Configuring Integration Server, Mediator, and Virtual Services for Holder-of-Key
To configure Integration Server, Mediator, and virtual services for Holder-of-Key
1. Ensure that you have created a keystore, as described in Configuring Integration Server Keystores.
2. Map the client certificate to a valid Integration Server user, as described in the Certificate Mapping section in the document webMethods Integration Server Administrator’s Guide.
Note:  
The value of the Usage field is irrelevant; the mapping of the client certificate only verifies that the request is signed by a valid Integration Server user.
3. Specify the Integration Server keystore in Mediator, as described in Configuring Keystore.
4. Create a truststore in Integration Server that holds the STS public key, as described in the Keystores and Truststores section in the document webMethods Integration Server Administrator’s Guide.
Note:  
Do not create a keystore for the STS. Only create a truststore.
5. Configure the list of trusted SAML token issuers in Integration Server as follows:
a. Open the Integration Server Administrator if it is not already open.
b. In the Navigation panel, select Security > SAML.
c. Click Add SAML Token Issuer.
d. Set the parameters as follows.
Issuer Name: The name of a SAML token issuer from which Integration Server must accept and process SAML assertions. This value must match the IssuerName value in the SAML token. If the SAML assertion issuer name does not match any configured issuer, the token is rejected and a message similar to the following is logged to the Server log:
2010-06-09 23:35:38 EDT [ISS.0012].0025E
Truststore Alias: Text identifier for the truststore that contains the public keys of the SAML token issuer.
Certificate Alias: Text identifier for the certificate associated with the truststore alias. This certificate alias must match the certificate used by the STS to sign the SAML assertion.
Clock Skew: The clock time difference (in milliseconds) between your Integration Server and the SAML token issuer.
e. Click Save Changes.
These parameter values are stored in the file Integration Server_directory\instances\instance_name\config\security\saml\trusted_saml_issuers.cnf.
6. In CentraSite, include the "Require WSS SAML Token" action in the policies of your virtual services. Configure the action as described in the section Run-Time Governance Reference in the CentraSite documentation.
7. Client requests must meet the following requirements:
* The request must contain a valid SAML Holder-of-Key token.
* The request's SOAP body must be signed by the client using the private key corresponding to the public key present in the SAML assertion.
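The acceptance rules behind step 5 (trusted issuer list with clock skew) and step 7 (Holder-of-Key token, SOAP body signed with the key bound in the assertion) are shown below as an added example. It is not Mediator or Integration Server code: the trusted-issuer table, the sample assertion, the certificate value and the issuer URL are all constructed placeholders, and the XML-DSig verification that the WS-Security stack performs (assertion signature against the truststore certificate, body signature against the client certificate) is assumed to have run already, so the function receives the certificate that verified the body signature as an input.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for one "Add SAML Token Issuer" entry (Security > SAML).
# The aliases name the truststore certificate the assertion's own XML signature
# must verify against; that XML-DSig step belongs to the WS-Security stack and
# is assumed to have succeeded before validate_holder_of_key() is called.
TRUSTED_ISSUERS = {
    "https://sts.example.test": {          # must equal the assertion's <Issuer> text
        "truststore_alias": "stsTruststore",
        "certificate_alias": "stsSigning",
        "clock_skew_ms": 5000,
    },
}

# Constructed sample assertion; the certificate value is a placeholder, not a real cert.
CLIENT_CERT_B64 = "MIIC...PLACEHOLDER-CLIENT-CERT..."
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_constructed-1"
    IssueInstant="2016-01-01T12:00:00Z">
  <saml:Issuer>https://sts.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{CLIENT_CERT_B64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-01-01T12:00:00Z" NotOnOrAfter="2016-01-01T12:05:00Z"/>
</saml:Assertion>"""


def _parse_utc(value):
    """Parse a SAML xs:dateTime of the form YYYY-MM-DDTHH:MM:SSZ as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _normalize_cert(b64):
    """Base64 certificate text with all whitespace removed, so line wrapping does not matter."""
    return re.sub(r"\s+", "", b64 or "")


def validate_holder_of_key(assertion_xml, body_signing_cert_b64, now, trusted_issuers=TRUSTED_ISSUERS):
    """Apply the Holder-of-Key acceptance rules to one assertion.

    body_signing_cert_b64 is the certificate the WS-Security layer already used to
    verify the signature over the SOAP body. now may be an aware datetime or a
    YYYY-MM-DDTHH:MM:SSZ string. Returns (accepted, reason).
    """
    if isinstance(now, str):
        now = _parse_utc(now)
    root = ET.fromstring(assertion_xml)

    # 1. The issuer must exactly match a configured trusted issuer, else reject (and log).
    issuer_el = root.find(SAML + "Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    entry = trusted_issuers.get(issuer)
    if entry is None:
        return False, f"rejected: issuer {issuer!r} is not a configured SAML token issuer"

    # 2. The subject confirmation must be holder-of-key, not bearer or sender-vouches.
    conf = root.find(f"./{SAML}Subject/{SAML}SubjectConfirmation")
    if conf is None or conf.get("Method") != HOLDER_OF_KEY:
        return False, "rejected: SubjectConfirmation is not holder-of-key"

    # 3. The key bound in the assertion must be the key that signed the SOAP body.
    cert_el = conf.find(f"./{SAML}SubjectConfirmationData/{DSIG}KeyInfo/{DSIG}X509Data/{DSIG}X509Certificate")
    if cert_el is None or _normalize_cert(cert_el.text) != _normalize_cert(body_signing_cert_b64):
        return False, "rejected: SOAP body was not signed by the key bound in the assertion"

    # 4. Validity window, widened by the configured clock skew (milliseconds).
    skew = timedelta(milliseconds=entry["clock_skew_ms"])
    cond = root.find(SAML + "Conditions")
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_utc(not_before) - skew:
            return False, "rejected: assertion not yet valid (beyond clock skew)"
        if not_on_or_after and now >= _parse_utc(not_on_or_after) + skew:
            return False, "rejected: assertion expired (beyond clock skew)"

    return True, (f"accepted: issuer {issuer}, verified via truststore "
                  f"{entry['truststore_alias']}/{entry['certificate_alias']}")


if __name__ == "__main__":
    print(validate_holder_of_key(SAMPLE_ASSERTION, CLIENT_CERT_B64, "2016-01-01T12:01:00Z"))
    print(validate_holder_of_key(SAMPLE_ASSERTION, "MIIC...OTHER-CERT...", "2016-01-01T12:01:00Z"))
```

The order of the checks matters for the log you get: an unknown issuer is rejected before any key comparison, which is the case the Issuer Name description above says is logged to the Server log. The certificate comparison in step 3 is what makes the token holder-of-key rather than bearer: a replayed assertion presented by a party that cannot sign the SOAP body with the bound private key fails there even though the assertion itself is genuine.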
Copyright © 2015-2016 Software AG, Darmstadt, Germany.