Configure the client and provider policy set attachments
and bindings for the SAML sender-vouches token, which uses the
sender-vouches subject confirmation method. The sender-vouches confirmation
method is used when a server needs to propagate the client identity
or act on behalf of the client.
Before you begin
This function is enabled in WebSphere® Application Server Version 7.0.0.9
and later releases. To use the function, you must first install WebSphere Application Server Version 7.0.0.9,
which includes SAML sender-vouches support. After installing Version
7.0.0.9, you must create one or more new server profiles, or add SAML
configuration settings to an existing profile. For example, in a WebSphere Application Server, Network Deployment environment,
there are multiple profiles. Read about setting up the SAML configuration
for more information. The sender-vouches token must be protected using
either message-level security or HTTPS transport. Therefore, you must
determine which type of security you want to use.
About this task
WebSphere Application Server with
SAML provides numerous default SAML token application policy sets
and several general client and provider binding samples. The policy
set for the SAML sender-vouches token is similar to the SAML bearer
token policy set. The procedure shows how to create a sender-vouches
policy set based on the attached SAML bearer token policy set. Before
you can configure the client and provider bindings for the SAML sender-vouches
token, you must attach SAML bearer token client and provider bindings
to the JAX-WS application. For more information about the bearer policy
sets, read about configuring client and provider bindings for the
SAML bearer token.
You must use application-specific custom bindings
instead of general bindings for sender-vouches. Therefore, if you
configure sender-vouches policy sets and bindings from attached bearer
token policy sets and bindings, you must ensure that the assigned
bindings are application-specific bindings.
The procedure for
creating the sender-vouches policy set begins with attaching the Web
services bearer token policy sets.
Procedure
Complete the associated steps to configure the selected
protection method. Follow the first set of steps to protect messages
using message-level security, or follow the second set of steps to
protect messages using HTTPS transport.
- To protect messages using message-level security, attach the
  SAML20 Bearer WSSecurity default policy set and configure the associated
  application-specific bindings.
  - Attach the SAML20 Bearer WSSecurity default policy set. Refer
    to steps 1 and 2 in the topic, Configuring client and provider bindings
    for the SAML bearer token.
  - Create and configure application-specific bindings for the client
    and the service provider. Refer to steps 3 to 9 in the topic, Configuring
    client and provider bindings for the SAML bearer token. For the binding
    names, enter names that include sender-vouches, such as SAML20SenderVouches_Client
    and SAML20SenderVouches_Service.
  - The sender of SOAP messages (the attesting entity) satisfies the sender-vouches
    subject confirmation requirement by including a <ds:Signature>
    element in the corresponding <wsse:Security> header. The initiator
    key is used to sign the relevant message content and assertions. Modify
    the sender-vouches bindings to satisfy the vouching requirement.
    - Refer to the topic, Signing SAML tokens at the message level, for
      information about modifying the sender-vouches bindings.
    - Edit both the Client policy set and bindings and
      the Service provider policy sets and bindings.
      Click .
    - Click the name of the authentication token that is configured
      in the attached SAML bearer policy set; for example, request:SAMLToken20Bearer.
    - Click Callback handler.
    - Under Custom Properties, select confirmationMethod.
    - Click Edit.
    - Change the value of the confirmationMethod property to sender-vouches.
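The vouching requirement above (a sender-vouches SubjectConfirmation plus a <ds:Signature> in the <wsse:Security> header that covers the assertion and the message content) can be checked structurally on the receiving side. The following Python script is an added example, not code from the WebSphere documentation or product; the SOAP envelope is constructed, the signature bytes are placeholders, and the script checks only structure, not the XML signature itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed sample message; PLACEHOLDER stands in for real signature bytes.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><wsse:Security>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml:Subject></saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/><ds:Reference URI="#body"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body"><ns:getBalance xmlns:ns="urn:example"/></soap:Body>
</soap:Envelope>"""

def check_sender_vouches(envelope_xml):
    """List structural sender-vouches problems; empty means OK (signature bytes are not verified)."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        return ["no SAML 2.0 assertion in the wsse:Security header"]
    problems = []
    methods = [c.get("Method") for c in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    if SENDER_VOUCHES not in methods:
        problems.append("SubjectConfirmation method is not sender-vouches: %s" % methods)
    sig = sec.find("ds:Signature", NS)  # the attesting entity vouches by signing
    if sig is None:
        return problems + ["no ds:Signature in the wsse:Security header"]
    # The signature must cover both the assertion and the SOAP Body it vouches for.
    refs = {r.get("URI", "").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    body = root.find("soap:Body", NS)
    body_id = body.get("{%s}Id" % NS["wsu"]) if body is not None else None
    if assertion.get("ID") not in refs:
        problems.append("signature does not cover the SAML assertion")
    if body_id is None or body_id not in refs:
        problems.append("signature does not cover the SOAP Body")
    return problems
```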
- To protect messages using HTTPS transport, attach the SAML20
  Bearer WSHTTPS default policy set and configure the associated application-specific
  bindings.
  - Attach the SAML20 Bearer WSHTTPS default policy set. Refer to
    steps 1 and 2 in the topic, Configuring policy sets and bindings to
    communicate with the Security Token Service (STS).
  - Create and configure application-specific bindings for the client
    and the service provider. Refer to steps 3 to 5 in the topic, Configuring
    policy sets and bindings to communicate with STS. For the binding
    names, enter names that include sender-vouches, such as sslSamlSenderVouches_Client
    and sslSamlSenderVouches_Service.
  - Set the required SAML SubjectConfirmation method to the sender-vouches
    method.
    - Edit both the Client policy set and bindings and
      the Service provider policy sets and bindings.
      Click .
    - Click the name of the authentication token that is configured in the attached
      SAML bearer policy set; for example, request:SAMLToken20Bearer.
    - Click Callback handler.
    - Under Custom Properties, select confirmationMethod.
    - Click Edit.
    - Change the value of the confirmationMethod property to sender-vouches.
Use X.509 client certificate authentication over
SSL to satisfy the sender-vouches subject confirmation requirement.
The configuration steps vary on the SOAP message receiver side depending
on whether SSL connections end at the internal HTTP server or at an
external HTTP server. An external HTTP server might be a web server,
a reverse proxy security server, a proxy server, and so on.
When client certificate authentication is required,
the internal HTTP server accepts a client SSL connection request under
one of the following conditions:
- The X.509 certificate for the client exists in the trust store.
- The X.509 certificate is issued by a trusted entity or party,
which means that the X.509 certificate for the issuer exists in the
trust store.
Whether you add a web services client X.509 certificate or the
issuer X.509 client certificate into the HTTP server trust store depends
on your computing environment.