Previous Topic: Responses OverviewNext Topic: WS-Security Response Examples


How to Configure Responses to Produce WS-Security Headers

To configure CA SiteMinder® Web Services Security to produce WS-Security headers, create a response and associate it with resources in a web service security policy. This response data is used by the SiteMinder WSS Agent to generate WS‑Security headers. The SiteMinder WSS Agent then inserts these headers into the SOAP message header and delivers them to the protected web service.

Use variable types, if needed, to pass data back to the web service. Variables are resolved by the Policy Server at run time, when it generates the response.

Diagram illustrating how to configure responses to produce WS-Security headers

To configure responses to produce WS-Security Headers for outgoing messages, do the following procedures:

  1. Verify certificate requirements.
  2. Review supported authentication schemes for producing different WS-Security token types.
  3. If required, configure CA SiteMinder® Web Services Security to produce SAML assertions.
  4. Configure a response to produce WS-Security headers.

More information:

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

Verify Certificate Requirements

Before you configure a response to produce WS‑Security headers, verify that the following requirements are met:

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

You can configure responses to produce any type of WS-Security token upon successful authorization of a request. However, not every authentication scheme gathers all the necessary information (username, clear text password, SOAP message) from an incoming request to create every type of token.

If a response is configured to create a token that requires anything that the configured authentication scheme does not provide, header creation fails. Verify that the authentication method that you plan to use is suitable to produce the WS-Security token that you want to produce in response.

The following table shows which WS-Security tokens can be produced for each authentication method.

 

 

WS-Security Token Types That Can be Produced

Authentication Method

 

Username and Password

Username and Password Digest

SAML

X.509

Basic (SiteMinder WSS Agent for Web Servers only)

 

No

Yes

No

No

XML-DCC

 

Yes

Yes

Yes

Yes

XML-DSIG

 

No

No

Yes

Yes

SAML Session Ticket

 

No

No

Yes

Yes

WS-Security Username and Password Token

 

Yes

Yes

Yes

Yes

WS-Security Username and Password Digest Token

 

No

Yes

Yes

Yes

WS-Security SAML Token

 

No

No

Yes

Yes

WS-Security X.509 Token

 

No

No

Yes

Yes

SiteMinder Session (SMSESSION) Cookie

 

No

No

No

No

Configure CA SiteMinder® Web Services Security to Generate SAML Assertions

If you are configuring CA SiteMinder® Web Services Security to add WS-Security headers containing SAML assertions tokens to outgoing messages, you must first perform some additional configuration in the Administrative UI

In all SAML token generation situations, you must create an Affiliate domain. Additionally, you must perform the following steps depending on the version of SAML tokens you need to generate:

Note: Affiliate domains and related SAML token functionality are implemented as part of legacy federation on the Policy Server.

SAML 1.x Assertion Generator

If you are configuring CA SiteMinder® Web Services Security to add WS-Security tokens containing SAML 1.x assertions to SOAP documents for consumption by other web services, you must configure the SAML Assertion Generator to produce the SAML 1.1 assertions that will be used in those tokens.

Note: The SAML Assertion Generator is a component of CA SiteMinder® legacy federation on the Policy Server.

The SAML Assertion Generator uses static configuration data from two sources to determine how to construct assertions:

SAML Assertion Generator Properties File

Specifies domain-wide SAML assertion generation parameters

Affiliate Objects

Define a set of parameters for the SAML Assertion Generator

Once configured, the SAML Assertion Generator is triggered to generate an assertion when a WS-Security SAML response (which specifies the affiliate to use to generate the assertion and dynamic information about how the assertion and message should be signed) is triggered by an authorizing policy.

Configure the AMAssertionGenerator.properties File

The AMAssertionGenerator.properties file contains domain-wide configuration parameters required for generating SAML assertions.

To configure the AMAssertionGenerator.properties file for CA SiteMinder® Web Services Security

  1. Navigate to the following location: policy_server_home/config/properties
  2. Open the AMAssertionGenerator.properties file in a text editor.
  3. Modify the following parameters:
    AssertionIssuerID

    Specifies the URL of the authentication web service that is issuing the assertion. Must match the Issuer DN in the enterprise certificate. This value is used for unsigned assertions. For example:

    AssertionIssuerID = http://www.acmewidget.com/ordering

    SecurityDomain

    Specifies the domain name of the enterprise issuing the assertion. For example:

    SecurityDomain = www.example.com

    SourceID

    Not used by CA SiteMinder® Web Services Security.

