Secure SAML tokens at the message level by enabling assertion
signing.
Before you begin
Before configuring signing for SAML tokens, you must configure
SAML policy sets and bindings to create SAML tokens as authentication
supporting tokens with message-level integrity protection. For more
information, read about securing messages using SAML. In addition,
the attached SAML bindings must be application-specific bindings,
not general bindings: the transform algorithm used to sign SAML
assertions differs from the one used for other signed parts, and
general bindings use only one transform algorithm.
About this task
This task specifically addresses the steps for digitally signing
a SAML token. It does not address any of the SAML Token Profile OASIS
standard requirements for SAML sender-vouches or SAML bearer tokens
with regard to the message parts that must be signed.
To sign SAML assertions, a SOAP message must include a <wsse:SecurityTokenReference>
(STR) element in the <wsse:Security> header block. The message signature
references the STR by using a <ds:Reference> element. The STR must include
a <wsse:KeyIdentifier> element whose ValueType is either
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
or http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID,
and whose content is the identifier of the referenced assertion. The <ds:Reference>
element must include the URI of the STR-Transform algorithm,
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
Using STR-Transform ensures that the signature covers the SAML assertion
itself, not only the <wsse:SecurityTokenReference> element that points to it.
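The reference chain just described can be checked structurally before any cryptographic verification is attempted. The following Python script is an added example written for this page, not code from the original page or from WebSphere. It constructs a sample SOAP message (SOAP 1.1 or SOAP 1.2) carrying a SAML 2.0 assertion, a SecurityTokenReference that names the assertion through a SAMLID KeyIdentifier, and a signature whose ds:Reference targets the STR with STR-Transform; it then selects the STR with the same namespace-uri()/local-name() walk that the two XPath expressions in the procedure below perform, and confirms that the reference resolves through the KeyIdentifier to an assertion that is actually present in the message. It does not verify the signature value. The assertion identifier, the wsu:Id and the placeholder digest and signature values are constructed. A message whose reference lacks STR-Transform is reported as not covering the assertion, which is the failure mode the paragraph above warns about.

```python
"""Structural check of a SAML assertion signed through STR-Transform.

Added example (not from the original page or WebSphere): builds a
constructed SOAP message, selects the SecurityTokenReference with the same
namespace-uri()/local-name() walk as the page's XPath expressions, and checks
the ds:Reference chain. It does NOT verify the XML signature value; it only
checks the reference structure that decides whether the assertion, and not
just the STR element, is covered by the signature.
"""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML_VALUE_TYPES = (
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID",
)

# Constructed identifiers for the sample message (hypothetical values).
ASSERTION_ID = "_a1b2c3-constructed"
STR_ID = "str-1"


def build_message(soap_ns, with_str_transform=True):
    """Return a constructed SOAP envelope carrying a SAML 2.0 assertion, an STR
    pointing at it by SAMLID, and a signature whose ds:Reference targets the STR.
    Digest and signature values are placeholders, not real cryptographic output."""
    transform = (
        f'<ds:Transforms><ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms>'
        if with_str_transform else ""
    )
    return f"""<S:Envelope xmlns:S="{soap_ns}">
  <S:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <saml:Assertion xmlns:saml="{SAML2}" ID="{ASSERTION_ID}" Version="2.0"
                      IssueInstant="2011-07-01T00:00:00Z">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
      </saml:Assertion>
      <wsse:SecurityTokenReference wsu:Id="{STR_ID}">
        <wsse:KeyIdentifier ValueType="{SAML_VALUE_TYPES[0]}">{ASSERTION_ID}</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature xmlns:ds="{DS}">
        <ds:SignedInfo>
          <ds:Reference URI="#{STR_ID}">{transform}
            <ds:DigestValue>placeholder</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


def _children(elem, ns, local):
    """Direct children matching a namespace URI and local name."""
    return [c for c in elem if c.tag == f"{{{ns}}}{local}"]


def select_security_token_references(root):
    """Envelope/Header/Security/SecurityTokenReference, matched on namespace and
    local name exactly as the two XPath expressions in the procedure do (one for
    the SOAP 1.1 envelope namespace, one for SOAP 1.2)."""
    found = []
    for soap_ns in (SOAP11, SOAP12):
        if root.tag != f"{{{soap_ns}}}Envelope":
            continue
        for header in _children(root, soap_ns, "Header"):
            for security in _children(header, WSSE, "Security"):
                found.extend(_children(security, WSSE, "SecurityTokenReference"))
    return found


def check_signed_assertion(xml_text):
    """Return (True, assertion_id) when a ds:Reference points at an STR with
    STR-Transform and the STR's KeyIdentifier resolves to an assertion in the
    message; otherwise (False, reason)."""
    root = ET.fromstring(xml_text)
    strs = {s.get(f"{{{WSU}}}Id"): s for s in select_security_token_references(root)}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = strs.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            continue  # a reference to some other signed part, e.g. the Body
        algorithms = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        if STR_TRANSFORM not in algorithms:
            return False, (f"reference {uri} lacks STR-Transform: only the "
                           "SecurityTokenReference element is signed, not the assertion")
        key_id = target.find(f"{{{WSSE}}}KeyIdentifier")
        if key_id is None:
            return False, f"SecurityTokenReference {uri} has no KeyIdentifier"
        if key_id.get("ValueType") not in SAML_VALUE_TYPES:
            return False, f"unexpected KeyIdentifier ValueType {key_id.get('ValueType')!r}"
        assertion_id = (key_id.text or "").strip()
        for elem in root.iter():
            if elem.tag in (f"{{{SAML1}}}Assertion", f"{{{SAML2}}}Assertion") and \
               assertion_id in (elem.get("ID"), elem.get("AssertionID")):
                return True, assertion_id
        return False, f"no SAML assertion with identifier {assertion_id!r} in the message"
    return False, "no ds:Reference covers a SecurityTokenReference"


if __name__ == "__main__":
    for label, msg in (("SOAP 1.1", build_message(SOAP11)),
                       ("SOAP 1.2", build_message(SOAP12)),
                       ("no STR-Transform", build_message(SOAP11, with_str_transform=False))):
        print(label, check_signed_assertion(msg))
```

Run the script directly to see the three outcomes. In a deployment the structural check is only the first gate: once it passes, the WS-Security runtime still has to canonicalize the dereferenced assertion, compute the digest and verify the signature value against a trusted key.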
Follow these
configuration steps to enable signing SAML tokens at the message level.
Procedure
- Configure the message parts.
  - From the administrative console, edit the SAML policy
    set, then click .
  - Under Integrity protection, click Add.
  - Enter a part name for Name of part to be
    signed; for example, saml_part.
  - Under Elements in Part, click Add.
  - Select XPath Expression.
  - Add two XPath expressions, one for the SOAP 1.1 envelope
    namespace and one for the SOAP 1.2 envelope namespace. Both select
    the <wsse:SecurityTokenReference> element in the <wsse:Security> header.

    ```xpath
    /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
    and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
    and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    and local-name()='SecurityTokenReference']
    ```

    ```xpath
    /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
    and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
    and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
    and local-name()='SecurityTokenReference']
    ```
  - Click Apply and Save.
  - If an application has never been started using this
    policy, no further action is required. Otherwise, either restart the
    application server or follow the instructions in the Refreshing
    policy set configurations using wsadmin scripting article,
    so that the application server reloads the policy set.
- Configure protection and signing for the client.
  - From the Service client policy set and bindings panel,
    click .
  - Under Request message signature and encryption
    protection, select a configured resource. The signature
    of the resource you select includes the SAML token.
  - From the Available list under Message part
    reference, select the name of the part to be signed, as created in
    step 1; for example, saml_part.
  - Click Add.
  - In the Assigned list under Message part
    reference, highlight the name of the part you added; for example, saml_part.
  - Click Edit.
  - For the Transform algorithms setting, click New.
  - Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
  - Click Apply.
  - Under Authentication tokens, select and edit the SAML
    token you want to sign.
  - Under Custom property, click New.
  - Enter signToken as the custom property
    name.
    Note: The custom property is added at the token generator level,
    although it only applies to the SAML custom token. The property does
    not apply to other token types.
  - Enter true as the value of the custom property.
  - Click Apply.
  - Restart the application.
- Configure protection and signing for the service provider.
  - From the Service provider policy sets and bindings panel,
    click .
  - Under Request message signature and encryption
    protection, select a configured resource. The signature
    of the resource you select includes the SAML token.
  - From the Available list under Message part
    reference, select the name of the part to be signed, as created in
    step 1; for example, saml_part.
  - Click Add.
  - In the Assigned list under Message part
    reference, highlight the name of the part you added; for example, saml_part.
  - Click Edit.
  - For the Transform algorithms setting, click New.
  - Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
  - Click Apply.
  - Restart the application.