Configuring a Security Token Service (STS) for SAML Bearer Token Processing
When choosing an STS, consider the following:
*The STS must be able to issue a SAML 1.1 or 2.0 token to the client with the subject confirmation method Mediator is configured for. For Bearer token processing this is the Bearer confirmation method: the assertion carries no client key material, so the consumer can verify only the issuer's signature on the assertion, not that the sender holds a particular key. (A Holder-of-Key token, by contrast, embeds the client's public key as the KeyInfo of the subject confirmation and requires proof of possession of that key.)
*Because a Bearer assertion is bound to nothing but the issuer's signature, the STS must sign every assertion with a key whose certificate the consuming side trusts, and the token's validity period should be kept short.
*Two freely available STS implementations are:
*Axis2 (with the Rampart and Rahas modules)
*JBoss PicketLink
To configure an Axis2 STS for Bearer token processing
1. Download Apache Axis2 1.5 and Rampart 1.5.
2. Build and deploy the STS sample in Rampart's policy\sample05 directory as described in the Rampart sample instructions (ant service.05).
3. Verify that the service is deployed and reachable at http://localhost:8080/axis2/services/STS?wsdl.
The Axis2 STS is now able to issue SAML 1.1 or 2.0 tokens.
4. If the sample does not work, follow the troubleshooting instructions in policy\sample05.
Example
The sample's services.xml engages the modules the STS needs and configures the SAML issuer, as follows (the security policy part of the same file is shown further below):
<service name="STS">
  <module ref="rampart" />
  <module ref="addressing" />
  <module ref="rahas" />
  <parameter name="saml-issuer-config">
    <saml-issuer-config>
      <issuerName>SAMPLE_STS</issuerName>
      <issuerKeyAlias>sts</issuerKeyAlias>
      <issuerKeyPassword>apache</issuerKeyPassword>
      <cryptoProperties>
        <crypto provider="org.apache.ws.security.components.crypto.Merlin">
          <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
          <property name="org.apache.ws.security.crypto.merlin.file">sts.jks</property>
          <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
        </crypto>
      </cryptoProperties>
      <timeToLive>300000</timeToLive>
    </saml-issuer-config>
  </parameter>
  .
  .
  .
The three module references engage the Axis2 modules the STS depends on:
*rampart, for WS-Security handling.
*addressing, for WS-Addressing header processing.
*rahas, for WS-Trust request/response processing.
The saml-issuer-config parameter holds the issuer settings for the STS:
*issuerName: The name of this STS; it is written to the issuer element of every SAML assertion it produces.
*timeToLive: Validity period of the issued SAML token, in milliseconds (300000 is five minutes). Keep it short: a Bearer token can be presented by anyone who obtains it until it expires.
*issuerKeyAlias: Alias of the private key, in the keystore named under cryptoProperties, that signs the assertion.
*issuerKeyPassword: Password of that private key.
*cryptoProperties: Settings for the WSS4J Merlin crypto provider that opens the signing keystore (keystore type, file, and keystore password).
The keystore sts.jks, the alias sts, and the password apache are the Rampart sample material; replace them with your own keys before using the STS for anything but a demo, and restrict read access to services.xml, which holds the key and keystore passwords in clear text.
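The Bearer-versus-Holder-of-Key distinction from the considerations above and the issuerName and timeToLive settings just described can be exercised from the client side. The following is an added example, not code from this page, from Software AG, or from Rampart: it builds a WS-Trust Issue request for a SAML 2.0 Bearer token and then checks the assertion returned by the STS for the things a bearer consumer must not skip (issuer name, bearer confirmation method, validity window no longer than timeToLive, validity at the current time). Assumptions, all labelled in the code: the STS speaks WS-Trust 1.3 (the 200512 namespace; Rampart also supports the 2005/02 version), the AppliesTo address is a placeholder, the RequestSecurityTokenResponse is hand-constructed rather than captured from Axis2, and the assertion's XML signature is verified separately (for example with xmlsec) before any value read here is trusted.

```python
# Added example (not from the Software AG page or from Rampart): WS-Trust 1.3
# Issue request for a SAML 2.0 Bearer token, plus consumer-side checks on the
# assertion the STS returns. Assumptions: WS-Trust 1.3 namespace, placeholder
# AppliesTo address, hand-constructed RSTR, XML-DSig verified elsewhere.
import datetime as dt
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
KEYTYPE_BEARER = WST + "/Bearer"        # no client key material in the token
KEYTYPE_PUBLICKEY = WST + "/PublicKey"  # Holder-of-Key: client public key in KeyInfo
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def build_rst(applies_to, bearer=True):
    """RequestSecurityToken for an Issue request; KeyType selects Bearer or HoK."""
    key_type = KEYTYPE_BEARER if bearer else KEYTYPE_PUBLICKEY
    return (
        f'<wst:RequestSecurityToken xmlns:wst="{WST}">'
        f"<wst:RequestType>{WST}/Issue</wst:RequestType>"
        f"<wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>"
        f"<wst:KeyType>{key_type}</wst:KeyType>"
        '<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">'
        '<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">'
        f"<wsa:Address>{applies_to}</wsa:Address>"
        "</wsa:EndpointReference></wsp:AppliesTo>"
        "</wst:RequestSecurityToken>"
    )


def parse_ts(value):
    """SAML timestamps in this example are UTC with a trailing Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_issued_assertion(rstr_xml, expected_issuer, ttl_ms, now):
    """Policy checks on the SAML 2.0 assertion inside an RSTR. Raises ValueError
    on any mismatch, returns the checked values otherwise. Run this only after
    the assertion's signature has been verified against the STS certificate."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(f".//{{{SAML2}}}Assertion")
    if assertion is None:
        raise ValueError("no SAML 2.0 assertion in the response")
    issuer = assertion.findtext(f"{{{SAML2}}}Issuer")
    if issuer != expected_issuer:  # must equal issuerName in saml-issuer-config
        raise ValueError(f"unexpected issuer {issuer!r}")
    conf = assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}SubjectConfirmation")
    method = conf.get("Method") if conf is not None else None
    if method != CM_BEARER:
        # A Holder-of-Key assertion would also require proof of possession of
        # the key in its KeyInfo; a bearer consumer must not silently accept it.
        raise ValueError(f"expected bearer confirmation, got {method!r}")
    cond = assertion.find(f"{{{SAML2}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no usable Conditions")
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is not valid at the current time")
    window_ms = int((not_on_or_after - not_before).total_seconds() * 1000)
    if window_ms > ttl_ms:  # the STS's timeToLive is the longest window we accept
        raise ValueError(f"validity window {window_ms} ms exceeds timeToLive {ttl_ms} ms")
    return {"issuer": issuer, "method": method, "window_ms": window_ms}


def sample_rstr(method=CM_BEARER):
    """Constructed RSTR for the checks above (not a captured Axis2 response);
    the assertion is unsigned here, which a real consumer would reject."""
    return (
        f'<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">'
        f"<wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>"
        "<wst:RequestedSecurityToken>"
        f'<saml2:Assertion xmlns:saml2="{SAML2}" ID="_example1" Version="2.0" '
        'IssueInstant="2016-01-01T12:00:00Z">'
        "<saml2:Issuer>SAMPLE_STS</saml2:Issuer>"
        "<saml2:Subject><saml2:NameID>alice</saml2:NameID>"
        f'<saml2:SubjectConfirmation Method="{method}"/></saml2:Subject>'
        '<saml2:Conditions NotBefore="2016-01-01T12:00:00Z" '
        'NotOnOrAfter="2016-01-01T12:05:00Z"/>'
        "</saml2:Assertion>"
        "</wst:RequestedSecurityToken>"
        "</wst:RequestSecurityTokenResponse>"
    )


if __name__ == "__main__":
    # Placeholder AppliesTo address; the real value is the service the token is for.
    print(build_rst("http://localhost:8080/axis2/services/Service"))
    now = parse_ts("2016-01-01T12:02:00Z")
    print(check_issued_assertion(sample_rstr(), "SAMPLE_STS", 300000, now))
```

The ttl check compares the assertion's NotBefore/NotOnOrAfter window against the STS's timeToLive (300000 ms in the sample), so a token with a longer window than the STS is configured to issue is rejected even if it is otherwise well-formed; the same function refuses a holder-of-key assertion, since accepting it as a bearer token would throw away the proof-of-possession that token type exists to require.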
In addition, services.xml carries the WS-SecurityPolicy that governs access to the STS, shown in part below. The policy requires the client to sign the request body with an X.509 token, and the RampartConfig element tells Rampart which keystore and aliases the STS itself uses: user is the STS's own key alias, encryptionUser is the alias of the client certificate it encrypts to, and passwordCallbackClass supplies the key passwords.
.
.
.
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  .
  .
  .
</sp:Wss10>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <sp:Body/>
</sp:SignedParts>
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <ramp:user>sts</ramp:user>
  <ramp:encryptionUser>client</ramp:encryptionUser>
  <ramp:passwordCallbackClass>com.softwareag.mediator.sts.PWCBHandler</ramp:passwordCallbackClass>
  <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
    <ramp:property name="org.apache.ws.security.crypto.merlin.file">sts.jks</ramp:property>
    <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
  </ramp:crypto>
</ramp:RampartConfig>
.
.
.
Copyright © 2015-2016 Software AG, Darmstadt, Germany.