Certificate Mapping User and Usage Resolution Order for WS-Security
Integration Server supports mapping a client certificate to a user ID (User) and to a certificate Usage (for more information, see Importing a Client Certificate and Mapping It to a User). At run time, a web service provider can use the information in a certificate mapping.
When determining the user to use for WS-Security, Integration Server uses the following resolution order for the User setting when searching through Integration Server certificate mappings:
1. User associated with a SAML assertion.
   Note: You can only use SAML tokens when using WS-SecurityPolicy. The Integration Server WS-Security facility does not support SAML tokens.
2. User associated with the certificate that is used for authentication (X.509 token or signature token).
3. User specified in a WS-Security UsernameToken (not in a certificate).
4. User authenticated at the transport level (SSL or HTTP).
The following table lists the order for matching a requested Usage by a policy assertion against the Usage value in a certificate mapping.
| If this Usage is requested... | A mapping with the first of these Usage values is returned... |
|---|---|
| Verify | Verify, VerifyAndEncrypt, SSL |
| Encrypt | Encrypt, VerifyAndEncrypt, SSL |
| VerifyAndEncrypt | VerifyAndEncrypt, SSL |
| MessageAuth | MessageAuth, SSL |
| SSLAuth | SSL |
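The two resolution orders described on this page (the four-step User order and the Usage fallback table), modelled as an added Python example. This is not Integration Server code: the `CertificateMapping` and `RequestContext` classes, the function names and the sample mappings are constructed for illustration, and the example assumes the caller has already selected the mappings that belong to the presented client certificate.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered fallback lists taken from the Usage table above. For a requested
# Usage, the mappings are searched for the first listed value, then the next,
# and so on; a mapping whose Usage is "SSL" therefore satisfies every request.
USAGE_RESOLUTION_ORDER = {
    "Verify": ("Verify", "VerifyAndEncrypt", "SSL"),
    "Encrypt": ("Encrypt", "VerifyAndEncrypt", "SSL"),
    "VerifyAndEncrypt": ("VerifyAndEncrypt", "SSL"),
    "MessageAuth": ("MessageAuth", "SSL"),
    "SSLAuth": ("SSL",),
}


@dataclass(frozen=True)
class CertificateMapping:
    """One certificate mapping (hypothetical model) for the presented client
    certificate: the mapped user ID and the mapping's Usage value."""
    user: str
    usage: str


@dataclass
class RequestContext:
    """Users established by each of the four sources listed above (hypothetical model)."""
    saml_user: Optional[str] = None            # user from a SAML assertion
    certificate_user: Optional[str] = None     # user mapped from the X.509 / signature token certificate
    username_token_user: Optional[str] = None  # user named in a WS-Security UsernameToken
    transport_user: Optional[str] = None       # user authenticated at the SSL or HTTP level


def resolve_usage_mapping(requested_usage: str,
                          mappings: List[CertificateMapping]) -> Optional[CertificateMapping]:
    """Return the mapping with the highest-precedence Usage for the request, or None."""
    try:
        candidates = USAGE_RESOLUTION_ORDER[requested_usage]
    except KeyError:
        raise ValueError(f"unknown Usage requested: {requested_usage!r}")
    # Precedence of the candidate Usage values comes first; only among mappings
    # that share one candidate value does the order of the mapping list decide.
    for usage in candidates:
        for mapping in mappings:
            if mapping.usage == usage:
                return mapping
    return None


def resolve_ws_security_user(ctx: RequestContext) -> Tuple[Optional[str], Optional[str]]:
    """Pick the WS-Security user in the order given above; returns (user, source)."""
    ordered_sources = (
        ("SAML assertion", ctx.saml_user),
        ("X.509/signature token", ctx.certificate_user),
        ("UsernameToken", ctx.username_token_user),
        ("transport (SSL/HTTP)", ctx.transport_user),
    )
    for source, user in ordered_sources:
        if user:
            return user, source
    return None, None


# Constructed sample mappings for one client certificate.
SAMPLE_MAPPINGS = [
    CertificateMapping(user="svc-orders", usage="Verify"),
    CertificateMapping(user="svc-orders", usage="Encrypt"),
]

if __name__ == "__main__":
    # Two single-purpose mappings do not satisfy a combined request ...
    print(resolve_usage_mapping("VerifyAndEncrypt", SAMPLE_MAPPINGS))  # None
    # ... but a mapping with Usage "SSL" satisfies any request.
    print(resolve_usage_mapping("VerifyAndEncrypt",
                                SAMPLE_MAPPINGS + [CertificateMapping("svc-ssl", "SSL")]))
    ctx = RequestContext(username_token_user="alice", transport_user="bob")
    print(resolve_ws_security_user(ctx))  # ('alice', 'UsernameToken')
```

The outer loop over the candidate Usage values is what makes the table's precedence binding: a `VerifyAndEncrypt` mapping wins over an `SSL` mapping for an `Encrypt` request even when the `SSL` mapping appears first in the list, and separate `Verify` and `Encrypt` mappings never combine to satisfy a `VerifyAndEncrypt` request.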