Configuring Integration Server, Mediator, and Virtual Services for Holder-of-Key

Administering Mediator : Mediator Configurations : Configuring SAML Support in Mediator : Configuring SAML Holder-of-Key Processing : Configuring Integration Server, Mediator, and Virtual Services for Holder-of-Key

To configure Integration Server, Mediator, and virtual services for Holder-of-Key

1. Create a keystore, as described in Configuring Integration Server Keystores.

2. Map the client certificate to a valid Integration Server user, as described in the Certificate Mapping section in the webMethods Integration Server Administrator’s Guide.

3. Specify the Integration Server keystore in Mediator, as described in Configuring Keystore.

4. Create a truststore in Integration Server that holds the STS public key, as described in the Keystores and Truststores section in the webMethods Integration Server Administrator’s Guide.

Note:

Do not create a keystore for the STS. Only create a truststore.

5. Configure the list of trusted SAML token issuers in Integration Server as follows:

a. Open the Integration Server Administrator if it is not already open.

b. In the Navigation panel, select Security > SAML.

c. Click Add SAML Token Issuer.

d. Set the parameters as follows:

In this field...	Specify...
Issuer Name	The name of a SAML token issuer from which Integration Server must accept and process SAML assertions. This value must match the IssuerName value in the SAML token. If the SAML assertion issuer name does not match any configured issuers, the token is rejected and a message similar to the following is logged to the Server log: 2010-06-09 23:35:38 EDT [ISS.0012].0025E
Truststore Alias	Text identifier for the truststore, which contains the public keys of the SAML token issuer.
Certificate Alias	Text identifier for the certificate associated with the truststore alias. This certificate alias must match the certificate used by the STS to sign the SAML assertion.
Clock Skew	The clock time difference (in milliseconds) between your Integration Server and the SAML token issuer.

e. Click Save Changes.

These parameter values are stored in the file Integration Server_directory\instances\instance_name\config\security\saml\trusted_saml_issuers.cnf.

6. In CentraSite, include the Require WSS SAML Token action in the policies of your virtual services.

7. Ensure that the client requests meet the following requirements:

The request must contain a valid SAML Holder-of-Key token.

The request's SOAP body must be signed by the client using the private key corresponding to the public key present in the SAML assertion.

Contact Support | Community | Feedback