API Gateway 10.11 | Administering API Gateway | Security Configuration | SAML Issuer
 
SAML Issuer
If a native API is enforced with the SAML policy, API Gateway uses this configuration to communicate with the STS (Security Token Service) and retrieve the SAML token.
To add a SAML issuer:
1. Expand the menu options icon in the title bar, and select Administration.
2. Select Security > SAML issuer.
The SAML issuer page lists all the issuers configured along with the Endpoint URI corresponding to each SAML issuer, if any.
3. Click Add SAML issuer.
4. In the Add SAML issuer section, provide the following information:
Field
Description
Name
Name of a SAML token issuer used by API Gateway.
This value must match the value of the Issuer field in the SAML assertion.
Normal client
Selecting this sets the client that requests the SAML token.
Act as delegation
Selecting this delegates the SAML request to another user (delegator).
The delegator uses a signature element to authenticate the SAML request.
Issuer policy
Specifies the name of an issuer policy to be used to communicate with the SAML issuer.
* If a value is specified for the Issuer policy field, then the selected issuer policy is applied to all APIs that use SAML authentication.
* If a value is NOT specified for this field, then a default issuer policy based on the WSS Username or Kerberos communication mode is applied to all APIs.
Communicate using. Specifies the mode of communication.
WSS Username
Specifies that WSS Username mode is used to obtain the SAML assertion to access the API.
The WSS username token is supplied in the header of the SOAP request that the consumer application submits to the API.
Kerberos
Specifies that Kerberos mode is used to obtain the SAML token and assertion to access the API.
Transports the Kerberos token over the Transport Layer Security (TLS) protocol to provide additional security features.
Authenticate using. Specify the type of authentication you want to use while communicating with the SAML issuer.
For the Authentication type WSS Username, authenticate using the following:
Custom credentials
Specifies the values provided in the policy that are required to communicate with the SAML issuer.
Provide the following information:
* Username. Specify a username.
* Password. Specify a password.
For the Authentication type Kerberos, authenticate using any of the following:
Custom credentials
Specifies the values provided in the policy that are required to communicate with the SAML issuer.
Provide the following information:
* Client principal. A valid client LDAP user name.
* Client password. A valid password of the client LDAP user.
* Service principal. A valid Service Principal Name (SPN). The specified value is used by the client to obtain a service ticket from the KDC server.
* Service principal nameform. Specifies the format in which you want to specify the principal name of the service that is registered with the principal database. Select one of the following:
  * Username. Represents the principal name as a named user defined in LDAP used for authentication to the KDC.
  * Hostbased. Represents the principal name using the service name and the host name, where host name is the host computer.
Delegate incoming credentials
Specifies the values provided in the policy required by the API providers to select whether to delegate the incoming Kerberos token or act as a normal client.
Provide the following information:
* Client principal. A valid client LDAP user name.
* Client password. A valid password of the client LDAP user.
* Service principal. A valid Service Principal Name (SPN). The specified value is used by the client to obtain a service ticket from the KDC server.
* Service principal nameform. Specifies the format in which you want to specify the principal name of the service that is registered with the principal database. Select one of the following:
  * Username. Represents the principal name as a named user defined in LDAP used for authentication to the KDC.
  * Hostbased. Represents the principal name using the service name and the host name, where host name is the host computer.
Incoming HTTP basic auth credentials
Specifies the incoming HTTP basic authentication credentials in the transport header of the incoming request for client principal and client password.
Provide the following information:
* Service principal. A valid Service Principal Name (SPN). The specified value is used by the client to obtain a service ticket from the KDC server.
* Service principal nameform. Specifies the format in which you want to specify the principal name of the service that is registered with the principal database. Available values are:
  * Username. Represents the principal name as a named user defined in LDAP used for authentication to the KDC.
  * Hostbased. Represents the principal name using the service name and the host name, where host name is the host computer.
Endpoint URI
Provide the endpoint URI of the STS.
SAML version
Specify the SAML version to be used for authentication.
Available values are: SAML 1.1, SAML 2.0
WS-Trust version
Specify the WS-Trust version that API Gateway must use to send the RST to the SAML issuer.
Available values are: WS-Trust 1.0, WS-Trust 1.3
Applies to
Specify the scope for which this security token is required.
For example, the APIs to which this token is applied.
Signing configurations
Keystore alias
Specify the keystore to be used by API Gateway while sending the request to the STS.
A keystore is a repository of private keys and corresponding public certificates.
Key alias (signing)
Specify the key alias of the private key used to sign the request sent to the STS.
Encryption configurations
Truststore alias
Select the truststore that should be used by API Gateway while sending the STS request.
A truststore is a repository that holds all the trusted public certificates.
Certificate alias (Encryption)
Select the certificate from the truststore used to encrypt the request that is sent to the STS.
Request security token template parameters. Defines extensions to the <wst:RequestSecurityToken> element for requesting specific types of keys, algorithms, or keys and algorithms, as specified by a given policy, in the returned token(s).
Key
Specifies the key type of the security token template.
Value
Specifies a value for the request token.
You can add multiple keys and values.
5. Click Add.
The SAML issuer is added and appears in the SAML issuers list.
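
To show how the SAML version, WS-Trust version, Applies to, and request security token template parameter fields relate to a WS-Trust request, the following added example (not API Gateway's own code, and not a capture of its wire format) builds a `<wst:RequestSecurityToken>` element. Assumptions: the function name `build_rst`, the mapping of "WS-Trust 1.0" to the February 2005 namespace, the placement of each template key as a child element of the RST, and the placeholder endpoint are all illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Namespace and token-type URIs from the WS-Trust and WSS SAML Token Profile specs.
# Assumption: "WS-Trust 1.0" refers to the February 2005 WS-Trust namespace.
WST = {  # keyed by the "WS-Trust version" field value
    "WS-Trust 1.0": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "WS-Trust 1.3": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}
SAML_TOKEN_TYPE = {  # keyed by the "SAML version" field value
    "SAML 1.1": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
    "SAML 2.0": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
}
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"


def build_rst(ws_trust_version, saml_version, applies_to, template_params):
    """Build a <wst:RequestSecurityToken> from SAML-issuer style settings.

    Assumption: each template parameter key becomes a child element of the
    RST in the WS-Trust namespace, with the value as its text.
    """
    if ws_trust_version not in WST or saml_version not in SAML_TOKEN_TYPE:
        raise ValueError("unsupported WS-Trust or SAML version")
    wst = WST[ws_trust_version]
    rst = ET.Element(f"{{{wst}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{wst}}}RequestType").text = f"{wst}/Issue"
    ET.SubElement(rst, f"{{{wst}}}TokenType").text = SAML_TOKEN_TYPE[saml_version]
    # "Applies to": the scope (service endpoint) the token is requested for.
    scope = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(scope, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    for key, value in template_params.items():
        # Reject keys that are not plain XML names so a bad key cannot break the message.
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.-]*", key):
            raise ValueError(f"invalid template parameter key: {key!r}")
        ET.SubElement(rst, f"{{{wst}}}{key}").text = value
    return rst


if __name__ == "__main__":
    # Constructed sample values; the endpoint is a placeholder.
    rst = build_rst("WS-Trust 1.3", "SAML 2.0", "https://api.example.test/orders",
                    {"KeyType": WST["WS-Trust 1.3"] + "/Bearer"})
    print(ET.tostring(rst, encoding="unicode"))
```

Comparing this output with the request the STS actually receives is a quick way to spot a WS-Trust or SAML version mismatch between the gateway configuration and the issuer.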