Secure SAML tokens at the message level by enabling assertion signing.
Before you begin
Before configuring signing for SAML tokens, you must configure SAML policy sets and bindings to create SAML tokens as authentication supporting tokens with message-level integrity protection. For more information, read about securing messages using SAML. In addition, the attached SAML bindings must be application-specific bindings, not general bindings: the transform algorithm used for signing SAML assertions differs from the one used for the other signed parts, whereas general bindings allow only one transform algorithm.
About this task
This task specifically addresses the steps for digitally signing a SAML token. It does not address any of the SAML Token Profile OASIS standard requirements for SAML sender-vouches or SAML bearer tokens with regard to the message parts that must be signed. To sign SAML assertions, a SOAP message must include a <wsse:SecurityTokenReference> element in the <wsse:Security> header block. The SecurityTokenReference (STR) is referenced by the message signature using a <ds:Reference> element. The security token reference must include a <wsse:KeyIdentifier> element whose ValueType value is either http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID or http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID, specifying the referenced assertion identifier. The <ds:Reference> element must include the URI of the STR-transform algorithm, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform. Use of STR-transform ensures that the SAML assertion itself is signed, not only the <wsse:SecurityTokenReference> element: without it, the digest covers just the reference, so the assertion's content is not integrity protected.
Follow these configuration steps to enable signing SAML tokens at the message level.
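The structural requirements above (an STR with a SAML KeyIdentifier, a ds:Reference to that STR, and the STR-Transform algorithm on that reference) can be checked on an inbound or outbound message before any cryptographic verification is attempted. The following Python checker is an added example, not part of this documentation or of the WebSphere runtime; it uses only the standard library, and the SOAP envelope it inspects is a constructed sample with placeholder digest and signature values. It does not verify the signature itself; it only reports whether the message is shaped so that STR-Transform will cause the assertion, rather than the bare reference element, to be covered by the signature.

```python
"""Structural check for signed SAML token references in a WS-Security header (added example)."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML_VALUE_TYPES = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID",
}


def check_saml_str_signature(envelope_xml: str) -> list:
    """Return a list of problems; an empty list means the header meets the requirements."""
    problems = []
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return ["no wsse:Security header block"]

    # Map each ds:Reference URI in the message signature to the set of transform algorithms it applies.
    references = {}
    for ref in security.iter(f"{{{DS}}}Reference"):
        references[ref.get("URI", "")] = {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}

    # Only STRs whose KeyIdentifier carries a SAML ValueType point at an assertion; STRs that
    # identify the signing certificate (for example inside ds:KeyInfo) are deliberately skipped.
    saml_strs = []
    for str_el in security.iter(f"{{{WSSE}}}SecurityTokenReference"):
        key_id = str_el.find(f"{{{WSSE}}}KeyIdentifier")
        if key_id is not None and key_id.get("ValueType") in SAML_VALUE_TYPES:
            saml_strs.append((str_el.get(f"{{{WSU}}}Id"), (key_id.text or "").strip()))
    if not saml_strs:
        problems.append("no SecurityTokenReference with a SAML KeyIdentifier ValueType")

    for str_id, assertion_id in saml_strs:
        algorithms = references.get(f"#{str_id}")
        if algorithms is None:
            problems.append(f"STR {str_id!r} (assertion {assertion_id!r}) is not referenced by the signature")
        elif STR_TRANSFORM not in algorithms:
            # The reference covers only the STR element, so the assertion content is unsigned.
            problems.append(f"ds:Reference to STR {str_id!r} does not use STR-Transform")
    return problems


def sample_envelope(transform_algorithm: str) -> str:
    """Constructed sample envelope; DigestValue and SignatureValue are placeholders, not real values."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soapenv:Header>
    <wsse:Security>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_assertion-1"/>
      <wsse:SecurityTokenReference wsu:Id="str-1">
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_assertion-1</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#str-1">
            <ds:Transforms>
              <ds:Transform Algorithm="{transform_algorithm}"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


if __name__ == "__main__":
    print("STR-Transform:", check_saml_str_signature(sample_envelope(STR_TRANSFORM)))
    print("plain c14n:   ", check_saml_str_signature(sample_envelope("http://www.w3.org/2001/10/xml-exc-c14n#")))
```

Running the block reports no problems for the envelope whose reference uses STR-Transform, and flags the one that applies only exclusive canonicalization to the STR, which is exactly the misconfiguration the text warns about: a valid signature that never covers the assertion.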
Avoid trouble: Using a SAML attribute callback handler is the only way to add custom attributes to a SAMLToken upon initial creation. Although you can add attributes to your SAMLToken object using the SAMLToken.addAttribute method, doing so removes the digital signature on the token if one exists. The method also cannot be used with encrypted SAML tokens or encrypted attributes.