When creating a new SAML token, you can specify configuration properties to control how the token is configured. The configuration properties are stored in a properties file containing name/value pairs. The properties describe provider-side information such as the issuer location, and the keystore and truststore file paths.
Starting with WebSphere® Application Server version 8, you can also use the administrative console or the setSAMLIssuerConfigInBinding command task to specify a self-issued SAML token's configuration as custom properties in the requester's outbound configuration, either in the general bindings or in the application-specific bindings. When programming to the Web Services Security (WSS) application programming interfaces (APIs), you can also specify a self-issued SAML token's configuration as custom properties of com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext objects. Migrate self-issued SAML token configuration data from the SAMLIssuerConfig.properties file to the bindings. Refer to the "Managing self-issued SAML token configuration using wsadmin commands" section for additional information.
Use of the SAMLIssuerConfig.properties file is deprecated in WebSphere Application Server version 8. Do not specify a SAMLIssuerConfig.properties file using a Java system property. When no SAMLIssuerConfig.properties file is specified, the com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory.newDefaultProviderConfig() method returns a com.ibm.wsspi.wssecurity.saml.config.ProviderConfig object with empty contents; this is the recommended programming style. Use the ProviderConfig setter methods to populate its contents.
A single configuration file, SAMLIssuerConfig.properties, containing the provider-side properties is created and stored on each server. On a WebSphere server, the file is located in the server-level repository or in the cell-level repository:

- Server level: app_server_root/profiles/$PROFILE/config/cells/$CELLNAME/nodes/$NODENAME/servers/$SERVERNAME/SAMLIssuerConfig.properties
- Cell level: app_server_root/profiles/$PROFILE/config/cells/$CELLNAME/sts/SAMLIssuerConfig.properties

In an environment that is not based on WebSphere, the file location is defined by the Java system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath.
| Property name | Sample property value | Property description |
|---|---|---|
| com.ibm.wsspi.wssecurity.dsig.oldEnvelopedSignature | true | Use only if you are setting the com.ibm.wsspi.wssecurity.dsig.enableEnvelopedSignatureProperty JVM custom property to true. See the topic Java Virtual Machine (JVM) custom properties for a description of when you might want to use this JVM custom property. |
| IssuerFormat | urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName | Value for the Format attribute of the Issuer element in the SAML token. Note: If you want to add the Format attribute to the Issuer element, you must specify this property. |
| IssuerURI | http://www.websphere.ibm.com/SAML/SelfIssuer | The URI of the issuer. |
| TimeToLiveMilliseconds | 3600000 | Amount of time before expiration of the token. |
| KeyStoreRef | | A reference to a managed keystore from security.xml. |
| KeyStorePath | app_server_root/etc/ws-security/samples/dsig-receiver.ks | The location of the keystore file. Note: You must modify this value from the default value to match the path location for your system. |
| KeyStoreType | JKS | The keystore type. |
| KeyStorePassword | password | The password of the keystore file (the password must be XOR encoded). For more information, read about encoding passwords in files. |
| KeyAlias | soapprovider | The alias of the key as defined in the keystore file. |
| KeyName | CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP | The name of the key as defined in the keystore file. |
| KeyPassword | password | The password of the private key as defined in the keystore file (the password must be XOR encoded). |
| TrustStoreRef | | A reference to a managed keystore from security.xml. |
| TrustStorePath | app_server_root/etc/ws-security/samples/dsig-receiver.ks | The location of the truststore file. Note: You must modify this value from the default value to match the path location for your system. |
| TrustStoreType | JKS | The truststore type. |
| TrustStorePassword | password | The password of the truststore file. |
| AttributeProvider | com.mycompany.SAML.AttributeProviderImpl | Implementation class of the attribute provider. Note: The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.Saml11AttributeCallback or com.ibm.websphere.wssecurity.callbackhandler.Saml20AttributeCallback callback object, then update the SAMLAttribute list received from the getSAMLAttributes method invoked on that object. |
| NameIDProvider | com.mycompany.SAML.NameIDProviderImpl | Implementation class of the name ID provider. Note: The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback callback object, then call the setSAMLNameID method on that object to update the NameID. |
Sample SAMLIssuerConfig.properties file:

```properties
IssuerURI=http://www.websphere.ibm.com/SAML/SelfIssuer
TimeToLiveMilliseconds=3600000
KeyStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
KeyStoreType=JKS
KeyStorePassword={xor}LDotKTot
KeyAlias=soapprovider
KeyName=CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP
KeyPassword={xor}LDotKTot
TrustStorePath=${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
TrustStoreType=JKS
TrustStorePassword={xor}LDotKTot
```
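As an added illustration (not IBM's code) of the AttributeProvider and NameIDProvider contract described in the table above, the following single class handles all three callbacks and can be named in both properties. The callback class names and the getSAMLAttributes and setSAMLNameID methods come from the table; the SAMLAttribute and SAMLNameID constructor signatures, the class name, and the attribute and NameID values are assumptions.

```java
import java.io.IOException;
import java.util.List;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback;
import com.ibm.websphere.wssecurity.callbackhandler.Saml11AttributeCallback;
import com.ibm.websphere.wssecurity.callbackhandler.Saml20AttributeCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLAttribute;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLNameID;

/**
 * Hypothetical provider usable as both AttributeProvider and NameIDProvider
 * for a self-issued SAML token. Only the callback types and the
 * getSAMLAttributes/setSAMLNameID calls are documented; the SAMLAttribute and
 * SAMLNameID constructors used below are assumed.
 */
public class SelfIssuedTokenProviderImpl implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof Saml20AttributeCallback) {
                // Extend the list the issuer already built rather than replacing it.
                addAttributes(((Saml20AttributeCallback) cb).getSAMLAttributes());
            } else if (cb instanceof Saml11AttributeCallback) {
                addAttributes(((Saml11AttributeCallback) cb).getSAMLAttributes());
            } else if (cb instanceof NameIDCallback) {
                // Constructed value; a real provider would take it from the authenticated subject.
                // Assumed constructor: (value, format, nameQualifier, spNameQualifier, spProvidedId)
                SAMLNameID nameId = new SAMLNameID("alice@example.com",
                        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", null, null, null);
                ((NameIDCallback) cb).setSAMLNameID(nameId);
            } else {
                // Reject anything else so misconfiguration surfaces instead of being ignored.
                throw new UnsupportedCallbackException(cb, "Callback type not handled");
            }
        }
    }

    private static void addAttributes(List<SAMLAttribute> attrs) {
        // Constructed attribute; assumed constructor:
        // (name, stringValues, xmlValues, namespace, format, friendlyName)
        attrs.add(new SAMLAttribute("Membership",
                new String[] { "admins", "developers" }, null, null, null, null));
    }
}
```

Set AttributeProvider and NameIDProvider to the fully qualified name of this class and keep the values it emits consistent with what the relying party's policy expects.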