Variables for Generating SAML Tokens

The following table describes response variable name/value pairs associated with generating SAML tokens for use in WS-Security tokens.

Variable Name: TXM_WSSEC_SAML20_ASSERTION
Variable Value:
  • Yes
  • No (default)
Attribute Type: Static
Meaning: Specifies whether the generated SAML assertion token is SAML 2.0 compliant.

Variable Name: TXM_WSSEC_SAML20_SPID (required for SAML 2.0)
Variable Value: SAML_20_audience_value
Attribute Type: Static
Meaning: Specifies the value of the <saml:Audience> element in a generated SAML 2.0 assertion token.

Variable Name: TXM_WSSEC_SAML_AFFILIATE
Variable Value: affiliate_or_service_provider_object_name
Attribute Type: Static
Meaning: Identifies the affiliate (SAML 1.x) or service provider (SAML 2.0) object that configures how SAML assertions are produced for inclusion in SAML tokens.

Variable Name: TXM_WSSEC_SAML_ROLE (optional)
Variable Value: SAML_assertion_token_role_name
Attribute Type: Static
Meaning: Specifies the value of the SOAP role attribute that identifies the WS-Security header element containing the SAML assertion token.

Variable Name: TXM_WSSEC_SAML_SIG_REQUIRED
Variable Value:
  • HK
  • SV
  • SVS
Attribute Type: Static
Meaning: Specifies how the assertion and the document are signed:
  • HK (holder-of-key): only the assertion is signed (enveloped signature).
  • SV (sender-vouches with SSL-based issuer confirmation): both the assertion and the document are signed (external signature).
  • SVS (sender-vouches with signature-based issuer validation): the assertion is explicitly signed (enveloped) in addition to the SV signing. This option is supported only for SAML 1.x assertions.
Any other value, or no value, results in the default: no signing.

Variable Name: TXM_WSSEC_SAML_USER_CERT_SRC
Variable Value:
  • XMLDSIG
  • Client_Cert
  • User_Store
Attribute Type: Static
Meaning: If TXM_WSSEC_SAML_SIG_REQUIRED is set to HK, this value specifies where SOA Security Manager obtains the web service consumer’s public key:
  • XMLDSIG: the public key is retrieved from a signed request sent to a web service protected by the XML DSIG authentication scheme.
  • Client_Cert: the public key is retrieved from SSL.
  • User_Store: the public key is retrieved from an associated user store. If this value is set, the TXM_WSSEC_SAML_USER_CERT response variable must also be configured.
Note: If TXM_WSSEC_SAML_SIG_REQUIRED is set to SV, this option is ignored because no user public key is required.

Variable Name: TXM_WSSEC_SAML_USER_CERT
Variable Value: usercertificate (This value is the most common for LDAP user directories. If your LDAP directory uses a custom naming scheme, the value will differ.)
Attribute Type: User Attribute
Meaning: If TXM_WSSEC_SAML_USER_CERT_SRC is set to User_Store, specifies the LDAP query string that the SOA Agent uses to retrieve the web service consumer’s public key from the user store for signing SAML assertion tokens.
Note: SOA Security Manager automatically completes the query string using the value you specify.

Variable Name: TXM_WSSEC_SAML_TIMESTAMP (optional)
Variable Value:
  • True
  • False (default)
Attribute Type: Static
Meaning: A value of True causes a timestamp to be generated for use in SAML assertions.
Note: If TXM_WSSEC_SAML_SIG_REQUIRED is set to SV or SVS, the timestamp is signed.

Variable Name: TXM_WSSEC_SAML_TIMESTAMP_EXPIRY (optional)
Variable Value: message_lifespan_in_seconds
Attribute Type: Static
Meaning: Tells the agent to add an expiry element to the timestamp used in SAML assertions. The value of the expiry element is an absolute time computed from the time of assertion creation plus the specified message lifespan.
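The dependencies between these variables (a SAML 2.0 assertion needs an Audience, HK needs a certificate source, User_Store needs a user attribute, and an unrecognised or missing TXM_WSSEC_SAML_SIG_REQUIRED value silently produces an unsigned token) are easy to get wrong in a response. The following consistency check is an added example, not part of SOA Security Manager; its function names and the sample response are my own, and it assumes the expiry only applies when a timestamp is generated.

```python
# Added example: lint a set of TXM_WSSEC_SAML_* response variables against the
# rules stated in the table above. Not product code; names are illustrative.
from datetime import datetime, timedelta, timezone

SIGNING_MODES = {"HK", "SV", "SVS"}          # any other value means no signing
CERT_SOURCES = {"XMLDSIG", "Client_Cert", "User_Store"}


def check_saml_response_vars(resp):
    """Return a list of findings; an empty list means the variables are consistent."""
    findings = []
    saml20 = resp.get("TXM_WSSEC_SAML20_ASSERTION", "No") == "Yes"
    sig = resp.get("TXM_WSSEC_SAML_SIG_REQUIRED")
    src = resp.get("TXM_WSSEC_SAML_USER_CERT_SRC")
    if saml20 and not resp.get("TXM_WSSEC_SAML20_SPID"):
        findings.append("SAML 2.0 selected but TXM_WSSEC_SAML20_SPID (Audience) is missing")
    if not resp.get("TXM_WSSEC_SAML_AFFILIATE"):
        findings.append("TXM_WSSEC_SAML_AFFILIATE is missing")
    if sig not in SIGNING_MODES:
        # the table: any other value, or no value, results in no signing
        findings.append(f"TXM_WSSEC_SAML_SIG_REQUIRED={sig!r}: token will NOT be signed")
    if sig == "SVS" and saml20:
        findings.append("SVS is supported only for SAML 1.x assertions")
    if sig == "HK":
        if src not in CERT_SOURCES:
            findings.append("HK needs TXM_WSSEC_SAML_USER_CERT_SRC (XMLDSIG, Client_Cert or User_Store)")
        elif src == "User_Store" and not resp.get("TXM_WSSEC_SAML_USER_CERT"):
            findings.append("User_Store needs TXM_WSSEC_SAML_USER_CERT (for example usercertificate)")
    return findings


def assertion_expiry(created, resp):
    """Absolute expiry time: creation time plus TXM_WSSEC_SAML_TIMESTAMP_EXPIRY seconds.
    Assumption: returns None when no timestamp is requested."""
    if resp.get("TXM_WSSEC_SAML_TIMESTAMP", "False") != "True":
        return None
    lifespan = int(resp.get("TXM_WSSEC_SAML_TIMESTAMP_EXPIRY", "0"))
    return created + timedelta(seconds=lifespan)


# Constructed sample response: holder-of-key SAML 2.0 token, key from the user store.
SAMPLE_RESPONSE = {
    "TXM_WSSEC_SAML20_ASSERTION": "Yes",
    "TXM_WSSEC_SAML20_SPID": "https://sp.example.test/ws",   # placeholder audience
    "TXM_WSSEC_SAML_AFFILIATE": "example-sp",                # placeholder object name
    "TXM_WSSEC_SAML_SIG_REQUIRED": "HK",
    "TXM_WSSEC_SAML_USER_CERT_SRC": "User_Store",
    "TXM_WSSEC_SAML_USER_CERT": "usercertificate",
    "TXM_WSSEC_SAML_TIMESTAMP": "True",
    "TXM_WSSEC_SAML_TIMESTAMP_EXPIRY": "300",
}

if __name__ == "__main__":
    print(check_saml_response_vars(SAMPLE_RESPONSE))  # prints []
    print(assertion_expiry(datetime.now(timezone.utc), SAMPLE_RESPONSE))
```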

More information:

SAML Assertion Token

Configuration Requirements for Generating SAML Assertions

Supported Authentication Schemes for Producing Each WS-Security Header Type