  4. Save the file and exit the text editor.
  5. Restart the Policy Server. (Changes made to the AmAssertionGenerator.properties file will not be picked up by the Policy Server until it is restarted.)

Configure Affiliate Domains and Affiliate Objects

You require an affiliate domain containing and affiliate object to configure the SAML Assertion Generator produce SAML 1.x assertions in WS-Security SAML tokens.

To configure affiliate domains and affiliate objects, follow the associated procedures in Federation Manager Guide: Legacy Federation. However, because CA SiteMinder® Web Services Security does not use the affiliate object to define an affiliate organization, you do not need to specify all the options.

Note: Affiliate objects configured for CA SiteMinder® Web Services Security do not define the affiliate organization for which the assertion is intended. Assertions generated for CA SiteMinder® Web Services Security can be sent to any web service protected by the WS-Security authentication scheme (or similarly capable third-party security application).

The following list summarizes the affiliate configuration parameters that CA SiteMinder® Web Services Security uses to generate WS-Security SAML tokens. The wizard may require you to enter values for other parameters, but these are not used by CA SiteMinder® Web Services Security.

General page

General section: Name

Specifies the name of the affiliate object (must be unique across all affiliate domains).

This name is referenced by WS-Security policy responses (by defining a txm_wssec_saml_affiliate attribute whose value matches the name of the affiliate object).

General section: Active

Activates the affiliate object.

This option must be set for CA SiteMinder® Web Services Security to produce SAML 1.x assertions.

Restrictions section: Time

(Optional) Specifies times when assertion can be issued.

Restrictions section: IP Address

(Optional) Specifies IP addresses that are allowed to generate SAML assertions.

User page

Add Members

Specifies the users and groups (from the user directory or directories defined in the affiliate domain) for whom assertions should be generated.

Assertions page

General section: Audience

(Optional) Specifies the URI of a document that describes the terms and conditions of the agreement between the token issuer and consumer. This value is added to the assertion and can be used for authentication purposes. (If a request’s assertion token contains an audience value, that value must match one specified in the WS-Security scheme for the request to be authenticated.)

Additionally, the web service can parse the actual audience document to obtain additional information.

General section: Validity Duration Second(s)

(Optional) Specifies the amount of time, in seconds, that the assertion will be valid.

General section: Skew Time Second(s)

(Optional) Specifies the difference, in seconds, between the system clock time of the SAML assertion producer and the system clock time of the SAML assertion consumer.

Session section: Shared Sessioning

Not used by CA SiteMinder® Web Services Security (leave option unset).

Attributes section: Add

(Optional) If specified, an attribute statement will be included in the assertion that can be used for use in authentication and authorization decisions.

Configure SAML 2.0 Service Providers

SAML Service Provider objects define parameters used by the SAML Assertion Generator to produce SAML 2.0 assertions for use in WS-Security SAML tokens.

Note: When you configure a service provider object for use by CA SiteMinder® Web Services Security, you are not defining a service provider organization for which the assertion is intended. Assertions generated for CA SiteMinder® Web Services Security can be sent to any web service protected by the WS-Security authentication scheme (or similarly capable third-party security application).

To configure SAML Service Provider objects, generally follow the associated procedures in the CA SiteMinder Federation Security Services Guide. However, because CA SiteMinder® Web Services Security does not use the affiliate object to define a service provider organization, you do not need to specify all the options. Fields whose use is different for use by CA SiteMinder® Web Services Security are described below.

Name

Specifies the name of the service provider object (must be unique across all affiliate domains). This name is referenced by WS-Security policy responses (by defining a txm_wssec_saml_affiliate attribute whose value matches the name of the affiliate object).

Enabled

Sets the Enabled check box to activate the service provider object. This option must be set for CA SiteMinder® Web Services Security to produce SAML 2.0 assertions.

Authentication URL

Not used by CA SiteMinder® Web Services Security. However, a valid value is required. CA recommends using "http:\\localhost\"

Application URL

Not used by CA SiteMinder® Web Services Security.

SSO Tab: Bindings

Choose the HTTP-Post option.

Configure a Response to Produce WS-Security Headers

To define the properties of WS-Security headers you want CA SiteMinder® Web Services Security to produce, create a WS-Security header response in an application security policy.

Note: If you are using the domain security model, create a WS-Security header response in the web service domain.

Follow these steps:

  1. Create an application object or modify an existing application object that defines the security policy for a web service.
  2. Click the Response tab.
  3. Click Create Response.

    The Create Application Response pane opens.

