Release Notes › Web Services Security (formerly SOA Security Manager) Release Notes › Changes to Existing Features

Changes to Existing Features

WS-Security Authentication Scheme Changed to Improve Security When Handling SAML Assertion Tokens

Earlier releases of SOA Security Manager did not require you to specify a subject confirmation method when configuring the WS-Security authentication scheme to handle SAML assertion tokens. When configured in this way, the authentication scheme would verify identities from SAML assertions with any subject confirmation method without validating supporting signatures.

In CA SiteMinder WSS 12.51, the WS-Security authentication scheme requires you to specify which subject confirmation method (or methods) to allow. Also, CA SiteMinder WSS 12.51 now validates supporting signatures (where applicable) by default.

Action required:

Action is required if you are upgrading from an earlier release in which you configured a WS-Security authentication scheme to handle SAML assertion tokens.

• Specify all allowable subject confirmation methods.
• If you must accept assertions without supporting signatures, unset the Verify Supporting Signatures option. However, we recommend that you ask your web service client partner to include supporting signatures and only unset this option if they cannot do so.