Require SAML Token
Requires that a WSS Security Assertion Markup Language (SAML) assertion token be present in the SOAP message header to validate service consumers. CloudStreams supports SAML 1.1 and 2.0 tokens. This action supports WS-SecurityPolicy 1.2 and cannot be used with REST services or connector virtual services.
Note:
When a Require SAML Token action is generated, CloudStreams also implicitly selects the timestamp and signing assertions. You should not add the Include Timestamps and Require Signing policy actions to a virtual service if the Require SAML Token action is already applied.
Input Parameters
SAML Version
String. Specifies the version of the WSS SAML Token to use (1.1 or 2.0).
Run-Time Behavior
When a service consumer sends a request that includes a SAML token to a virtual service, CloudStreams validates the token. If the token is valid, Integration Server uses its included JAAS login modules to process the SAML assertion and map the client public key in the assertion to a valid Integration Server user.
If the service consumer invokes the virtual service without a SAML assertion in the request, then CloudStreams sends the following SOAP fault to the service consumer to indicate that the request does not match the security policy being enforced: SAML Token missing in request.
Prerequisites
In order to use a SAML token, CloudStreams requires that you:
* Determine which Security Token Services (STS) to trust. The STS generates the SAML tokens that clients will submit. The client can use any STS provider that generates SAML 1.1 or 2.0 tokens. The generated SAML token must:
  * Contain the certificate of the user/client (service consumer) in the assertion if Integration Server is to use Holder-of-Key (HOK) type SAML assertions.
  * Be signed by the STS.
* Identify the trusted STS to Integration Server. For more information, see Setting the STS Options.
* Provide a truststore alias that points to a truststore containing the issuer's certificate. For information about providing a truststore alias, see the section Securing Communications with the Server in the document webMethods Integration Server Administrator’s Guide.
* If Integration Server is to process Holder-of-Key (HOK) type SAML assertions, which contain the client's public key, you must map the client's public key to an Integration Server user. For more information about configuring and mapping client certificates, see the section Authenticating Clients in the document webMethods Integration Server Administrator’s Guide.
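The following is an added example, not CloudStreams or Integration Server code: a Python pre-flight that inspects a token issued by your STS for the properties listed in the prerequisites (a signed assertion, a Holder-of-Key confirmation that carries a certificate, and a SAML version that matches the SAML Version parameter). The function name, sample token and issuer URL are constructed for illustration; the check is structural only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# SAML version -> (assertion namespace, Holder-of-Key confirmation method URI)
SAML = {
    "1.1": ("{urn:oasis:names:tc:SAML:1.0:assertion}",
            "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"),
    "2.0": ("{urn:oasis:names:tc:SAML:2.0:assertion}",
            "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"),
}

def preflight(xml_text, version, expect_hok=True):
    """Return structural problems found; [] means the token has the expected shape.
    Structure only: the STS signature is NOT verified cryptographically here."""
    if "<!DOCTYPE" in xml_text:          # tokens never need a DTD; avoid entity expansion
        return ["DTD present, refusing to parse"]
    ns, hok_uri = SAML[version]
    root = ET.fromstring(xml_text)
    # Accept a bare assertion or one nested in a SOAP envelope's security header.
    a = root if root.tag == ns + "Assertion" else root.find(".//" + ns + "Assertion")
    if a is None:
        return ["no SAML %s assertion found" % version]
    problems = []
    if a.find(DS + "Signature") is None:  # enveloped signature is a direct child
        problems.append("assertion is not signed")
    if expect_hok:
        def is_hok(sc):                   # 2.0 uses an attribute, 1.1 a child element
            methods = [sc.get("Method")] + [m.text for m in sc.findall(ns + "ConfirmationMethod")]
            return any((m or "").strip() == hok_uri for m in methods)
        confs = [sc for sc in a.iter(ns + "SubjectConfirmation") if is_hok(sc)]
        if not confs:
            problems.append("no holder-of-key SubjectConfirmation")
        elif not any((c.text or "").strip()
                     for sc in confs for c in sc.iter(DS + "X509Certificate")):
            problems.append("holder-of-key confirmation has no X509Certificate")
    return problems

# Constructed sample: SAML 2.0 shape with a Signature stub and placeholder certificate text.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
 <saml:Issuer>https://sts.example.test</saml:Issuer><ds:Signature/>
 <saml:Subject><saml:SubjectConfirmation
   Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:SubjectConfirmationData>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>
 </saml:SubjectConfirmation></saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print(preflight(SAMPLE, "2.0"))
```

Pass expect_hok=False for tokens that are not Holder-of-Key assertions, so that only the version and signature checks apply.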