  4. Type the response name in the General section.
  5. Add response attributes that define the properties of the WS-Security headers, by doing the following steps:
    1. Click Create Response Attribute. The Create Response Attribute pane that opens
    2. Select the WebAgent-WS-Security-Token response attribute type from the Attribute drop-down list in the Attribute Type section.
    3. Select the attribute type (Static, User Attribute, DN Attribute, or Active Response) in the Attribute Kind section.

      The fields on the Attribute Fields group box are updated to match the specified attribute type.

    4. Specify a required name/value pair (listed in the following sections) in the Attribute Fields section. Enter values directly in the Variable Name and Variable Value fields or populate those fields with valid values from the Select a Name and Select a Value drop-down lists.
    5. Specify Cache Value or Recalculate value every ... seconds on the Attribute Caching group box.
    6. Click Submit.

      The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Create Response Attribute pane.

  6. Create further response attributes as required.
  7. Click OK.

    The Create Response Task is submitted for processing and you are returned to the Responses tab.

More information:

(Mandatory) Response Attribute Variable for Specifying the Generated WS-Security Token Type

Response Attribute Variables for Encrypting/Decrypting WS-Security Messages

Response Attribute Variables for Handling WS-Security Headers

(Mandatory) Response Attribute Variable for Specifying the Generated WS-Security Token Type

The TXM_WSSEC_TOKEN_TYPE variable name/value pair determines the WS‑Security token type to generate. A response attribute that defines TXM_WSSEC_TOKEN_TYPE is required in all WS-Security header responses.

TXM_WSSEC_TOKEN_TYPE

Specifies the type of WS‑Security token the SiteMinder WSS Agent should create and add to the WS‑Security header for message authentication:

Attribute kind: Static

Variable value: One of the following:

More information:

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

Response Attribute Variables for Generating Username and Password and X.509 Certificate Tokens

The following table describes the response variable name/value pairs for generating username and password (digest or clear text) and X.509 certificate tokens in WS-Security headers. That is, if the TXM_WSSEC_TOKEN_TYPE response attribute variable is set to password, password_nodigest, or X509.

Variable Name

Variable Value

Attribute Type

Meaning

TXM_WSSEC_USER_PASSWORD

(Required)

 

userpassword

(Value most common for LDAP user directories -- if you have used a custom naming scheme for your LDAP directory, the value will be different.)

User Attribute

Specifies the LDAP query string that the SiteMinder WSS Agent uses to retrieve the web service consumer’s password from the user store. This value is then placed in the token.

Or

password

Static

Specifies a static password value to be used in the token.

TXM_WSSEC_ROLE

(Optional)

token_role_name

Static

Specifies the value of a SOAP role attribute that identifies the WS‑Security header element containing the Username and Password or X.509 token.

TXM_WSSEC_TIMESTAMP

(optional)

  • True
  • False

Static

If True, tells the agent to add a wsu:Timestamp element to the WS‑Security SOAP header that specifies the time that the message was created

TXM_WSSEC_TIMESTAMP _EXPIRY

(Valid only if TXM_WSSEC_TIMESTAMP is True)

message lifespan in seconds

Static

Tells the agent to add a wsu:Expires element to the wsu:Timestamp element in the WS‑Security SOAP header. The value of the wsu:Expires element is an absolute time based on the time of message creation and the specified message lifespan.

TXM_WSSEC_SIGNATURE

(optional)

  • all
  • body_ts
  • body
  • headers

Static

For WS‑Security tokens of type password or X509, tells the agent to retrieve the enterprise private key from the certificate data store (CDS) and use it to digitally sign all or part of the SOAP document:

  • all—the generated signature will cover the entire SOAP envelope.
  • body_ts—the generated signature will cover the SOAP body and the generated <wsu:Timestamp> element. If a timestamp response attribute is not configured, a message will be logged and the signature will cover only the SOAP body.
  • body—the generated signature will cover the SOAP body.
  • headers—the generated signature will cover the SOAP header containing the generated/modified WS‑Security element.

By default, tokens are signed using RSA-SHA1.

TXM_WSSEC_SIGNATURE_ALG

(Valid only if TXM_WSSEC_SIGNATURE is set)

  • rsa-sha1 (default)
  • rsa-sha256

Static

  • For WS‑Security tokens of type password or X509, defines the signature algorithm the agent uses to sign the part of the SOAP document defined by TXM_WSSEC_SIGNATURE.

More information:

Username and Password Digest Token

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

Response Attribute Variables for Generating SAML Tokens

The following table describes the response attribute variable name/value pairs for generating SAML tokens in WS-Security headers. That is, if the TXM_WSSEC_TOKEN_TYPE response attribute variable is set to SAML.

