Secure SAML tokens at the message level by enabling assertion
signing.
Before you begin
Before configuring signing for SAML tokens, you must configure
SAML policy sets and bindings that create SAML tokens as authentication
supporting tokens with message-level integrity protection. For more
information, read about securing messages using SAML. In addition,
the attached SAML bindings must be application-specific bindings,
not general bindings: the SAML assertion is signed with a transform
algorithm (STR-Transform) that differs from the one used for the other
signed parts, and general bindings support only one transform algorithm
for all signed parts.
About this task
This task specifically addresses steps for
how to digitally sign a SAML token. This task does not address any
of the SAML Token Profile OASIS standard requirements for SAML sender-vouches
or SAML bearer tokens with regards to message parts that must be signed.
To sign SAML assertions, a SOAP message must include a <wsse:SecurityTokenReference>
element in the <wsse:Security> header block. The SecurityTokenReference
(STR) is referenced by the message signature through a <ds:Reference>
element. The STR must contain a <wsse:KeyIdentifier> element whose
ValueType is either http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
or http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
and whose content is the identifier of the referenced assertion. The <ds:Reference>
element must include the URI of the STR-transform algorithm, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
The STR-transform makes the signature cover the SAML assertion that the STR
points at, not only the <wsse:SecurityTokenReference> element itself; without
it, the assertion could be replaced without invalidating the signature.
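The following Python script is an added example, not part of this documentation or of the product: it checks that an outbound or inbound message is laid out the way the paragraph above requires (an STR under Envelope/Header/wsse:Security carrying a SAML KeyIdentifier that names an assertion present in the message, a ds:Reference pointing at that STR, and the STR-Transform on that reference). It walks the same path as the two XPath expressions in step 1 of the procedure, for SOAP 1.1 and SOAP 1.2 envelopes. The SOAP message it builds is constructed for the example, with placeholder digest and signature values; the script checks structure only and does not verify the signature.

```python
"""Structural lint for a WS-Security message that signs a SAML assertion
through a SecurityTokenReference with the STR-Transform (added example)."""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# KeyIdentifier ValueType values accepted for a SAML assertion reference
SAML_KEYID_TYPES = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID",
}
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")


def q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def find_strs(envelope):
    """Same path as the two XPath expressions of step 1:
    Envelope/Header/wsse:Security/wsse:SecurityTokenReference (SOAP 1.1 or 1.2)."""
    soap_ns = envelope.tag[1:].split("}")[0] if envelope.tag.startswith("{") else ""
    if soap_ns not in (SOAP11, SOAP12) or envelope.tag != q(soap_ns, "Envelope"):
        return []
    strs = []
    for header in envelope.findall(q(soap_ns, "Header")):
        for security in header.findall(q(WSSE, "Security")):
            strs.extend(security.findall(q(WSSE, "SecurityTokenReference")))
    return strs


def assertion_ids(envelope):
    """IDs of all SAML assertions: ID (SAML 2.0) or AssertionID (SAML 1.x)."""
    ids = {a.get("ID") for a in envelope.iter(q(SAML2, "Assertion"))}
    ids |= {a.get("AssertionID") for a in envelope.iter(q(SAML1, "Assertion"))}
    ids.discard(None)
    return ids


def check_signed_saml(xml_text):
    """Return a list of problems; empty means the layout matches the procedure.
    Digest and signature values are NOT verified; a consumer must still do that."""
    envelope = ET.fromstring(xml_text)
    strs = find_strs(envelope)
    if not strs:
        return ["no wsse:SecurityTokenReference under Envelope/Header/wsse:Security"]
    ids = assertion_ids(envelope)
    # every ds:Reference in the message, keyed by the URI it points at
    refs = {ref.get("URI", ""): ref
            for sig in envelope.iter(q(DS, "Signature"))
            for ref in sig.iter(q(DS, "Reference"))}
    problems = []
    for str_el in strs:
        str_id = str_el.get(q(WSU, "Id"))
        label = "STR %s" % (str_id or "(no wsu:Id)")
        keyid = str_el.find(q(WSSE, "KeyIdentifier"))
        if keyid is None:
            problems.append(label + ": missing wsse:KeyIdentifier")
            continue
        if keyid.get("ValueType") not in SAML_KEYID_TYPES:
            problems.append(label + ": KeyIdentifier ValueType is not a SAML assertion ID type")
        target = (keyid.text or "").strip()
        if target not in ids:
            problems.append(label + ": KeyIdentifier %r names no assertion in the message" % target)
        if str_id is None:
            problems.append(label + ": no wsu:Id, so no ds:Reference can point at it")
            continue
        ref = refs.get("#" + str_id)
        if ref is None:
            problems.append(label + ": no ds:Reference with URI='#%s'" % str_id)
            continue
        algorithms = [t.get("Algorithm") for t in ref.iter(q(DS, "Transform"))]
        if STR_TRANSFORM not in algorithms:
            problems.append(label + ": ds:Reference lacks STR-Transform, so only the "
                            "STR element is signed, not the assertion it points at")
    return problems


def sample_message(soap_ns=SOAP11, transform=STR_TRANSFORM,
                   value_type="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
                   referenced_id="_a1"):
    """Constructed message (not a capture); parameters drive the checks to failure."""
    return f"""<S:Envelope xmlns:S="{soap_ns}">
 <S:Header>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
   <saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.test</saml2:Issuer>
   </saml2:Assertion>
   <wsse:SecurityTokenReference wsu:Id="str1">
    <wsse:KeyIdentifier ValueType="{value_type}">{referenced_id}</wsse:KeyIdentifier>
   </wsse:SecurityTokenReference>
   <ds:Signature><ds:SignedInfo>
     <ds:Reference URI="#str1">
      <ds:Transforms><ds:Transform Algorithm="{transform}"/></ds:Transforms>
      <ds:DigestValue>placeholder</ds:DigestValue>
     </ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </wsse:Security>
 </S:Header>
 <S:Body/>
</S:Envelope>"""
```

Calling check_signed_saml(sample_message()) returns an empty list; replacing the transform with plain canonicalization, pointing the KeyIdentifier at an ID that is not in the message, or using a non-SAML ValueType each produces one problem entry naming the STR and the missing element.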
Follow these
configuration steps to enable signing SAML tokens at the message level.
Procedure
- Configure the message parts.
- From the administrative console, edit
the SAML policy set, then click .
- Under Integrity protection,
click Add.
- Enter a part name for Name
of part to be signed; for example, saml_part.
- Under Elements in Part,
click Add.
- Select XPath Expression.
- Add two XPath expressions, one for a SOAP 1.1 envelope and one for a SOAP 1.2 envelope.
SOAP 1.1 envelope:
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'
and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
and local-name()='SecurityTokenReference']
SOAP 1.2 envelope:
/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope'
and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
and local-name()='SecurityTokenReference']
- Click Apply and Save.
- If an application has never been started
using this policy, no further action is required. Otherwise, either
restart the application server or follow the instructions in the Refreshing
policy set configurations using wsadmin scripting article,
for the application server to reload the policy set.
- Modify the client bindings to sign the SAML
token.
- From the Service client policy set and bindings panel,
click .
- Modify the currently configured outbound
Signed message part bindings to include the new SAML part that you
created.
Under Request message signature
and encryption protection, select the part reference whose
status is set to Configured. This part reference
will most likely be request:app_signparts.
- From the Available list under Message part
reference, select the name of the part to be signed, as created in
step 1; for example, saml_part.
- Click Add, and then click Apply.
- In the Assigned list under Message part
reference, highlight the name of the part you added; for example, saml_part.
- Click Edit.
- For the Transform algorithms setting, click New.
- Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
- Click OK, click OK,
and then click OK one more time.
- Update the SAML token generator with the
custom property that indicates a digital signature using a Security Token
Reference.
Under Authentication tokens, select and edit
the SAML token you want to sign.
- Under Custom property, click New.
- In the New field, enter the name of the
custom property appropriate for the version of the product
on which you are running: com.ibm.ws.wssecurity.createSTR on
Version 7.0.0.11 or later, otherwise signToken.
Best practice: If you are running on Version 7.0.0.11 or later, specify
the com.ibm.ws.wssecurity.createSTR custom property instead of the
signToken custom property. The com.ibm.ws.wssecurity.createSTR custom
property extends the functionality of the signToken custom property to
security tokens that are not stand-alone.
- Enter true as the value of the custom property.
- Click Apply, and then click Save.
- Restart the web services client
application so that the policy set attachment modifications can take
effect.
- Modify the provider bindings to accept a
signed SAML token.
- From the Service provider policy sets and bindings panel,
click .
- Modify the currently configured inbound Signed
message part bindings to include the new SAML part that you created.
Under Request message signature and encryption
protection, select the part reference whose status is
set to Configured. This part reference will
most likely be request:app_signparts.
- From the Available list under Message part
reference, select the name of the part to be signed, as created in
step 1; for example, saml_part.
- Click Add, and then click Apply.
- In the Assigned list under Message part
reference, highlight the name of the part you added; for example, saml_part.
- Click Edit.
- For the Transform algorithms setting, click New.
- Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
- Click OK, click OK,
and then click OK one more time.
- Click Save.
- Restart the application.