The Run-Time Processing of Holder-of-Key Tokens
At run time, Mediator processes a request containing a Holder-of-Key token as follows:
1. The client sends a request for a SAML Token from a Security Token Service (STS).
2. The STS authenticates the client and creates a SAML assertion containing key information that the client will use to sign the message it sends to the service provider.
3. The STS also signs the assertion with its private key to provide message integrity and non-repudiation.
4. The client receives the SAML assertion from the STS and creates a new SOAP request.
5. The client adds the token to the SOAP WS-Security header and signs the message with the same key information carried in the SAML token, thereby proving possession of the token (acting as the Holder-of-Key).
6. The service receives the SOAP request with the SAML assertion and verifies that the SAML assertion was issued by a trusted STS.
7. The service also verifies that the message was signed by the same Subject specified in the SAML assertion, thus verifying that the client is the Holder-of-Key.
8. Once these conditions are satisfied, the service allows the request to proceed.
Copyright © 2015-2016 Software AG, Darmstadt, Germany.