Variable Name

Variable Value

Attribute Type

Meaning

TXM_WSSEC_SAML20_ASSERTION

(Required for SAML 2.0)

  • Yes
  • No (default)

Static

Specifies whether the generated SAML assertion token is SAML 2.0 compliant.

TXM_WSSEC_SAML20_SPID

(required for SAML 2.0)

SAML_20_audience_value

Static

Specifies the value of the <saml:Audience> element in a generated SAML 2.0 assertion token.

TXM_WSSEC_SAML_AFFILIATE

(Required)

affiliate_or_service_provider_object_name

Static

Identifies the affiliate (SAML 1.x) or service provider (SAML 2.0) object that configures how SAML assertions will be produced for inclusion in SAML tokens.

TXM_WSSEC_
SAML_ROLE

(optional)

SAML_assertion_token_role_name

Static

Specifies the value of a SOAP role attribute that identifies the WS-Security header element containing the SAML assertion token.

TXM_WSSEC_SAML_SIG_REQUIRED

  • HK
  • SV
  • SVS

Static

Specifies how the assertion and document should be signed:

  • HK (for holder-of-key)—Only the assertion will be signed (enveloped).
  • SV (for sender-vouches with SSL-based issuer confirmation)—Both assertion and document will be signed (external).
  • SVS (for sender-vouches with signature-based issuer validation)—Assertion is explicitly signed (enveloped) in addition to SV signing. (This option is only supported for SAML 1.x assertions.)

Any other value or no value results in the default—an assertion with a bearer confirmation method.

TXM_WSSEC_
SAML_USER_CERT_SRC

(Required for holder-of-key signing)

  • XMLDSIG
  • Client_Cert
  • User_Store

Static

If TXM_WSSEC_SAML_SIG_REQUIRED is set to HK, this value specifies where CA SiteMinder® Web Services Security should obtain the web service consumer’s public key:

  • XMLDSIG—The public key will be retrieved from a signed request sent to a web service protected by the XML DSIG authentication scheme.
  • Client_Cert—The public key will be retrieved from SSL.
  • User_Store—the public key should be retrieved from an associated user store. If this value is set, the TXM_WSSEC_SAML_USER_CERT response variable must also be configured.

    Note: If TXM_WSSEC_SAML_SIG
    _REQUIRED is set to SV, this option is ignored because no user public key is required.

TXM_WSSEC_
SAML_USER_CERT

(Required if web service consumer public key is obtained from a user store for signing)

usercertificate

This value is the most common for LDAP user directories. If you have used a custom naming scheme for your LDAP directory, the value will be different.

User Attribute

If TXM_WSSEC_SAML_USER_
CERT_SRC is set to User_Store, specifies the LDAP query string that the SiteMinder WSS Agent uses to retrieve the web service consumer’s public key from the user store for signing SAML assertion tokens.

Note: CA SiteMinder® Web Services Security automatically completes the query string using the value you specify.

TXM_WSSEC_
SAML_TIMESTAMP

(optional)

  • True
  • False (default)

Static

A value of True causes a timestamp to be generated for use in SAML assertions.

Note: If TXM_WSSEC_SAML_SIG
_REQUIRED is set to SV or SVS, the timestamp is signed.

TXM_WSSEC_
SAML_TIMESTAMP _EXPIRY

(optional)

message _lifespan_in_seconds

Static

Tells the agent to add an expiry element to the timestamp used in SAML assertions. The value of this expiry element is an absolute time based on the time of assertion creation and the specified message lifespan.

More information:

WS-Security SAML Assertion Token

Configure CA SiteMinder® Web Services Security to Generate SAML Assertions

Review Supported Authentication Schemes for Producing Different WS-Security Header Types

Response Attribute Variables for Encrypting/Decrypting WS-Security Messages

The following table describes response attribute variable name/value pairs that can be configured to tell the SiteMinder WSS Agent to encrypt message elements or to pass a decrypted version of a message to the recipient web service.

Note: There are two versions of each XML encryption-related name/value pair—use the former for use with messages with username/password or X.509 tokens, use the latter for use with messages with SAML tokens.

Variable Name

Variable Value

Attribute Type

Meaning

TXM_WSSEC_ENCRYPT_PUB_KEY_ROLE

or

TXM_WSSEC_SAML_ENCRYPT_PUB_KEY_ROLE

(required)

name_of_WS‑Security_token_consumer

Static

Specifies the value of a SOAP role attribute that identifies the WS‑Security header element containing the recipient's X.509 certificate. The public key in this certificate is used to encrypt the symmetric key. The corresponding private key must be held by the intended message recipient.

