The Web Services Security SAML Token Profile OASIS standard specifies how to use Security Assertion Markup Language (SAML) assertions with the Web Services Security SOAP Message Security specification.
WebSphere® Application Server Version 7.0.0.7 and later supports two versions of the OASIS SAML standard: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1 and Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0.
The standard describes the use of SAML assertions as security tokens in the <wsse:Security> header, as defined by the WSS: SOAP Message Security specification. An XML signature can be used to bind the subjects and statements in the SAML assertion to the SOAP message.
Subject confirmation methods define the mechanism by which an entity provides evidence (proof) of the relationship between the subject and the claims of the SAML assertions. The WSS: SAML Token Profile describes the usage of three subject confirmation methods: bearer, holder-of-key, and sender-vouches. WebSphere Application Server Version 7.0.0.9 and later supports all three confirmation methods. When using the bearer subject confirmation method, proof of the relationship between the subject and claims is implicit. No specific steps are taken to establish the relationship.
Since there is no key material associated with a bearer token, protection of the SOAP message, if required, must be performed using a transport level mechanism or another security token, such as an X.509 or Kerberos token, for message level protection. When using the holder-of-key subject confirmation method, proof of the relationship between the subject and claims is established by signing part of the SOAP message with the key specified in the SAML assertion. Since there is key material associated with a holder-of-key token, this token can be used to provide message level protection (signing and encryption) of the SOAP message.
<saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>

<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
</saml2:SubjectConfirmation>
The ds:KeyInfo information inside the SubjectConfirmation element identifies a public or secret key that is used to confirm the identity of the subject. The holder-of-key assertion also contains a ds:Signature element that protects the integrity of the confirmation ds:KeyInfo element as established by the assertion authority.
<saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
  <ds:KeyInfo>
    <ds:KeyValue>. . .</ds:KeyValue>
  </ds:KeyInfo>
</saml:SubjectConfirmation>

<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <saml2:SubjectConfirmationData>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      ......
    </ds:KeyInfo>
  </saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>

<saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>

<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
</saml2:SubjectConfirmation>
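The following Python script is an illustration added here and is not part of the WebSphere documentation or of any WebSphere API. It parses the SubjectConfirmation element in both the SAML 1.1 form (method as element text, ds:KeyInfo as a direct child) and the SAML 2.0 form (Method attribute, ds:KeyInfo under SubjectConfirmationData) shown above, and then checks that the evidence carried with the SOAP message matches what the confirmation method requires: a bearer assertion is accepted only when the message is protected by the transport or by another token, and a holder-of-key assertion only when the key that signed the message is the key named in ds:KeyInfo. The sender-vouches branch applies the WSS: SAML Token Profile rule that the attesting party must sign the assertion and the vouched-for content, which this page only names. The two assertion fragments, the constructed-1/constructed-2 identifiers, the key fingerprint strings and the function names subject_confirmation, key_fingerprint and check_confirmation are all constructed for this example.

```python
"""Classify a SAML 1.1 / 2.0 subject confirmation method and check the message evidence.

Added example; the assertions, identifiers and key fingerprints below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Confirmation method URIs from the SAML Token Profile, mapped to a common short name.
METHODS = {
    "urn:oasis:names:tc:SAML:1.0:cm:bearer": "bearer",
    "urn:oasis:names:tc:SAML:2.0:cm:bearer": "bearer",
    "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key": "holder-of-key",
    "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key": "holder-of-key",
    "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches": "sender-vouches",
    "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches": "sender-vouches",
}

# Constructed SAML 1.1 holder-of-key assertion (RSA public key in ds:KeyInfo).
SAML1_HOK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" AssertionID="constructed-1"
    MajorVersion="1" MinorVersion="1">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod> urn:oasis:names:tc:SAML:1.0:cm:holder-of-key </saml:ConfirmationMethod>
        <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
          <ds:Modulus>CONSTRUCTED-MODULUS-BASE64</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed SAML 2.0 bearer assertion (no key material at all).
SAML2_BEARER = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="constructed-2" Version="2.0">
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
</saml2:Assertion>"""


def subject_confirmation(assertion_xml):
    """Return (method, ds:KeyInfo element or None) for a SAML 1.1 or SAML 2.0 assertion.
    Production code should parse untrusted XML with defusedxml; the stdlib parser is
    acceptable here only because the input is constructed inline."""
    root = ET.fromstring(assertion_xml)
    sc = root.find(".//saml1:SubjectConfirmation", NS)
    if sc is not None:
        uri = sc.findtext("saml1:ConfirmationMethod", default="", namespaces=NS).strip()
        key_info = sc.find("ds:KeyInfo", NS)
    else:
        sc = root.find(".//saml2:SubjectConfirmation", NS)
        if sc is None:
            raise ValueError("no SubjectConfirmation element")
        uri = sc.get("Method", "").strip()
        key_info = sc.find("saml2:SubjectConfirmationData/ds:KeyInfo", NS)
    method = METHODS.get(uri)
    if method is None:
        raise ValueError("unsupported confirmation method: %r" % uri)
    return method, key_info


def key_fingerprint(key_info):
    """Comparable string for the confirmation key: the RSA modulus or the X.509
    certificate directly under ds:KeyInfo. An EncryptedKey (symmetric proof key) is
    not handled here, so it deliberately yields None and is rejected."""
    for path in ("ds:KeyValue/ds:RSAKeyValue/ds:Modulus", "ds:X509Data/ds:X509Certificate"):
        el = key_info.find(path, NS)
        if el is not None and el.text:
            return "".join(el.text.split())
    return None


def check_confirmation(assertion_xml, transport_protected, message_signing_key):
    """Decide whether the evidence carried with the SOAP message satisfies the
    confirmation method. message_signing_key is the fingerprint (same format as
    key_fingerprint) of the key that signed the SOAP body, or None if unsigned."""
    method, key_info = subject_confirmation(assertion_xml)
    if method == "bearer":
        # Relationship is implicit; integrity must come from TLS or another token.
        if transport_protected or message_signing_key is not None:
            return True, "bearer: message protected by transport or another token"
        return False, "bearer: no transport or message-level protection"
    if method == "holder-of-key":
        # Proof is possession of the key in the assertion: the message must be
        # signed with exactly that key; transport protection does not substitute.
        if key_info is None:
            return False, "holder-of-key: assertion carries no ds:KeyInfo"
        expected = key_fingerprint(key_info)
        if expected is None:
            return False, "holder-of-key: unrecognised ds:KeyInfo content"
        if message_signing_key == expected:
            return True, "holder-of-key: message signed with the confirmation key"
        return False, "holder-of-key: message not signed with the confirmation key"
    # sender-vouches: the attesting party must sign assertion and vouched content.
    if message_signing_key is not None:
        return True, "sender-vouches: attesting party signed assertion and message"
    return False, "sender-vouches: no signature from the attesting party"
```

A holder-of-key assertion with the wrong signing key fails even over a protected transport, because the transport proves nothing about who holds the key named in the assertion; that distinction is the whole point of the method.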
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
<t:KeySize>256</t:KeySize>

<saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      </enc:EncryptionMethod>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIB3 . . . vO3bdg</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <enc:CipherData>
        <enc:CipherValue>P5Kb . . . rOTvII</enc:CipherValue>
      </enc:CipherData>
    </enc:EncryptedKey>
  </ds:KeyInfo>
</saml:SubjectConfirmation>

<trust:UseKey>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>MIIGCzCCBPOgAwIBAgIQcSgVwaoQv6dG. . .1GqB</X509Certificate>
    </X509Data>
  </KeyInfo>
</trust:UseKey>

<saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyValue>
      <ds:RSAKeyValue>
        <ds:Modulus>hYHQm. . . ZnH1S0=</ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue>
    </ds:KeyValue>
  </ds:KeyInfo>
</saml:SubjectConfirmation>