CentraSite 10.3 | CentraSite User’s Guide | Runtime Governance | Run-Time Policy Management | Built-In Run-Time Actions Reference (CentraSite Business UI) | Built-in Actions for Run-Time Policies (CentraSite Business UI) | Require WSS SAML Token
 
Require WSS SAML Token
This action is applicable only for SOAP APIs and uses a WSS Security Assertion Markup Language (SAML) assertion token to validate API clients. The following subject confirmation methods are supported:
When this action is configured for a proxy API, Mediator uses a WSS Security Assertion Markup Language (SAML) assertion token to validate clients for an API. The following subject confirmation methods are supported:
*Bearer: You can select the Bearer method when the client wants a security token to be issued that does not require a proof of possession.
*Holder of Key (Symmetric): You can select the Holder of Key (Symmetric) method when either the client or the server needs to generate security tokens such as X509Tokens. A symmetric key is established using that security token and further signing and encryption is done using this token.
*Holder of Key (Asymmetric): You can select the Holder of Key (Asymmetric) method when both the client and the server have security token such as X509 certificates. In this method, the client uses its private key to sign and the recipient’s (Mediator) public key to encrypt.
Note:
For information about configuring your system for SAML token processing, see Administering webMethods Mediator.
Important:
To configure a SAML attribute that can be used to identify the user, open the is_jaas.cnf file available in the <IntegrationServerInstall_Directory>\instances\default\config folder and modify the configuration under WSS_Message_IS. For example,
{
/*
* Please do not rearrange the following SoftwareAG
* login modules; add your login modules before or after
* these three modules
*/
com.wm.app.b2b.server.auth.jaas.SamlAssertLoginModule requisite
samlAttributeName="http://integration.fiserv.com/
identity/claims/v1/FirstName";
com.wm.app.b2b.server.auth.jaas.X509LoginModule requisite;
com.wm.app.b2b.server.auth.jaas.BasicLoginModule requisite;
};
Any value can be configured for the samlAttributeName parameter.
Input Parameters
SAML Version
(String). Specifies the WSS SAML Token version to use: 1.1 or 2.0.
SAML Subject Confirmation
(String). Specifies the SAML subject confirmation methods:
Value
Description
Bearer
Select this option if the clients want a security token to be issued that does not require a proof of possession.
Note:
If the clients use SAML 2.0 Sender-Vouches tokens, configure your system as described in Administering WebMethods Mediator.
Holder of Key (Asymmetric)
Select this option if the clients and server use the SAML V1.1 or V2.0 Holder-of-Key method that allows for transport of holder-of-key assertions. In this scenario, the client uses its private key to sign and the recipient’s (Mediator) public key to encrypt.
Holder of Key (Symmetric)
(Default). Select this option if clients use the SAML V1.1 or V2.0 Holder-of-Key method that allows for transport of holder-of-key assertions. In this scenario, the client presents a holder-of-key SAML assertion acquired from its preferred identity provider to access a web-based resource at an API provider.
WS- Trust Version
(String). Specifies the WSS SAML Token version to use: 1.1 or 2.0.
Algorithm Suite
Select any algorithm suite that is defined by the WS-SecurityPolicy specification. For example, Basic128, BAsic256, TripleDes, and so on.
Encrypt Signature
To encrypt the signature. Select either of the following:
*Yes: To encrypt the signature.
*No: Not to encrypt the signature.
Layout
Specifies a requirement for a particular security header layout.
Holder of Key Asymmetric Parameter
The public key is shared with Mediator and the private key is secure.
Value
Description
Initiator Token Inclusion
Identifies the inclusion value for the client's security token assertion.
Recipient Token Inclusion
Identifies the inclusion value for the recipient's security token assertion.
Holder of Key Symmetric Parameter
Encrypts the signature, soap header, and body.
Value
Description
Initiator Token Inclusion
Identifies the inclusion value for the client's security token assertion.
Recipient Token Inclusion
Identifies the inclusion value for the recipient's security token assertion.
Issuer Address
Specifies the SAML issuer address. For example, <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
Metadata Reference Address
The address from where the metadata reference document can be obtained.
Key Size
The number of bits in a key used by a cryptographic algorithm. For example, 256 bits.
Request Security Token Template Parameters
Defines extensions to the <wst:RequestSecurityToken> element for requesting specific types of keys, algorithms, or key and algorithms, as specified by a given policy in the return token(s). In some cases, the service may support a variety of key types, sizes, and algorithms. These parameters allow a requestor to indicate its desired values. The issuer's policy indicates if input values must be adhered to and faults generated for invalid inputs, or if the issuer must provide alterative values in the response.
Value
Description
Key
Key type of the security token template.
Value
String. A value for the request token.