Configure policy sets and binding documents to enable a web services client to request SAML assertions from an external Security Token Service (STS).
The procedure to configure application-specific bindings to access an STS is more involved. The administrative console is designed to manage policy set attachments to communicate with a web service provider. The console is not designed to manage a second set of policy set attachments to communicate to an STS. However, you can use the administrative console to manage a policy set attachment to access an STS, as described in the procedure.
Use the administrative console to attach the policy set that is used to access an STS to a web services client, and then create and modify an application-specific binding. Once the binding configuration is complete, detach the policy set and binding from the web services client. This procedure is necessary because the next step is to attach the policy set and bindings to communicate to the target web services provider. Detached application-specific bindings are not deleted from the file system, so the web services client bindings custom properties can successfully refer to the detached application-specific bindings.
The procedure uses a default application policy set, Username WSHTTPS default, as an example to describe the configuration steps to access the STS. The steps can also be applied to other policy sets. The web services application, JaxWSServicesSamples, is used in the example. JaxWSServicesSamples is not installed by default.
[8/23/09 18:26:59:252 CDT] 0000001f TrustSecurity 3 Security Token Service response:
[8/23/09 18:26:59:392 CDT] 0000001f TrustSecurity 3
<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</a:Action>
<a:RelatesTo>urn:uuid:663A7B27BA8EB2CF9D1251070029934</a:RelatesTo>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="_0">
<u:Created>2009-08-23T23:26:57.664Z</u:Created>
<u:Expires>2009-08-23T23:31:57.664Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse>
<trust:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-08-23T23:26:57.648Z</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-08-24T09:26:57.648Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>https://taishan.austin.ibm.com:9443/WSSampleSei/EchoService12</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
AssertionID="_3c656382-9916-4e5f-9a16-fe0287dfc409" Issuer="http://svt193.svt193domain.com/Trust" IssueInstant="2009-08-23T23:26:57.663Z">
<saml:Conditions NotBefore="2009-08-23T23:26:57.648Z" NotOnOrAfter="2009-08-24T09:26:57.648Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://taishan.austin.ibm.com:9443/WSSampleSei/EchoService12</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
AuthenticationInstant="2009-08-23T23:26:57.640Z">
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_3c656382-9916-4e5f-9a16-fe0287dfc409">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>YGySZX4VPv25R+oyzFpE0/T/tjs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>eP68...Vr08=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MII...ymqg3</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3c656382-9916-4e5f-9a16-fe0287dfc409</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3c656382-9916-4e5f-9a16-fe0287dfc409</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>