Secure SAML tokens at the message level by enabling assertion signing.
Before you begin
Before configuring signing for SAML tokens, you must configure
SAML policy sets and bindings to create SAML tokens as authentication
supporting tokens, with message level integrity protection. For more
information, read about securing messages using SAML. In addition,
the attached SAML bindings must be application-specific bindings,
not general bindings: the transform algorithm used to sign SAML
assertions differs from the one used for other signed parts, whereas
general bindings support only one transform algorithm.
About this task
This task specifically addresses the steps for digitally signing a
SAML token. It does not address any of the SAML Token Profile OASIS
standard requirements for SAML sender-vouches or SAML bearer tokens
with regard to the message parts that must be signed. To sign SAML
assertions, a SOAP message must include a <wsse:SecurityTokenReference>
element in the <wsse:Security> header block. The SecurityTokenReference
(STR) is referenced by the message signature using a <ds:Reference>
element. The security token reference must include a <wsse:KeyIdentifier>
element whose ValueType is http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
or http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID,
specifying the identifier of the referenced assertion. The <ds:Reference>
element must include the URI of the STR-Transform algorithm, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
Use of STR-Transform ensures that the SAML assertion itself is signed,
not only the <wsse:SecurityTokenReference> element.
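A structural check for the header layout just described, added here as an illustration and not part of this documentation or of WebSphere: it parses a constructed SOAP 1.1 request and reports a signed STR that lacks STR-Transform, or a KeyIdentifier that does not resolve to an assertion in the header. The namespace URIs and element nesting are assumed from the WS-Security and SAML Token Profile specifications; the sample message is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the sample (SOAP 1.1 envelope; a SOAP 1.2 envelope has a different URI).
NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML_ID_TYPES = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID",
}

def check_str_signature(soap_xml: str) -> list:
    """Return the structural problems found; an empty list means every signed STR is in order."""
    root = ET.fromstring(soap_xml)
    sec = root.find("env:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    # Map each STR's wsu:Id to its element so signature references (URI="#id") can be resolved.
    strs = {s.get("{%s}Id" % NS["wsu"]): s for s in sec.findall("wsse:SecurityTokenReference", NS)}
    problems = []
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in strs:
            continue  # references to other signed parts (Body, Timestamp, ...) are out of scope here
        algs = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        if STR_TRANSFORM not in algs:
            problems.append("%s: signed without STR-Transform, so only the reference is covered" % uri)
        kid = strs[uri[1:]].find("wsse:KeyIdentifier", NS)
        if kid is None or kid.get("ValueType") not in SAML_ID_TYPES:
            problems.append("%s: no KeyIdentifier with a SAML ID ValueType" % uri)
            continue
        assertion_id = (kid.text or "").strip()
        if sec.find("saml:Assertion[@ID='%s']" % assertion_id, NS) is None:
            problems.append("%s: KeyIdentifier %s does not resolve to an Assertion" % (uri, assertion_id))
    return problems

def sample_message(with_str_transform: bool = True) -> str:
    """Constructed minimal request: assertion, STR pointing at it, and a signature over the STR."""
    tr = '<ds:Transform Algorithm="%s"/>' % STR_TRANSFORM if with_str_transform else ""
    return """<env:Envelope xmlns:env="%(env)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
xmlns:ds="%(ds)s" xmlns:saml="%(saml)s"><env:Header><wsse:Security>
<saml:Assertion ID="_a1" Version="2.0"/><wsse:SecurityTokenReference wsu:Id="str1">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_a1</wsse:KeyIdentifier>
</wsse:SecurityTokenReference><ds:Signature><ds:SignedInfo><ds:Reference URI="#str1">
<ds:Transforms>%(tr)s</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
</wsse:Security></env:Header><env:Body/></env:Envelope>""" % dict(NS, tr=tr)
```

The check only inspects structure; verifying the signature value itself still requires an XML-Signature implementation with the configured keys.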
Follow these configuration steps to enable signing SAML tokens at the message level.
Avoid trouble: Using a SAML attribute callback handler is the
only way to add custom attributes to a SAMLToken upon initial creation.
Although you can add attributes to your SAMLToken
object using the SAMLToken.addAttribute method, doing so removes the
digital signature on the token if one exists. The method also cannot be used
with encrypted SAML tokens or encrypted attributes.
Procedure
- Configure the message parts.
- From the administrative console, edit
the SAML policy set, then click .
- Under Integrity protection,
click Add.
- Enter a part name for Name
of part to be signed; for example, saml_part.
- Under Elements in Part,
click Add.
- Select XPath Expression.
- Add two XPath expressions, one for a SOAP 1.1 envelope and one for a SOAP 1.2 envelope.
SOAP 1.1:
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='SecurityTokenReference']
SOAP 1.2:
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='SecurityTokenReference']
- Click Apply and Save.
- If no application has ever been started
using this policy, no further action is required. Otherwise, either
restart the application server or follow the instructions in the Refreshing
policy set configurations using wsadmin scripting article,
so that the application server reloads the policy set.
- Modify the client bindings to sign the SAML token.
- From the Service client policy set and bindings panel,
click .
- Modify the currently configured outbound
Signed message part bindings to include the new SAML part that you
created.
Under Request message signature
and encryption protection, select the part reference whose
status is set to Configured. This part reference
will most likely be request:app_signparts.
- From the Available list under Message part
reference, select the name of the part to be signed, as created in
step 1; for example, saml_part.
- Click Add, and then click Apply.
- In the Assigned list under Message part
reference, highlight the name of the part you added; for example, saml_part.
- Click Edit.
- For the Transform algorithms setting, click New.
- Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
- Click OK, click OK,
and then click OK one more time.
- Update the SAML token generator with the
custom property that indicates a digital signature with a Security Token
Reference.
Under Authentication tokens, select and edit
the SAML token you want to sign.
- Under Custom property, click New.
- Enter com.ibm.ws.wssecurity.createSTR as
the custom property name.
- Enter true as the value of the custom property.
- Click Apply, and then click Save.
- Restart the application.
- Modify the provider bindings to accept a signed SAML token.
- From the Service provider policy sets and bindings panel,
click .
- Modify the currently configured inbound Signed
message part bindings to include the new SAML part that you created.
Under Request message signature and encryption
protection, select the part reference whose status is
set to Configured. This part reference will
most likely be request:app_signparts.
- From the Available list under Message part
reference, select the name of the part to be signed, as created in
step 1; for example, saml_part.
- Click Add, and then click Apply.
- In the Assigned list under Message part
reference, highlight the name of the part you added; for example, saml_part.
- Click Edit.
- For the Transform algorithms setting, click New.
- Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
- Click OK, click OK,
and then click OK one more time.
- Click Save.
- Restart the application.