Configure the XML DSIG Authentication Scheme

To obtain authentication information from digital signatures associated with incoming XML documents, you configure the XML DSIG authentication scheme.

Note: The following procedure assumes you are creating a new object. You can also create an object by copying the properties of an existing object. For more information, see Duplicate Policy Server Objects.

To configure the authentication scheme

  1. Click Infrastructure, Authentication.
  2. Click SOA Authentication Scheme, Create SOA Authentication Scheme.

    The Create Authentication Scheme pane opens.

  3. Click OK.

    Authentication scheme settings open.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Enter a name and a description for the scheme in the General group box.
  5. Select XML Digital Signature from the Authentication Scheme list.
  6. Specify a protection level.
  7. In the Scheme Setup group box, select how much of the XML document content is signed. A digital signature can apply only to one portion of an XML document. The choices are as follows:

    Note: If the XML document uses raw XML, select the Must cover entire document option, because the entire document is the payload. With raw XML, no envelope headers or body tags exist to distinguish the payload from other content.

  8. To perform authentication over an SSL connection, select the Require Secure Transport Layer check box.
  9. Click Submit.

    The authentication scheme is saved and may be assigned to application components (realms).

  10. Configure certificate mapping for the XML-DSIG scheme.

    A certificate mapping defines how data in the certificate is mapped to form a user Distinguished Name (DN), which the Policy Server uses to authenticate the client.
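The coverage choice in step 7 (and the raw XML note) can be checked on an incoming document before it reaches the Policy Server. The following is an added example, not CA or Policy Server code: it inspects the ds:Reference elements of the first XML Signature and reports whether the signature covers the entire document or only a part of it. It assumes the standard same-document reference (URI="" with the enveloped-signature transform) means "entire document"; the two sample documents are constructed for illustration, and no signature validation is performed.

```python
# Added example (not Policy Server code): classify what an XML-DSIG signature
# covers, mirroring the "Must cover entire document" choice in the scheme setup.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

def signature_coverage(xml_text):
    """Return 'entire-document', 'partial' or 'unsigned' for the first ds:Signature.

    A Reference with URI="" (same-document reference) plus the enveloped-signature
    transform is the standard way to sign the whole document; a URI="#id" reference
    covers only the element carrying that Id. This is a coverage check only; it does
    not verify digests or the signature value."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{DS}Signature")
    if sig is None:
        return "unsigned"
    refs = sig.findall(f".//{DS}SignedInfo/{DS}Reference")
    if not refs:
        return "unsigned"
    for ref in refs:
        transforms = [t.get("Algorithm")
                      for t in ref.findall(f"{DS}Transforms/{DS}Transform")]
        if ref.get("URI") == "" and ENVELOPED in transforms:
            return "entire-document"
    return "partial"

# Constructed sample 1: raw XML payload, whole document enveloped-signed.
WHOLE_DOC_SIGNED = """<Order><Item>1</Item>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<Reference URI=""><Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms><DigestValue>placeholder</DigestValue></Reference>
</SignedInfo><SignatureValue>placeholder</SignatureValue></Signature></Order>"""

# Constructed sample 2: SOAP envelope where only the Body element is signed.
BODY_ONLY_SIGNED = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Header>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<Reference URI="#Body"><DigestValue>placeholder</DigestValue></Reference>
</SignedInfo><SignatureValue>placeholder</SignatureValue></Signature></Header>
<Body Id="Body"><Order><Item>1</Item></Order></Body></Envelope>"""

if __name__ == "__main__":
    for name, doc in (("raw", WHOLE_DOC_SIGNED), ("soap", BODY_ONLY_SIGNED)):
        print(name, signature_coverage(doc))
```

For a scheme configured with Must cover entire document, a document classified as "partial" or "unsigned" should be expected to fail authentication.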