Configure a WS‑Security authentication scheme to verify user identities using credentials obtained from WS‑Security tokens in the SOAP header of a request message. The WS-Security authentication scheme can also validate digital signatures and decrypt XML encrypted headers as necessary..
To configure CA SiteMinder® Web Services Security to validate user identities using WS-Security authentication, complete the following process:
CA SiteMinder® Web Services Security uses the public key certificates of trusted issuers to validate signed WS-Security tokens.
Public key certificates are stored in the certificate data store (CDS). The certificate data store is collocated with the policy store. All Policy Servers that share a common view into the same policy store have access to the same certificates.
The following table shows the certificates that must be present in the CDS to handle your WS‑Security validation requirements.
Token Type |
Required Certificates |
---|---|
SAML Assertion; Sender-vouches |
Certificate of issuing web service consumer application |
SAML Assertion; Holder-of-key |
Certificates of XML request subject and issuing web service consumer application. |
X.509v3; Username (if signed) |
Certificate of trusted issuer |
To obtain security information from WS‑Security headers in incoming XML messages, configure the WS‑Security authentication scheme.
Follow these steps:
The Create Authentication Scheme pane opens.
Authentication scheme settings open.
If you select Username and Password Digest or X509v3 Certificate, the XML Signature Restrictions section is displayed. If you select SAML Assertion, the SAML Token Restrictions section is displayed.
http://www.example.com/soap/MySOAPRole
Default: 30 seconds
The authentication scheme is saved. You can now assign it in application object components or realms.
When specifying an XPath expression to identify a SAML assertion attribute that specifies the user identity for WS‑Security authentication in the Attribute Name/XPATH field, you may need to strip standard prefixes to return the attribute value itself. The XPath substring-after function provides a standard method to perform this operation.
For example, consider a SAML assertion created by the CA SiteMinder SAML Assertion Generator. This assertion contains an attribute “username” that specifies the user identify that you want to use for authentication in the following format:
header:uid=username
To remove the unwanted prefix, “header:uid=”, use the XPath substring-after function in the XPath query in which you specify the target attribute. For example the following Xpath query will return “username” rather than the whole string “header:uid=username”:
substring-after(//SMprofile/NVpair[1]/text(),"header:uid=")
Copyright © 2014 CA.
All rights reserved.
|
|