To configure CA SiteMinder® Web Services Security to produce SAML Session Tickets, create a response and associate it with resources in a web service authorization policy. This response data is used by the SiteMinder WSS Agent to generate SAML Session Tickets. The SiteMinder WSS Agent then delivers the SAML Session Ticket to the protected web service.
Use variable types, if needed, to pass data back to the web service. Variables are resolved by the Policy Server at run time, when it generates the response.
To configure responses to produce WS-Security Headers for outgoing messages, do the following procedures:
If the public keys used in assertions are going to be stored in the user directory, define an attribute in your directory to store these public keys, and make sure it is available to the Policy Server.
Note: This is not required if the public key is included in the client’s submitted XML document or obtained from a certificate over the SSL link.
To define the properties of the SAML Session Ticket you want CA SiteMinder® Web Services Security to produce, create a SAML Session Ticket response in an application security policy.
Note: If you are using the domain security model, create a SAML Session Ticket response in the web service domain.
Follow these steps:
The Create Application Response pane opens.
The fields on the Attribute Fields group box are updated to match the specified attribute type.
The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Create Response Attribute pane.
The Create Response Task is submitted for processing and you are returned to the Responses tab.
The following table lists the response attribute variable name/value pairs specific to the WebAgent-SAML-Session-Ticket-Variable attribute. You can use these variables to build assertions.
Note: You can configure other response variables with the SAML Session Ticket attribute; however, they are ignored by CA SiteMinder® Web Services Security for the assertion and are handled as standard response attributes by CA SiteMinder®.
Variable Name | Variable Value | Attribute Kind | Meaning
---|---|---|---
TXM_SAML_Location (required) | Envelope_Header, HTTP_Header, or Cookie_Header | Static | Instructs the SiteMinder WSS Agent to insert the assertion into the SOAP envelope message header, an HTTP header, or a cookie header. If Envelope_Header is the value, the client must provide an XML message for the assertion. If HTTP_Header is the value, an HTTP header named tmsamlsessionticket is added to the HTTP headers delivered to the web service. If Cookie_Header is the value, the assertion is inserted into a cookie named tmsamlsession and returned to the caller in an HTTP Set-Cookie header. The cookie can also be read by the web service application at the URI protected by CA SiteMinder® Web Services Security. Note: Do not attempt to place more than one signature in a cookie. The SiteMinder WSS Agent enforces a 4 KB limit on the size of the cookies it returns, and no cookie is generated if it would exceed 4 KB.
TXM_Force_Logon (optional) | Yes or No | Static | Forces the client to authenticate using the authentication scheme for the target realm. This variable is useful if a client tries to get an assertion when logging on with only a cookie. The client is allowed access to the web service, but does not receive an assertion because the client has only a cookie. To inform the user that they have to log off and then get rechallenged to obtain the assertion, the web service can be set up to redirect the client to a log-off URI. The user can then come back to the web service and be challenged again to obtain the assertion. Note: To find out how to set up a log-off URI, see the Web Agent Configuration Guide.
TXM_Issuer (optional) | URI | Static | Indicates the issuer of the assertion. The value is placed in the issuer URI field of the generated assertion. If the assertion is sent to a third party, the third party can use this variable to validate the assertion by sending it back to the specified URI.
TXM_Namequalifier (optional) | Domain name | Static | Indicates the domain name of the subject of the assertion.
TXM_Sign (optional) | Yes or No | Static | Tells the SiteMinder WSS Agent to sign the SOAP document payload with the private key dynamically generated by the Policy Server. Note: If you use this variable, do not use the TXM_Public_Key variable.
TXM_Sign_Assertion (optional) | Yes or No | Static | Tells the SiteMinder WSS Agent to sign the assertion that is part of the SOAP document. This ensures that no one can alter the assertion.
TXM_Public_Key (optional) | XMLDSIG, Client_Cert, or User_Store | Static | Tells the SiteMinder WSS Agent where to get the public key that it binds to the session ticket. XMLDSIG—Tells the SiteMinder WSS Agent to get the key from the document with the digital certificate (the web service must be protected by the XML Digital Signature authentication scheme). Client_Cert—Indicates the client certificate sent over the SSL connection. User_Store—Tells the SiteMinder WSS Agent to get the key from the user store. Note: Do not use this variable with TXM_Sign.
TXM_User_Cert (optional; LDAP user directories only) | usercertificate (the most common value for LDAP user directories; if your LDAP directory uses a custom naming scheme, the value differs) | User Attribute | Specifies the LDAP query string that the SiteMinder WSS Agent uses to retrieve the public key from the user store. This variable is required when TXM_Public_Key is set to User_Store.
Note: Do not use the SAML assertion, XML Body, XML Agent, and XML Envelope Header variables that you can choose from the Variables policy object in a policy domain. These variables are for use exclusively in policy expressions, not with the SAML Session Ticket response.
Enter these variables by typing the name and value in the appropriate fields in the Response Attribute dialog.
You can use assertion variables to help the SiteMinder WSS Agent build the assertion.
Example 1
If the web service is protected by the XML-DSIG authentication scheme, create an attribute that extracts the client’s public key from the certificate and adds it to the SAML assertion. To instruct the SiteMinder WSS Agent to get the public key from the digital certificate, enter the variable TXM_Public_Key with the value XMLDSIG.
The following table shows the properties of the primary response attribute:
Field | Value
---|---
Attribute | WebAgent-SAML-Session-Ticket-Variable
Attribute Kind | Static
Variable Name | TXM_Public_Key
Variable Value | XMLDSIG
If the public key is coming from the user directory, two response attributes are required. The properties of the first required response attribute would be as follows:
Field | Value
---|---
Attribute | WebAgent-SAML-Session-Ticket-Variable
Attribute Kind | User Attribute
Variable Name | TXM_User_Cert
Variable Value | usercertificate
The properties of the second required response attribute would be as follows:
Field | Value
---|---
Attribute | WebAgent-SAML-Session-Ticket-Variable
Attribute Kind | Static
Variable Name | TXM_Public_Key
Variable Value | User_Store
Example 2
To ensure that the assertion is placed in the SOAP envelope message header, the properties of the required response attribute would be as follows:
Field | Value
---|---
Attribute | WebAgent-SAML-Session-Ticket-Variable
Attribute Kind | Static
Variable Name | TXM_SAML_Location
Variable Value | Envelope_Header
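The variable table and the two examples above define a handful of constraints on a SAML Session Ticket response (TXM_SAML_Location is required, TXM_Sign excludes TXM_Public_Key, User_Store needs TXM_User_Cert, fixed value sets, Static versus User Attribute kinds). The following added example, which is not CA's code and does not talk to a Policy Server, lints a set of response attributes against exactly those rules before they are entered in the Response Attribute dialog; the attribute tuples are constructed here for illustration.

```python
"""Lint WebAgent-SAML-Session-Ticket-Variable response attributes (added example)."""

from typing import Dict, List, Tuple

# Permitted values per the variable table; every variable except TXM_User_Cert is Static.
ALLOWED = {
    "TXM_SAML_Location": {"Envelope_Header", "HTTP_Header", "Cookie_Header"},
    "TXM_Force_Logon": {"Yes", "No"},
    "TXM_Sign": {"Yes", "No"},
    "TXM_Sign_Assertion": {"Yes", "No"},
    "TXM_Public_Key": {"XMLDSIG", "Client_Cert", "User_Store"},
}
STATIC_ONLY = set(ALLOWED) | {"TXM_Issuer", "TXM_Namequalifier"}
TICKET_VARIABLES = STATIC_ONLY | {"TXM_User_Cert"}

# Each response attribute is (Variable Name, Variable Value, Attribute Kind).
Attr = Tuple[str, str, str]


def lint_ticket_response(attrs: List[Attr]) -> List[str]:
    """Return the list of problems found; an empty list means the set is consistent."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for name, value, kind in attrs:
        if name in seen:
            problems.append(f"{name} is defined more than once")
        seen[name] = value
        if name not in TICKET_VARIABLES:
            # Other variables are ignored for the assertion and handled as standard attributes.
            problems.append(f"{name} is not a SAML Session Ticket variable (treated as standard)")
            continue
        if name in STATIC_ONLY and kind != "Static":
            problems.append(f"{name} must be a Static attribute, got {kind!r}")
        if name == "TXM_User_Cert" and kind != "User Attribute":
            problems.append("TXM_User_Cert must be a User Attribute naming the LDAP attribute")
        if name in ALLOWED and value not in ALLOWED[name]:
            problems.append(f"{name}={value!r} is not one of {sorted(ALLOWED[name])}")
    if "TXM_SAML_Location" not in seen:
        problems.append("TXM_SAML_Location is required")
    # The table notes make TXM_Sign and TXM_Public_Key mutually exclusive.
    if "TXM_Sign" in seen and "TXM_Public_Key" in seen:
        problems.append("TXM_Sign and TXM_Public_Key must not be used together")
    # Pulling the key from the user store needs the LDAP attribute that holds the certificate.
    if seen.get("TXM_Public_Key") == "User_Store" and "TXM_User_Cert" not in seen:
        problems.append("TXM_Public_Key=User_Store requires TXM_User_Cert")
    return problems


if __name__ == "__main__":
    # Constructed input matching the user-directory case of Example 1 plus Example 2.
    print(lint_ticket_response([
        ("TXM_SAML_Location", "Envelope_Header", "Static"),
        ("TXM_User_Cert", "usercertificate", "User Attribute"),
        ("TXM_Public_Key", "User_Store", "Static"),
    ]))
```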
Copyright © 2013 CA. All rights reserved.