SAML Session Ticket Response Attribute Variables

The following table lists the response attribute variable name/value pairs specific to the WebAgent-SAML-Session-Ticket-Variable attribute. You can use these variables to build assertions.

Note: You can configure other response variables with the SAML Session Ticket attribute; however, they are ignored by SOA Security Manager for the assertion and are handled as standard response attributes by CA SiteMinder.

Each entry below gives the variable name, the value it accepts, its attribute kind, and its meaning.

TXM_SAML_Location (required)

Variable Value:
  • Envelope_Header (default)
  • HTTP_Header
  • Cookie_Header

Attribute Kind: Static

Meaning: Instructs the SOA Agent to insert the assertion into the SOAP envelope message header, an HTTP header, or a cookie header.

If the value is Envelope_Header, the client must provide an XML message for the assertion.

If the value is HTTP_Header, an HTTP header named tmsamlsessionticket is added to the HTTP headers delivered to the web service.

If the value is Cookie_Header, the assertion is inserted into a cookie named tmsamlsession and returned to the caller in an HTTP Set-Cookie header. The cookie can also be read by the web service application at the URI protected by SOA Security Manager.

Note: Do not attempt to place more than one signature in a cookie. The SOA Agent can return cookies of at most 4 KB; if the cookie would be larger than 4 KB, no cookie is generated at all.

TXM_Force_Logon (optional)

Variable Value: Yes or No

Attribute Kind: Static

Meaning: Forces the client to authenticate using the authentication scheme for the target realm.

This variable is useful when a client requests an assertion while logged on with only a session cookie. Such a client is allowed access to the web service but does not receive an assertion, because it presented only a cookie.

To make the user log off and be challenged again, configure the web service to redirect the client to a log-off URI. When the user returns to the web service, they are challenged again and obtain the assertion.

Note: To find out how to set up a log-off URI, see the CA SiteMinder Agent Guide.

TXM_Issuer (optional)

Variable Value: URI

Attribute Kind: Static

Meaning: Identifies the issuer of the assertion. The value is placed in the issuer URI field of the generated assertion.

If the assertion is sent to a third party, the third party can use this URI to validate the assertion by sending it back to the issuer at that URI.

TXM_Namequalifier (optional)

Variable Value: Domain name

Attribute Kind: Static

Meaning: Indicates the domain name of the subject of the assertion.

TXM_Sign (optional)

Variable Value: Yes or No

Attribute Kind: Static

Meaning: Tells the SOA Agent to sign the SOAP document payload with the private key dynamically generated by the Policy Server.

Note: If you use this variable, do not use the TXM_Public_Key variable.

TXM_Sign_Assertion (optional)

Variable Value: Yes or No

Attribute Kind: Static

Meaning: Tells the SOA Agent to sign the assertion that is part of the SOAP document, so that a recipient that verifies the signature can detect any alteration of the assertion.

TXM_Public_Key (optional)

Variable Value:
  • XMLDSIG
  • Client_Cert
  • User_Store

Attribute Kind: Static

Meaning: Tells the SOA Agent where to obtain the public key that it binds to the session ticket.

XMLDSIG: Takes the key from the digital certificate carried in the signed XML document. The web service must be protected by the XML Digital Signature authentication scheme.

Client_Cert: Takes the key from the client certificate presented over the SSL connection.

User_Store: Takes the key from the user store.

Note: Do not use this variable with TXM_Sign.

TXM_User_Cert (optional; LDAP user directories only)

Variable Value: usercertificate

This value is the most common for LDAP user directories. If your LDAP directory uses a custom naming scheme, the value will be different.

Attribute Kind: User Attribute

Meaning: Specifies the LDAP query string that the SOA Agent uses to retrieve the public key from the user store.

This variable is required when TXM_Public_Key is set to User_Store.
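The following added example (not code from SOA Security Manager or CA) shows what a web service on the receiving end does with these settings: it locates the assertion wherever TXM_SAML_Location put it (the SOAP Header, the tmsamlsessionticket HTTP header, or the tmsamlsession cookie), checks the fields that TXM_Issuer, TXM_Namequalifier and TXM_Sign_Assertion control together with the assertion's own validity window, and mirrors the 4 KB cookie limit. It assumes a SAML 1.x assertion with Issuer and NameQualifier as XML attributes, that header and cookie values carry the XML raw or base64-encoded, and a sample issuer URI; the sample assertion and SOAP envelope are constructed for the example. The signature check only confirms that a ds:Signature element is present; cryptographic verification against the agent's key needs an XML-DSig library and is outside this example.

```python
"""Consumer-side handling of a SOA Agent SAML session ticket (added example,
not product code). Assumes a SAML 1.x assertion (Issuer and NameQualifier are
XML attributes) carried raw or base64-encoded in the header/cookie. The
signature check is presence-only; real verification needs an XML-DSig library."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HEADER_NAME = "tmsamlsessionticket"  # TXM_SAML_Location=HTTP_Header
COOKIE_NAME = "tmsamlsession"        # TXM_SAML_Location=Cookie_Header
COOKIE_LIMIT = 4096                  # the agent emits no cookie above 4 KB
ISSUER = "https://sso.example.com/issuer"  # assumed TXM_Issuer value

# Constructed sample, shaped as TXM_Issuer=ISSUER and TXM_Namequalifier=example.com
# would populate it; deliberately unsigned.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1" '
    f'AssertionID="_a1" Issuer="{ISSUER}" IssueInstant="2024-05-01T12:00:00Z">'
    '<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
    '<saml:AuthenticationStatement AuthenticationInstant="2024-05-01T12:00:00Z" '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject>'
    '<saml:NameIdentifier NameQualifier="example.com">alice</saml:NameIdentifier>'
    '</saml:Subject></saml:AuthenticationStatement></saml:Assertion>'
)
SAMPLE_SOAP = (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>{SAMPLE_ASSERTION}'
               '</soapenv:Header><soapenv:Body><getQuote>ACME</getQuote></soapenv:Body></soapenv:Envelope>')

def _decode(text):
    """Accept raw XML or base64 text (the on-the-wire encoding is assumed)."""
    text = text.strip()
    return text if text.startswith("<") else base64.b64decode(text).decode()

def extract_assertion(location, headers=None, cookies=None, soap_body=None):
    """Find the assertion where TXM_SAML_Location told the agent to put it."""
    node = None
    if location == "Envelope_Header":
        header = ET.fromstring(soap_body).find(f"{{{SOAP_NS}}}Header")
        if header is not None:
            node = header.find(f".//{{{SAML_NS}}}Assertion")
    elif location == "HTTP_Header":
        lowered = {k.lower(): v for k, v in (headers or {}).items()}  # header names are case-insensitive
        if HEADER_NAME in lowered:
            node = ET.fromstring(_decode(lowered[HEADER_NAME]))
    elif location == "Cookie_Header":
        if cookies and COOKIE_NAME in cookies:
            node = ET.fromstring(_decode(cookies[COOKIE_NAME]))
    else:
        raise ValueError(f"unknown TXM_SAML_Location {location!r}")
    if node is None or node.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError(f"no SAML assertion found at {location}")
    return node

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(node, issuer, qualifier, require_signature, now=None):
    """Check what TXM_Issuer, TXM_Namequalifier and TXM_Sign_Assertion control,
    plus the assertion's own validity window."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if node.get("Issuer") != issuer:
        problems.append("issuer mismatch")
    name_id = node.find(f".//{{{SAML_NS}}}NameIdentifier")
    if name_id is None or name_id.get("NameQualifier") != qualifier:
        problems.append("name qualifier mismatch")
    if require_signature and node.find(f"{{{DSIG_NS}}}Signature") is None:
        problems.append("assertion not signed")  # presence only, see docstring
    cond = node.find(f"{{{SAML_NS}}}Conditions")
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired")
    return problems

def cookie_fits(assertion_xml):
    """Mirror the agent's 4 KB limit: larger payloads yield no cookie at all."""
    return len(COOKIE_NAME) + 1 + len(base64.b64encode(assertion_xml.encode())) <= COOKIE_LIMIT

def demo():
    """Exercise all three delivery locations against the constructed sample."""
    b64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()
    ok = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    late = datetime(2024, 5, 1, 12, 6, tzinfo=timezone.utc)
    out = {}
    node = extract_assertion("HTTP_Header", headers={"Tmsamlsessionticket": b64})
    out["header_ok"] = validate_assertion(node, ISSUER, "example.com", False, ok)
    out["header_unsigned"] = validate_assertion(node, ISSUER, "example.com", True, ok)
    node = extract_assertion("Envelope_Header", soap_body=SAMPLE_SOAP)
    out["wrong_issuer"] = validate_assertion(node, "https://other.example/", "example.com", False, ok)
    node = extract_assertion("Cookie_Header", cookies={COOKIE_NAME: b64})
    out["expired"] = validate_assertion(node, ISSUER, "example.com", False, late)
    out["cookie_fits"] = cookie_fits(SAMPLE_ASSERTION)
    out["oversize_fits"] = cookie_fits(SAMPLE_ASSERTION + "<!-- " + "x" * 4000 + " -->")
    return out
```

Calling demo() returns one problem list per scenario. The point for the consumer is twofold: look only in the location the policy configured, and treat a parsed assertion as untrusted until its issuer, name qualifier, validity window and (when TXM_Sign_Assertion is Yes) signature have been checked. The oversize case shows why a second signature in the cookie is a bad idea: the agent simply emits nothing, and the web service sees a request with no ticket rather than an error.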

Note: Do not use the SAML assertion, XML Body, XML Agent, and XML Envelope Header variables that you can choose from the Variables policy object in a policy domain. These variables are for use exclusively in policy expressions, not with the SAML Session Ticket response.

Enter these variables by typing the name and value in the appropriate fields in the Response Attribute dialog.
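Before typing the variables into the dialog, it is worth checking the set as a whole against the rules in the table. The following added example (not CA code) is a small linter for a name-to-value mapping of WebAgent-SAML-Session-Ticket-Variable entries: it enforces the required variable, the allowed values, the Yes/No flags, the TXM_Sign versus TXM_Public_Key exclusion, and the TXM_User_Cert requirement for User_Store. The two sample policies are constructed; the URI check on TXM_Issuer and the treatment of variable names as case-sensitive are this example's assumptions, not statements from the product documentation.

```python
"""Pre-flight check of a WebAgent-SAML-Session-Ticket-Variable attribute set.
Added example, not product code: it encodes the constraints stated in the table
so a policy can be checked before it is entered in the Response Attribute dialog."""
from urllib.parse import urlparse

LOCATIONS = {"Envelope_Header", "HTTP_Header", "Cookie_Header"}
KEY_SOURCES = {"XMLDSIG", "Client_Cert", "User_Store"}
YES_NO = ("TXM_Force_Logon", "TXM_Sign", "TXM_Sign_Assertion")
KNOWN = set(YES_NO) | {"TXM_SAML_Location", "TXM_Issuer", "TXM_Namequalifier",
                       "TXM_Public_Key", "TXM_User_Cert"}

def lint_session_ticket_vars(attrs):
    """Return the list of problems found in a variable-name -> value mapping."""
    problems = []
    loc = attrs.get("TXM_SAML_Location")
    if loc is None:
        problems.append("TXM_SAML_Location is required")
    elif loc not in LOCATIONS:
        problems.append(f"TXM_SAML_Location: unknown value {loc!r}")
    for name in YES_NO:
        if name in attrs and attrs[name] not in ("Yes", "No"):
            problems.append(f"{name}: must be Yes or No, got {attrs[name]!r}")
    key = attrs.get("TXM_Public_Key")
    if key is not None and key not in KEY_SOURCES:
        problems.append(f"TXM_Public_Key: unknown value {key!r}")
    # The table's note forbids using the two variables together, whatever the value.
    if key is not None and "TXM_Sign" in attrs:
        problems.append("TXM_Sign and TXM_Public_Key must not be used together")
    if key == "User_Store" and not attrs.get("TXM_User_Cert"):
        problems.append("TXM_User_Cert is required when TXM_Public_Key is User_Store")
    if "TXM_User_Cert" in attrs and key != "User_Store":
        problems.append("TXM_User_Cert is set but TXM_Public_Key is not User_Store")
    issuer = attrs.get("TXM_Issuer")
    if issuer is not None and not urlparse(issuer).scheme:  # assumption: a URI needs a scheme
        problems.append(f"TXM_Issuer: {issuer!r} is not a URI")
    for name in attrs:  # names spelled differently from the table (assumed case-sensitive)
        if name.startswith("TXM_") and name not in KNOWN:
            problems.append(f"{name}: not a session ticket variable, ignored for the assertion")
    return problems

# Constructed sample policies (not taken from the page).
GOOD_POLICY = {"TXM_SAML_Location": "Envelope_Header", "TXM_Issuer": "https://sso.example.com/issuer",
               "TXM_Namequalifier": "example.com", "TXM_Sign_Assertion": "Yes",
               "TXM_Public_Key": "User_Store", "TXM_User_Cert": "usercertificate"}
BAD_POLICY = {"TXM_Sign": "Yes", "TXM_Public_Key": "User_Store", "TXM_Force_Logon": "true",
              "TXM_Issuer": "sso.example.com", "TXM_NameQualifier": "example.com"}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_session_ticket_vars(policy) or "ok")
```

The bad policy trips six checks, including a mis-cased TXM_NameQualifier that would silently be handled as an ordinary response attribute rather than feeding the assertion; catching that before the dialog is the reason to lint rather than discover it from a missing NameQualifier downstream.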