing for SAML tokens, you must configure SAML policy sets and bindings to create SAML tokens as authentication supporting tokens, with message level integrity protection. For more information, read about securing messages using SAML. In addition, the attached SAML bindings must be application-specific bindings, not general bindings: signing a SAML assertion requires a different transform algorithm from the other signed parts, but general bindings support only one transform algorithm for all signed parts.

About this task

To sign SAML assertions, a SOAP message must include a <wsse:SecurityTokenReference> element in the <wsse:Security> header block. The SecurityTokenReference (STR) is referenced by the message signature using a <ds:Reference> element. The security token reference must include a <wsse:KeyIdentifier> element whose ValueType is either http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID or http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID, and whose value is the identifier of the referenced assertion. The <ds:Reference> element must include the URI of the STR-transform algorithm, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform. Using STR-transform ensures that the SAML assertion itself is signed, not only the <wsse:SecurityTokenReference> element that points to it.
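As an added example (not from this IBM topic), the following Python check, using only the standard library, verifies that a received request has the structure just described: the STR carries a SAML KeyIdentifier naming an assertion in the header, and the signature's <ds:Reference> to that STR applies STR-Transform. The sample message and the function name str_signature_problems are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces of the SOAP 1.1 and 1.2 envelopes, WS-Security and XML Signature.
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML_VALUE_TYPES = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID",
}

def str_signature_problems(soap_xml: str) -> list:
    """Return the structural problems found; an empty list means the assertion is covered by the signature."""
    root = ET.fromstring(soap_xml)
    # Accept either envelope version, as the two XPath expressions in the procedure do.
    ns = SOAP11 if root.tag == f"{{{SOAP11}}}Envelope" else SOAP12
    sec = root.find(f"{{{ns}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return ["no wsse:Security header block"]
    # Assertion identifiers carried in the header: SAML 2.0 uses ID, SAML 1.1 uses AssertionID.
    assertion_ids = {a.get("ID") or a.get("AssertionID") for a in sec if a.tag.endswith("}Assertion")}
    problems = []
    for str_el in sec.findall(f"{{{WSSE}}}SecurityTokenReference"):
        str_id = str_el.get(f"{{{WSU}}}Id")
        kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
        if kid is None or kid.get("ValueType") not in SAML_VALUE_TYPES:
            problems.append(f"STR {str_id}: KeyIdentifier missing or ValueType is not a SAML assertion identifier")
        elif (kid.text or "").strip() not in assertion_ids:
            problems.append(f"STR {str_id}: KeyIdentifier names no assertion present in the header")
        # The signature must reference the STR, and that reference must apply STR-Transform;
        # without it only the <wsse:SecurityTokenReference> element is signed, not the assertion.
        ref = sec.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference[@URI='#{str_id}']")
        if ref is None:
            problems.append(f"STR {str_id}: not covered by any ds:Reference")
            continue
        if STR_TRANSFORM not in [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]:
            problems.append(f"STR {str_id}: ds:Reference lacks STR-Transform, so the assertion itself is unsigned")
    return problems

# Constructed sample request (not a real capture); digest and signature values are omitted for brevity.
SAMPLE = f"""<S:Envelope xmlns:S="{SOAP11}"><S:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"/>
<wsse:SecurityTokenReference wsu:Id="str1"><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_a1</wsse:KeyIdentifier></wsse:SecurityTokenReference>
<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#str1"><ds:Transforms><ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
</wsse:Security></S:Header><S:Body/></S:Envelope>"""

print(str_signature_problems(SAMPLE) or "STR is signed with STR-Transform")
```

The check is structural only; cryptographic verification of the signature value and digests is left to the WS-Security runtime.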

Follow these configuration steps to enable signing SAML tokens at the message level.

Procedure

  1. Configure the message parts.
    1. From the administrative console, edit the SAML policy set, then click WS-Security > Main policy > Request message part protection.
    2. Select Integrity protection.
    3. Click Add.
    4. Enter a part name for Name of part to be signed; for example, saml_part.
    5. Under Elements in Part, click Add.
    6. Select XPath.
    7. Add two XPath expressions, one for a SOAP 1.1 envelope and one for a SOAP 1.2 envelope. Each selects the <wsse:SecurityTokenReference> element in the <wsse:Security> header block.
      SOAP 1.1 envelope:
      /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' 
      and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' 
      and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
      and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
      and local-name()='SecurityTokenReference']
      SOAP 1.2 envelope:
      /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' 
      and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' 
      and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
      and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' 
      and local-name()='SecurityTokenReference']
    8. Click Apply and Save.
    9. Restart the application.
  2. Configure protection and signing for the client.
    1. From the Service client policy set and bindings panel, click WS-Security > Authentication and protection.
    2. Under Request message signature and encryption protection, select a configured resource. The signature of the resource you select includes the SAML token.
      1. From the Available list under Message part reference, select the name of the part to be signed, as created in step 1; for example, saml_part.
      2. Click Add.
      3. In the Assigned list under Message part reference, highlight the name of the part you added; for example, saml_part.
      4. Click Edit.
      5. For the Transform algorithms setting, click New.
      6. Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
      7. Click Apply.
    3. Under Authentication tokens, select and edit the SAML token you want to sign.
      1. Under Custom property, click New.
      2. Enter signToken as the custom property name.
        Note: The custom property is added at the token generator level, although it only applies to the SAML custom token. The property does not apply to other token types.
      3. Enter true as the value of the custom property.
      4. Click Apply.
  3. Configure protection and signing for the service provider.
    1. From the Service provider policy sets and bindings panel, click WS-Security > Authentication and protection.
    2. Under Request message signature and encryption protection, select a configured resource. The signature of the resource you select includes the SAML token.
      1. From the Available list under Message part reference, select the name of the part to be signed, as created in step 1; for example, saml_part.
      2. Click Add.
      3. In the Assigned list under Message part reference, highlight the name of the part you added; for example, saml_part.
      4. Click Edit.
      5. For the Transform algorithms setting, click New.
      6. Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
      7. Click Apply.

Last updated: Oct 20, 2010 7:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist&topic=twbs_signsamltoken
File name: twbs_signsamltoken.html