Integration Server 10.5 | Integration Server Administrator's Guide | Configuring Integration Server for Secure Communication | Identifying Trusted STSs to Integration Server
 
Identifying Trusted STSs to Integration Server
If you want to use policies based on WS-SecurityPolicy that include SAML tokens for client authentication or accept SAML2 assertions through the HTTP header, you must set up Integration Server so that it can process the SAML tokens. One of the requirements is to identify STSs you want Integration Server to trust.
To identify a trusted STS to Integration Server
1. In Integration Server Administrator, go to Security > SAML.
2. Click Add SAML Token Issuer.
3. Provide information in the following fields:
Parameter
Specify
Issuer Name
Name of a SAML token issuer from which Integration Server should accept and process SAML assertions. This value must match the value of the Issuer field in the SAML assertion.
Integration Server will reject SAML assertions from issuers not configured on this screen and will log a message similar to the following to the Server log:
2010-06-09 23:35:38 EDT [ISS.0012.0025E] Rejecting SAML
assertion from issuer "SAMPLE_STS" because issuer is not
configured on the Security > SAML screen.
Truststore Alias
A text identifier for the truststore, which contains the public keys of the SAML token issuer. Integration Server populates the Truststore Alias list with the existing truststore aliases.
Certificate Alias
A text identifier for the certificate associated with the truststore alias. Integration Server populates the Certificate Alias list with the certificate aliases from the selected truststore alias.
Clock Skew
Clock difference, in milliseconds, between the machine that hosts Integration Server and the SAML token issuer. Specify a non-negative number.
For example, if the clock on the Integration Server machine and the issuer clock differ by 3 seconds, you could specify a skew of 3001 milliseconds. To allow for some buffer, you could specify a slightly higher skew such as 3200 or even 4000.
After parsing the SAML Assertion, Integration Server converts the timestamps into milliseconds and performs all validations using the milliseconds. As a result, SAML validation performed by Integration Server supports the use of different time zones for an issuer and Integration Server.
When validating the NotBefore claim, Integration Server subtracts the clock skew from the NotBefore time found in the assertion (where the timestamp is now expressed in milliseconds). Then Integration Server compares the adjusted NotBefore time to the current time on the machine that hosts Integration Server to verify that the time on the Integration Server machine is lower than the adjusted NotBefore time.
When validating the NotAfter claim, Integration Server subtracts the clock skew from the current time (as expressed in milliseconds). Then Integration Server compares the adjusted current time to the NotAfter time found in the assertion to ensure that the NotAfter time is greater than or equal to the adjusted current time.
4. Click Save Changes.
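The issuer check and the skew-adjusted NotBefore/NotAfter validation described above, as an added example that is not Integration Server's own code: the issuer table, aliases and timestamps are constructed, and the NotBefore check assumes the assertion is accepted once the server clock has reached the skew-adjusted NotBefore time. Both timestamps are converted to epoch milliseconds first, so an issuer in EDT and a server reading UTC compare correctly.

```python
from datetime import datetime

# Constructed stand-in for the entries on the Security > SAML screen:
# issuer name -> truststore alias, certificate alias, clock skew in ms.
TRUSTED_ISSUERS = {
    "ACME_STS":   {"truststore": "DEFAULT_IS_TRUSTSTORE", "certificate": "acme_sts", "clock_skew_ms": 3200},
    "STRICT_STS": {"truststore": "DEFAULT_IS_TRUSTSTORE", "certificate": "strict_sts", "clock_skew_ms": 0},
}

def to_millis(timestamp: str) -> int:
    """Convert an ISO 8601 timestamp (with offset or 'Z') to epoch milliseconds.
    Comparing in milliseconds is what makes differing time zones irrelevant."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return int(dt.timestamp() * 1000)

def validate_assertion(issuer: str, not_before: str, not_after: str, now_ms: int):
    """Return (accepted, reason) after the issuer and validity-window checks."""
    entry = TRUSTED_ISSUERS.get(issuer)
    if entry is None:
        # Mirrors the rejection message the server log shows for unknown issuers.
        return False, (f'Rejecting SAML assertion from issuer "{issuer}" because issuer '
                       'is not configured on the Security > SAML screen.')
    skew = entry["clock_skew_ms"]
    # NotBefore: move the assertion's start earlier by the skew, then require
    # that the server clock has already reached it (assumed semantics).
    adjusted_not_before = to_millis(not_before) - skew
    if now_ms < adjusted_not_before:
        return False, "Rejecting SAML assertion: NotBefore is still in the future"
    # NotAfter: move the server clock back by the skew, then require that
    # NotAfter is greater than or equal to the adjusted current time.
    adjusted_now = now_ms - skew
    if to_millis(not_after) < adjusted_now:
        return False, "Rejecting SAML assertion: NotAfter has passed"
    return True, f'Accepted assertion from "{issuer}" (certificate alias {entry["certificate"]})'

if __name__ == "__main__":
    # Constructed assertion issued in EDT (UTC-4); the server clock is read in UTC.
    now = to_millis("2010-06-10T03:35:36Z")   # 2 s before NotBefore once both are in UTC
    for name in ("ACME_STS", "STRICT_STS", "SAMPLE_STS"):
        print(name, validate_assertion(name, "2010-06-09T23:35:38-04:00",
                                       "2010-06-09T23:40:38-04:00", now))
```

With the 3200 ms skew the 2-second difference is absorbed; with a skew of 0 the same assertion is rejected, which is the situation the Clock Skew field exists to avoid.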