When you configure a web services security SAML token, you can configure name-value pairs of data, where the name is a property key and the value is a string value that you can use to set internal system configuration properties. You can use these configuration properties, along with the options provided in the administrative console, to control how the SAML token is generated or consumed.
You must have previously attached a policy set and assigned a binding.
Then complete the following steps:
The following sections list the available custom properties, and describe how each custom property is used.
The following table lists the callback handler custom properties that can only be used to configure SAML token generator bindings.
Name | Values | Description |
---|---|---|
appliesTo | This custom property does not have a default value. | Use this custom property to specify the AppliesTo for the requested SAML token when a WSS API is used. |
audienceRestriction | Valid values are true and false. The default behavior is true, which includes AudienceRestrictionCondition in the SAML token. | This property applies only to self-issued SAML tokens. Use this custom property to specify whether the AudienceRestrictionCondition element is included in the SAML token. |
authenticationMethod | This custom property does not have a default value. | This property only applies to self-issued SAML tokens. Use this custom property to specify the value for the AuthenticationMethod attribute on the AuthenticationStatement element in the SAML token. When this custom property is specified, the Subject will be contained in an AuthenticationStatement instead of an AttributeStatement. |
com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath | This custom property does not have a default value. | Use this custom property to specify the required configuration data when generating a self-issued SAML token. |
cacheCushion | The default value is 5 minutes. | Use this custom property to specify the amount of time, in minutes, before a SAML token's expiration time at which the token is no longer reused and a new token must be issued. For example, if cacheCushion is set to 5 minutes and the SAML token will expire in 2 minutes, the token is not reused; a new SAML token is issued. When the runtime caches a SAML token, a token whose remaining lifetime is already inside the cache cushion is not cached. |
cacheToken | Valid values are true and false. The default behavior is true, which allows SAML token caching for reuse. | Use this custom property to specify whether a SAML token can be cached for reuse. |
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheEntries | The default value is 250. | Use this JVM custom property to specify the maximum number of cache entries that can be maintained. |
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheTimeout | The default value is 60 minutes. | This property is only used for SAML tokens for which the expiration time is unknown (tokens that are encrypted or an expiration is not included with the token in the response from the STS). For SAML tokens for which the expiration time is unknown, the SamlTokenCacheTimeout is used to substitute for the expiration time. For a new SAML token that will enter the cache under this criteria, its expiration time will be (current_time)+SamlTokenCacheTimeout. The conditions described for the cacheCushion property will still apply, so keep the cacheCushion value in mind when altering the value for the SamlTokenCacheTimeout. |
confirmationMethod | Valid values include bearer, holder-of-key, and sender-vouches. This custom property does not have a default value. | Use this custom property to specify a SAML token subject ConfirmationMethod. |
com.ibm.wsspi.wssecurity.saml.get.SamlToken | This custom property does not have a default value. | Use this custom property to get the SAML token to RequestContext. |
com.ibm.wsspi.wssecurity.saml.put.SamlToken | This custom property does not have a default value. | Use this custom property to set the SAML token to RequestContext. |
failOverToTokenRequest | Valid values are true or false. The default value is true, which means that the web services security runtime always issues a new SAML token if the input token is invalid. | Use this custom property to specify whether the web services security runtime should use the attached policy set to issue a new SAML token if the input SAML token in the RequestContext is invalid. |
com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerURI | This custom property does not have a default value. | Use this custom property to specify the issuer URL in the custom properties. |
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreRef | This custom property does not have a default value. | Use this custom property to specify a reference to a centrally managed keystore in the custom properties. Sample: name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode |
com.ibm.wsspi.wssecurity.saml.config.issuer.TimeToLiveMilliseconds | The default value is 3600000 (60 minutes). | Use this custom property to specify, in milliseconds, the amount of time that can elapse before a token expires in the custom properties. |
recipientAlias | This custom property does not have a default value. | Use this custom property to specify a target service alias for a certificate. |
signToken | This custom property does not have a default value. | Use this custom property to specify whether a SAML token should be signed with an application message. |
sslConfigAlias | If a value is not specified for this property, the default SSL alias defined in your system's SSL configuration is used. This property is optional. | Use this custom property to specify the alias to an SSL configuration that a WS-Trust client uses to request a SAML token. |
stsURI | This custom property does not have a default value. | Use this custom property to specify the SecurityTokenService address. |
keySize | This custom property does not have a default value. | Use this custom property to specify the KeySize when requesting a SecretKey from STS. |
tokenRequest | Valid values include issue and propagation. | Use this custom property to specify the SAMLToken request method. For more information about the values that can be specified for this property, see the related topic. |
tokenType | This custom property does not have a default value. | Use this custom property to set the required token type for SAMLGenerateCallback. |
usekeyType | This custom property is optional. The valid values are KeyValue, X509Certificate, and X509IssuerSerial. | Use this custom property to specify the UseKey type, which tells the client to generate a specific type of key information. |
WSSConsumingContext | This custom property does not have a default value. | Use this custom property to specify the WSSConsumingContext object that the WS-Trust client uses to request a SAML token. |
WSSGenerationContext | This custom property does not have a default value. | Use this custom property to specify the WSSGenerationContext object that the WS-Trust client uses to request a SAML token. |
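The cacheToken, cacheCushion and SamlTokenCacheTimeout rows above describe one decision: whether a freshly issued token is worth caching, and whether a cached token is still far enough from expiry to be reused. The following Python model of that decision is an added example, not WebSphere code; the property values in GENERATOR_PROPS are constructed, and times are plain minute counts on one clock.

```python
# Generator binding custom properties as a dict; values are constructed for this example.
CACHE_TIMEOUT_PROP = "com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheTimeout"
GENERATOR_PROPS = {
    "cacheToken": "true",
    "cacheCushion": "5",        # minutes
    CACHE_TIMEOUT_PROP: "60",   # minutes, used only when the token's expiry is unknown
}

def _minutes(props, name, default):
    """Read a minute-valued property, falling back to the page's documented default."""
    return int(props.get(name, default))

def cache_entry_expiry(props, now_min, token_expiry_min):
    """Return the expiry (minutes, same clock as now_min) to record for a newly issued
    token, or None if the token must not be cached. token_expiry_min is None when the
    STS response carries no usable expiry (an encrypted token, or no lifetime returned)."""
    if props.get("cacheToken", "true").strip().lower() != "true":
        return None
    if token_expiry_min is None:
        # unknown expiry: substitute current_time + SamlTokenCacheTimeout
        token_expiry_min = now_min + _minutes(props, CACHE_TIMEOUT_PROP, "60")
    # a token already inside the cushion would never be reused, so it is not cached
    if token_expiry_min - now_min <= _minutes(props, "cacheCushion", "5"):
        return None
    return token_expiry_min

def reuse_cached(props, now_min, cached_expiry_min):
    """True when the cached token is still more than cacheCushion minutes from expiry."""
    return cached_expiry_min - now_min > _minutes(props, "cacheCushion", "5")
```

The last assertion in the model shows the caveat from the SamlTokenCacheTimeout row: a cacheCushion larger than the timeout means a token with unknown expiry is never cached.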
The following table lists the callback handler custom properties that can only be used to configure SAML token consumer bindings.
Name | Values | Description |
---|---|---|
allowUnencKeyInHok | Valid values are true or false. The default value is true, which means that unencrypted keys are allowed. | Use this property to direct the SAML token consumer to accept an unencrypted key in a SAML holder-of-key token. |
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheEntries | An integer. The default value is 100. | Use this custom property to specify how many signature cache entries can be maintained for a SAML consumer token. |
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheTimeout | An integer. The default value is 60 minutes. | Use this custom property to specify how many minutes a SAML token is to be cached. A signature validation does not need to be repeated while the SAML token is cached. |
keyAlias | This custom property does not have a default value. | Use this custom property to specify the key alias for a SAML consumer token. |
keyName | This custom property does not have a default value. | Use this custom property to specify the key name for a SAML consumer token. |
keyPassword | This custom property does not have a default value. | Use this custom property to specify the key password for a SAML consumer token. |
keyStorePassword | This custom property does not have a default value. | Use this custom property to specify the keystore password for a SAML consumer token. |
keyStorePath | This custom property does not have a default value. | Use this custom property to specify the keystore file path for a SAML consumer token. |
keyStoreRef | This custom property does not have a default value. | Use this custom property to specify the keystore reference for a SAML consumer token. Sample: name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode |
keyStoreType | This custom property does not have a default value. | Use this custom property to specify the keystore type for a SAML consumer token. |
signatureRequired | The default value is true. | Use this custom property to specify whether a signature is required on a SAML assertion. |
trustAnySigner | The default value is false. | Use this custom property to specify whether a recipient can trust any certificate that signs a SAML assertion. |
trustedAlias | This custom property does not have a default value. | Use this custom property to specify the trusted STS certificate's alias for a SAML consumer token. |
trustedIssuer_ | The name is specified as trustedIssuer_n where n is an integer. This custom property does not have a default value. | Use this custom property to specify the name of a trusted issuer. |
trustedSubjectDN_ | The name is specified as trustedSubjectDN_n, where n is an integer. This custom property does not have a default value. | Use this custom property to specify the SubjectDN name of the X509Certificate for the trusted issuer. |
trustStorePassword | This custom property does not have a default value. | Use this custom property to specify the truststore password for a SAML consumer token. |
trustStorePath | This custom property does not have a default value. | Use this custom property to specify the truststore file path for a SAML consumer token. |
trustStoreRef | This custom property does not have a default value. | Use this custom property to specify the truststore reference for a SAML consumer token. Sample: name=myTrustStoreRef managementScope=(cell):myCell:(node):myNode |
trustStoreType | This custom property does not have a default value. | Use this custom property to specify the truststore type name for a SAML consumer token. |
validateAudienceRestriction | Valid values are true or false. The default value is false, which means that an AudienceRestriction assertion validation is not required. | Use this custom property to specify whether an AudienceRestriction assertion must be validated. |
validateOneTimeUse | Valid values are true or false. The default value is true, which means that OneTimeUse assertion validation is required. | Use this custom property to specify whether a OneTimeUse assertion in SAML 2.0, or a DoNotCacheCondition in SAML 1.1 must be validated. |
CRLPATH | This custom property does not have a default value. | Use this custom property to specify the file path to the list of revoked certificates for a SAML consumer token. |
X509PATH | This custom property does not have a default value. | Use this custom property to specify the intermediate X509Certificate file path for a SAML consumer token. |
CRLPATH_ | The name is specified as CRLPATH_n, where n is an integer. This custom property does not have a default value. | Use this custom property to specify the file path to the list of revoked X509 certificates for a SAML consumer token. |
X509PATH_ | The value specified must be in the format X509_path_n, where n is an integer. This custom property does not have a default value. | Use this custom property to specify the file path for the intermediate X509 certificate for a SAML consumer token. |
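Several consumer properties above (signatureRequired, trustAnySigner, the trustedIssuer_n and trustedSubjectDN_n families, validateAudienceRestriction, validateOneTimeUse) are switches on the same acceptance decision. The Python model below is an added example, not WebSphere code: CONSUMER_PROPS holds constructed values, the assertion is a plain dict standing in for a parsed SAML assertion, and the way trustedIssuer_n and trustedSubjectDN_n are matched is an assumption of this model.

```python
# Consumer binding custom properties as a dict; values are constructed for this example.
CONSUMER_PROPS = {
    "signatureRequired": "true",
    "trustAnySigner": "false",
    "trustedIssuer_1": "https://sts.example.test/issuer",
    "trustedSubjectDN_1": "CN=sts.example.test,O=Example",
    "validateAudienceRestriction": "true",
    "validateOneTimeUse": "true",
}

def indexed_values(props, prefix):
    """Collect a prefix_n family (trustedIssuer_1, trustedIssuer_2, ...) in index order."""
    pairs = []
    for name, value in props.items():
        suffix = name[len(prefix):]
        if name.startswith(prefix) and suffix.isdigit():
            pairs.append((int(suffix), value))
    return [value for _, value in sorted(pairs)]

def is_true(props, name, default):
    return props.get(name, default).strip().lower() == "true"

def consumer_failures(props, assertion, service_audience, seen_ids):
    """Return the policy failures for one assertion (a dict constructed for this example);
    an empty list means it passes. seen_ids is the caller's replay record (a set).
    Assumption: issuer name and signer DN are each checked against their own list."""
    failures = []
    if is_true(props, "signatureRequired", "true") and not assertion.get("signed"):
        failures.append("signatureRequired: assertion is not signed")
    if assertion.get("signed") and not is_true(props, "trustAnySigner", "false"):
        issuers = indexed_values(props, "trustedIssuer_")
        subject_dns = indexed_values(props, "trustedSubjectDN_")
        if issuers and assertion.get("issuer") not in issuers:
            failures.append("issuer %r is not a trustedIssuer_n" % assertion.get("issuer"))
        if subject_dns and assertion.get("signer_dn") not in subject_dns:
            failures.append("signer DN %r is not a trustedSubjectDN_n" % assertion.get("signer_dn"))
    if is_true(props, "validateAudienceRestriction", "false"):
        if service_audience not in assertion.get("audiences", []):
            failures.append("validateAudienceRestriction: %r not in AudienceRestriction" % service_audience)
    if is_true(props, "validateOneTimeUse", "true") and assertion.get("one_time_use"):
        if assertion["id"] in seen_ids:
            failures.append("validateOneTimeUse: assertion %s already presented" % assertion["id"])
        else:
            seen_ids.add(assertion["id"])
    return failures
```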
The following table lists the callback handler custom properties that can be used to configure both SAML token generator and SAML token consumer bindings.
Name | Values | Description |
---|---|---|
clockSkew | The default value is 5 minutes. | Use this custom property to specify, in minutes, an adjustment to the times in the self-issued SAML token that the SAMLGenerateLoginModule creates. The clockSkew custom property is set on the callback handler of the SAML token generator that uses the SAMLGenerateLoginModule class. The value specified for this custom property must be numeric and is specified in minutes. When a value is specified for this custom property, the times in the self-issued SAML token that the SAMLGenerateLoginModule creates are adjusted accordingly. |
clientLabel | This custom property does not have a default value. | Use this custom property to specify, in bytes, the client label to use for the derived keys whenever a WSS API is used with the requested SAML token. |
serviceLabel | This custom property does not have a default value. | Use this custom property to specify, in bytes, the service label to use for the derived keys whenever a WSS API is used with the requested SAML token. |
keylength | This custom property does not have a default value. | Use this custom property to specify, in bytes, the derived key length to use for the derived keys whenever a WSS API is used with the requested SAML token. |
nonceLength | The default value is 128. | Use this custom property to specify, in bytes, the derived nonce length to use for the derived keys whenever a WSS API is used with the requested SAML token. |
requireDKT | The default value is false. | Use this custom property to specify an option for the derived keys whenever a WSS API is used with the requested SAML token. |
useImpliedDKT | The default value is false. | Use this custom property to specify an option that is used with Implied derived keys whenever a WSS API is used with the requested SAML token. |
The following table lists the callback handler custom properties that can be used to configure trust client generator bindings.
Name | Values | Description |
---|---|---|
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheEntries | The default value is 1000. | Use this custom property to specify the maximum number of STS service instance cache entries that can be maintained. |
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheTimeout | The default value is 60 minutes. | Use this custom property to specify, in minutes, the length of time an STS service instance can be kept in a client side cache. |
keyType | The valid keyType values depend on whether WS-Trust 1.2 or WS-Trust 1.3 is used. | Use this custom property to specify the keyType when making a WS-Trust request to the STS. |
wstrustClientBinding | This custom property does not have a default value. | Use this custom property to specify a binding name for the WS-trust client. |
wstrustClientBindingScope | This custom property does not have a default value. | Use this custom property to specify the binding scope for the policy set that is attached to the WS-Trust client. |
wstrustClientCollectionRequest | Valid values are true or false. The default value is false, which means that a RequestSecurityToken is used instead of a RequestSecurityTokenCollection. | Use this custom property to specify whether a RequestSecurityTokenCollection is required in a WS-Trust request. |
wstrustClientPolicy | This custom property does not have a default value. | Use this custom property to specify the policy set name for a WS-Trust client. |
wstrustClientSoapVersion | Valid values are 1.1 and 1.2. If no value is specified, the SOAP version defaults to the SOAP version that the application client is using. | Use this custom property to specify the SOAP version in a WS-Trust request. |
wstrustClientWSTNamespace | The default value is trust13. | Use this custom property to specify the WS-Trust namespace for a WS-Trust request. Valid values are trust12 and trust13. |