This element is required. If no role is specified, the variable must be declared with a null value; CA SiteMinder® Web Services Security will then obtain the key in the WS‑Security header with no role, of which only one is allowed.

TXM_WSSEC_ENCRYPT_ DECRYPT

or

TXM_WSSEC_SAML_ENCR YPT_DECRYPT

  • True
  • False (default)

Static

Specifies whether the SiteMinder WSS Agent should pass an incoming encrypted message to the web service in its encrypted or decrypted form.

If True, the SiteMinder WSS Agent will replace the current message with the decrypted version of the message, if available.

TXM_WSSEC_ENCRYPT_ ELEMENT

or

TXM_WS SEC_SAML_ENCRYPT_ELEMENT

  • UsernameToken
  • Assertion
  • Body

Static

Identifies the message element to be encrypted.

You should add one such name value/pair for each element you want encrypted. For example, configure one name/value pair for the message body and one name/value pair for the token.

For TXM_WSSEC_ENCRYPT_
ELEMENT:

If UsernameToken, Username and Password and Username and Password Digest tokens will be encrypted.

If Body, the message body will be encrypted.

For TXM_WSSEC_SAML_
ENCRYPT_ELEMENT:

If Assertion, SAML assertion token will be encrypted.

If Body, the message body will be encrypted.

TXM_WSSEC_ENCRYPT_ OR_SIGN_FIRST

or

TXM_WSSEC_SAML_ ENCRYPT_OR_SIGN_FIRST

  • Sign (default)
  • Encrypt

Static

Indicates whether encryption or signing should be performed first.

TXM_WSSEC_ENCRYPT_ ALG_KEY

or

TXM_WSSEC_SAML_ENC RYPT_ALG_KEY

  • rsa-1_5
    (default)
  • rsa_oaep

Static

Indicates the encryption algorithm to use to encrypt the symmetric encryption key.

TXM_WSS EC_ENCRYPT_ALG_DATA

or

TXM_WSSEC_SAML_ENC RYPT_ALG_DATA

  • tripledes-cbc (default)
  • aes128-cbc
  • aes256-cbc
  • aes192-cbc

Static

Indicates the encryption algorithm to use to encrypt the data element or elements that have been specified using TXM_WSSEC_ENCRYPT[_SAML]
_ELEMENT variables.

Response Attribute Variables for Handling WS-Security Headers

The following table describes response attribute variable name/value pairs that can be configured to tell the SiteMinder WSS Agent how to handle the mustUnderstand attribute in WS‑Security request , or to remove the mustUnderstand or the entire security token from messages passed to the recipient web service.

Variable Name

Variable Value

Attribute Type

Meaning

TXM_WSSEC_MUST_UNDERSTAND

(optional)

  • True
  • False
  • Not set (default)

Static

Determines how the SiteMinder WSS Agent behaves with respect to the mustUnderstand attribute when consuming and producing messages.

For specifics of the behavior of this variable when consuming and producing headers, see TXM_WSSEC_MUST_UNDERSTAND Response Variable Effect Detail.

TXM_WSSEC_REMOVE

(optional)

  • True
  • False (default)

Static

Determines whether the SiteMinder WSS Agent removes WS-Security headers from messages.

  • If True, the WS-Security header for a specified actor/role (or the default header if no actor/role is defined) is removed from the inbound document. This setting effectively scrubs credentials.
  • (Default) If False, no change is made to the request document.

More information:

TXM_WSSEC_MUST_UNDERSTAND Response Variable Effect Detail

TXM_WSSEC_MUST_UNDERSTAND Response Variable Effect Detail

The following table describes the exact behavior of the SiteMinder WSS Agent when consuming and producing WS‑Security tokens with different values of the TXM_WSSEC_MUST_UNDERSTAND response variable name/value pair.

TXM_WSSEC_MUST_UNDERSTAND Value

Behavior when Consuming WS‑Security Tokens

Behavior when Producing WS‑Security Tokens

Not set

If present in the WS‑Security header, leaves mustUnderstand="1".

Places mustUnderstand="1" in the generated WS‑Security header

False

If present in the WS‑Security header, removes mustUnderstand="1"

Does not place mustUnderstand="1" in the generated WS‑Security header

True

If present in the WS‑Security header, leaves mustUnderstand="1".

Places mustUnderstand="1" in the generated WS‑Security header