

How to Configure WS-Security Authentication to Verify User Identities Obtained from WS-Security Headers

Configure a WS‑Security authentication scheme to verify user identities using credentials obtained from WS‑Security tokens in the SOAP header of a request message. The WS-Security authentication scheme can also validate digital signatures and decrypt XML-encrypted headers as necessary.

Diagram showing the procedures required to configure WS-Security authentication

To configure CA SiteMinder WSS to validate user identities using WS-Security authentication, complete the following process:

  1. Verify that certificates required to validate signed tokens are present in the certificate data store
  2. Configure the WS-Security authentication scheme

Verify That Certificates Required to Validate Signed Tokens are Present in the Certificate Data Store

CA SiteMinder WSS uses the public key certificates of trusted issuers to validate signed WS-Security tokens.

Public key certificates are stored in the certificate data store (CDS). The certificate data store is collocated with the policy store. All Policy Servers that share a common view into the same policy store have access to the same certificates.

The following table shows the certificates that must be present in the CDS to handle your WS‑Security validation requirements.

Token Type                      Required Certificates
------------------------------  --------------------------------------------------------------------------------
SAML Assertion; Sender-vouches  Certificate of issuing web service consumer application
SAML Assertion; Holder-of-key   Certificates of XML request subject and issuing web service consumer application
X.509v3; Username (if signed)   Certificate of trusted issuer

Note: If you remove a trusted certificate from the CDS, run the Flush All cache management function from the Administrative UI. This function empties the Policy Server and WSS agent local cache. Access the cache management function by selecting Administration, Policy Server, Cache Management.

More information:

Key and Certificate Management

Import Trusted Certificates and Key/Certificate Pairs

Configure the WS-Security Authentication Scheme

To obtain security information from WS‑Security headers in incoming XML messages, configure the WS‑Security authentication scheme.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Web Services Authentication Schemes, Create Authentication Scheme.

    The Create Authentication Scheme pane opens.

    Authentication scheme settings open.

  3. Enter a name and a description for the scheme in the General section.
  4. Select WS‑Security from the Authentication Scheme Type list.
  5. Specify a protection level.
  6. In the Scheme Setup section, select the required Security Token Type: Username and Password Digest, X509v3 Certificate, or SAML Assertion.

    If you select Username and Password Digest or X509v3 Certificate, the XML Signature Restrictions section is displayed. If you select SAML Assertion, the SAML Token Restrictions section is displayed.

  7. If you selected the Username and Password Digest or X509v3 Certificate security token type, specify how restrictions should be applied in the XML Signature Restrictions section.
  8. If you selected the SAML Assertion security token type, complete the options in the SAML Token Restrictions section to specify how token restrictions should be applied.
  9. (Optional) For messages with multiple WS‑Security headers, specify the value of the SOAP actor (role) attribute that identifies the header element from which CA SiteMinder WSS should obtain security tokens in the SOAP Role field (located in the Advanced group box). For example:
    http://www.example.com/soap/MySOAPRole
    
  10. (Optional) To prevent authentication errors caused by clock skew between token producer and consumer systems, specify the maximum allowable skew time in the Timestamp Skew Time field (located in the Advanced group box).

    Default: 30 seconds

  11. Click Submit.

    The authentication scheme is saved. You can now assign it in application object components or realms.
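As an added example that is not part of the CA SiteMinder WSS documentation, the following Python shows what the two Advanced settings from steps 9 and 10 control: it selects the wsse:Security header whose SOAP actor attribute matches the configured SOAP Role, then accepts that header's wsu:Timestamp only if Created and Expires fall within the configured skew. The envelope is a constructed sample, and the page does not describe how the product itself performs this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
ACTOR_ATTR = "{%s}actor" % NS["soap"]  # SOAP 1.1 name of the actor (role) attribute

# Constructed sample request: two Security headers, one addressed to an
# intermediary and one to the role this authentication scheme is configured for.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsse:Security soap:actor="http://www.example.com/soap/Intermediary">
      <wsu:Timestamp><wsu:Created>2024-01-01T11:00:00Z</wsu:Created><wsu:Expires>2024-01-01T11:05:00Z</wsu:Expires></wsu:Timestamp>
    </wsse:Security>
    <wsse:Security soap:actor="http://www.example.com/soap/MySOAPRole">
      <wsu:Timestamp><wsu:Created>2024-01-01T12:00:20Z</wsu:Created><wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
</soap:Envelope>"""

def select_security_header(envelope_xml, soap_role):
    """Return the wsse:Security header whose actor attribute equals soap_role, else None."""
    root = ET.fromstring(envelope_xml)
    for hdr in root.findall("soap:Header/wsse:Security", NS):
        if hdr.get(ACTOR_ATTR) == soap_role:
            return hdr
    return None

def parse_wsu_time(value):
    """wsu:Created/wsu:Expires are xsd:dateTime values in UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def timestamp_is_valid(security_hdr, now, skew_seconds=30):
    """Accept the Timestamp if Created is at most skew in the future and Expires
    is at most skew in the past (30 s is the default Timestamp Skew Time)."""
    created = security_hdr.findtext("wsu:Timestamp/wsu:Created", namespaces=NS)
    expires = security_hdr.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS)
    if created is None or expires is None:
        return False  # a missing or incomplete Timestamp is rejected, not assumed fresh
    skew = timedelta(seconds=skew_seconds)
    return parse_wsu_time(created) <= now + skew and parse_wsu_time(expires) >= now - skew

def validate_request(envelope_xml, soap_role, now_utc_iso, skew_seconds=30):
    """True only if the header addressed to soap_role carries a Timestamp valid at now_utc_iso."""
    hdr = select_security_header(envelope_xml, soap_role)
    return hdr is not None and timestamp_is_valid(hdr, parse_wsu_time(now_utc_iso), skew_seconds)
```

With the sample above and a verifier clock of 12:00:00Z, the header for MySOAPRole (Created 20 seconds ahead of the clock) passes with the 30-second default skew and fails with a skew of 0, while the intermediary's expired header fails either way.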

(Optional) Strip Standard Prefixes from XPath Queries That Identify WS-Security SAML Assertion Attributes

When specifying an XPath expression to identify a SAML assertion attribute that specifies the user identity for WS‑Security authentication in the Attribute Name/XPATH field, you may need to strip standard prefixes to return the attribute value itself. The XPath substring-after function provides a standard method to perform this operation.

For example, consider a SAML assertion created by the CA SiteMinder SAML Assertion Generator. This assertion contains an attribute "username" that specifies the user identity that you want to use for authentication in the following format:

header:uid=username

To remove the unwanted prefix, "header:uid=", use the XPath substring-after function in the XPath query in which you specify the target attribute. For example, the following XPath query returns "username" rather than the whole string "header:uid=username":

substring-after(//SMprofile/NVpair[1]/text(),"header:uid=")
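As an added illustration that is not part of the CA SiteMinder WSS documentation, the Python below emulates the XPath query above over a constructed SMprofile attribute value, using xml.etree instead of an XPath engine so that the substring-after semantics are explicit. It also shows the failure mode a practitioner should expect: when the first NVpair does not start with the prefix, substring-after yields the empty string, so the scheme would be handed an empty user identity.

```python
import xml.etree.ElementTree as ET

# Constructed sample attribute value in the "header:uid=username" format the page describes.
SAMPLE_PROFILE = """<SMprofile>
  <NVpair>header:uid=jsmith</NVpair>
  <NVpair>header:mail=jsmith@example.com</NVpair>
</SMprofile>"""

def substring_after(value, separator):
    """XPath 1.0 substring-after(): the text following the first occurrence of
    separator, or the empty string if separator does not occur in value."""
    idx = value.find(separator)
    return "" if idx < 0 else value[idx + len(separator):]

def first_nvpair_text(profile_xml):
    """Emulates //SMprofile/NVpair[1]/text(): the text of the first NVpair child
    (in document order) of the first SMprofile element, wherever it sits."""
    root = ET.fromstring(profile_xml)
    profile = next(root.iter("SMprofile"), None)  # iter() includes the root itself
    nvpair = profile.find("NVpair") if profile is not None else None
    # An empty node-set has the string value "" in XPath 1.0.
    return "" if nvpair is None else (nvpair.text or "")

def extract_user_identity(profile_xml, prefix="header:uid="):
    """Emulates substring-after(//SMprofile/NVpair[1]/text(), "header:uid=")."""
    return substring_after(first_nvpair_text(profile_xml), prefix)
```

An empty result from this expression is therefore a misconfigured XPath or an unexpected attribute layout, not a valid identity, and it should be treated as an authentication failure.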