

WS-Security Response Examples

The following examples show how you can use WS‑Security responses.

Example 1

This example shows how to create a response that generates a Username and Password Digest token and uses the enterprise private key to digitally sign the message’s SOAP envelope.

The following table shows the response attributes you must add to the response (all attributes are of type WebAgent-WS‑Security-Token):

| Variable Name | Variable Value | Attribute Type |
|---|---|---|
| TXM_WSSEC_TOKEN_TYPE | password | Static |
| TXM_WSSEC_USER_PASSWORD | userpassword | User Attribute |
| TXM_WSSEC_SIGNATURE | all | Static |

Example 2

This example shows how to create a response that generates an X509v3 token and uses the enterprise private key to digitally sign the message’s SOAP envelope.

The following table shows the response attributes you must add to the response (all attributes are of type WebAgent-WS‑Security-Token):

| Variable Name | Variable Value | Attribute Type |
|---|---|---|
| TXM_WSSEC_TOKEN_TYPE | X509 | Static |

Example 3

This example shows how to create a response that generates a SAML assertion token using the holder-of-key subject confirmation method, retrieving the subject’s public key from an associated user store.

The following table shows the response attributes you must add to the response (all attributes are of type WebAgent-WS‑Security-Token):

| Variable Name | Variable Value | Attribute Type |
|---|---|---|
| TXM_WSSEC_TOKEN_TYPE | SAML | Static |
| TXM_WSSEC_SAML_AFFILIATE | affiliate1 | Static |
| TXM_WSSEC_SAML_SIG_REQUIRED | hk | Static |
| TXM_WSSEC_SAML_USER_CERT_SRC | User_Store | Static |
| TXM_WSSEC_SAML_USER_CERT | usercertificate | User Attribute |

Example 4

This example shows how to create a response that encrypts an incoming document and delivers the encrypted document to the web service.

The response generates a SAML assertion token using the sender vouches subject confirmation method and encrypts the SAML assertion and message body. The token and other related information are placed in a WS‑Security header identified by the SOAP actor/role samlrole.

The SAML assertion and the message body are encrypted using the public key certificate found in the WS‑Security header with the role pubkeyrole. The rsa-1_5 algorithm should be used to encrypt the symmetric encryption key; the tripledes-cbc algorithm should be used to encrypt the assertion and body data.

The document should be signed before encryption; the document and assertion should also be signed with a sender-vouches signature.

The following table shows the response attributes you must add to the response (all attributes are of type WebAgent-WS‑Security-Token):

| Variable Name | Variable Value | Attribute Type |
|---|---|---|
| TXM_WSSEC_TOKEN_TYPE | SAML | Static |
| TXM_WSSEC_SAML_AFFILIATE | affiliate2 | Static |
| TXM_WSSEC_SAML_ROLE | samlrole | Static |
| TXM_WSSEC_SAML_SIG_REQUIRED | sv | Static |
| TXM_WSSEC_SAML_ENCRYPT_PUB_KEY_ROLE | pubkeyrole | Static |
| TXM_WSSEC_SAML_ENCRYPT_ALG_KEY | rsa-1_5 | Static |
| TXM_WSSEC_SAML_ENCRYPT_ALG_DATA | tripledes-cbc | Static |
| TXM_WSSEC_SAML_ENCRYPT_ELEMENT | Assertion | Static |
| TXM_WSSEC_SAML_ENCRYPT_ELEMENT | Body | Static |
| TXM_WSSEC_SAML_ENCRYPT_OR_SIGN_FIRST | sign | Static |
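
A check that a message matches the Example 4 settings, added here as an illustration and not taken from the product or its documentation: it confirms the WS-Security header for actor samlrole, the rsa-1_5 key encryption, and the tripledes-cbc encryption of the assertion and body. The sample message is constructed, and its layout (SOAP 1.1, WS-Security and XML Encryption namespaces, EncryptedKey inside the samlrole header) is an assumption about what the response produces.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
XENC = NS["xenc"]

# Constructed sample (not product output); cipher data and signatures omitted.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"
    xmlns:wsse="{NS['wsse']}" xmlns:xenc="{XENC}">
 <soap:Header><wsse:Security soap:actor="samlrole">
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/></xenc:EncryptedKey>
  <xenc:EncryptedData>
   <xenc:EncryptionMethod Algorithm="{XENC}tripledes-cbc"/></xenc:EncryptedData>
 </wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData>
   <xenc:EncryptionMethod Algorithm="{XENC}tripledes-cbc"/></xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>"""

def check_example4(xml_text, role="samlrole",
                   key_alg="rsa-1_5", data_alg="tripledes-cbc"):
    """Return a list of deviations from Example 4; empty means a match."""
    root = ET.fromstring(xml_text)
    actor = "{%s}actor" % NS["soap"]
    sec = next((h for h in root.findall("soap:Header/wsse:Security", NS)
                if h.get(actor) == role), None)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        return ["missing soap:Body or wsse:Security header for actor " + role]
    problems = []
    if any(el.tag.endswith("}Assertion") for el in sec.iter()):
        problems.append("SAML assertion present in cleartext")
    if [c.tag for c in body] != ["{%s}EncryptedData" % XENC]:
        problems.append("Body content is not a single EncryptedData element")
    def algs(parent, kind):
        return [m.get("Algorithm") for m in
                parent.findall("xenc:%s/xenc:EncryptionMethod" % kind, NS)]
    if algs(sec, "EncryptedKey") != [XENC + key_alg]:
        problems.append("key transport algorithm is not " + key_alg)
    for name, parent in (("Assertion", sec), ("Body", body)):
        if algs(parent, "EncryptedData") != [XENC + data_alg]:
            problems.append(name + " data algorithm is not " + data_alg)
    return problems

if __name__ == "__main__":
    print(check_example4(SAMPLE) or "matches Example 4")
```

The role and algorithm parameters default to the Example 4 values; pass other values to check a response configured differently.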

Example 5

This example shows how to create a response that decrypts an incoming encrypted message and passes it to the associated web service in a message with a SAML assertion token.

| Variable Name | Variable Value | Attribute Type |
|---|---|---|
| TXM_WSSEC_TOKEN_TYPE | SAML | Static |
| TXM_WSSEC_SAML_AFFILIATE | affiliate2 | Static |
| TXM_WSSEC_SAML_ENCRYPT_DECRYPT | yes | Static |