 
Requirements for Using SAML for Authentication
 
If you want to use policies based on WS-SecurityPolicy that include SAML tokens for authentication, you must set up Integration Server so that it can process the SAML tokens. Integration Server supports SAML tokens only in policies attached to provider web service descriptors for inbound requests.
For a provider inbound request message, Integration Server must be able to validate the SAML token using its Java Authorization and Authentication Service (JAAS) login modules.
The following table lists the requirements you must meet so that Integration Server can process SAML tokens in policies based on WS-SecurityPolicy.
Requirement: Security Token Service (STS) provider
Description: You must determine which STSs you want Integration Server to trust. Clients can use any STS provider that generates SAML 1.0 or 2.0 tokens. The generated SAML token must:
* Contain the client certificate if Integration Server is to process Holder-of-Key (HOK) type SAML assertions. Integration Server uses the client certificate to identify the client and map the client to an Integration Server user.
* Be signed by the STS.

Requirement: Certificates for each possible issuer of SAML assertions
Description: You must create a truststore that contains the public keys of each STS. For more information about creating a truststore, see Creating a Keystore.

Requirement: Identification of trusted issuers
Description: You must identify trusted STSs to Integration Server. For instructions, see Identifying Trusted STSs to Integration Server.

Requirement: Client certificates
Description: If Integration Server is to process Holder-of-Key (HOK) type SAML assertions, which contain the public key of the client, you must map the client’s public key to an Integration Server user. For more information about configuring client certificates, see Client Certificates.
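
The following Python example is added here for illustration; it is not Software AG code and not how Integration Server itself validates tokens. It checks a SAML 2.0 assertion against the token requirements listed above (a trusted issuer, an STS signature, and a client certificate when the confirmation method is holder-of-key) and does not verify the signature cryptographically. The function `check_assertion`, the `trusted_issuers` set and the sample assertion are assumptions constructed for this example, and SAML 1.0 tokens are out of its scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample assertion: the issuer URL and PLACEHOLDER bodies are not real values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>https://sts.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def check_assertion(xml_text, trusted_issuers):
    """Return the list of unmet requirements (empty list = structurally acceptable).

    Structural pre-check only: the signature is NOT verified cryptographically.
    For untrusted input, parse with a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return ["not a SAML 2.0 assertion"]
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:  # hypothetical stand-in for the trusted STS list
        problems.append("issuer is not a trusted STS: %r" % issuer)
    # The STS signature is expected as a direct child of the assertion element.
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if conf.get("Method") == HOK:
            cert = conf.findtext(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                 default="", namespaces=NS)
            if not cert.strip():
                problems.append("holder-of-key assertion has no client certificate")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, {"https://sts.example.test"}))
```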