Secure SAML tokens at the message level by enabling assertion signing.
Before you begin
Before configuring signing for SAML tokens, you must configure SAML policy sets and bindings to create SAML tokens as authentication supporting tokens, with message level integrity protection. For more information, read about securing messages using SAML. In addition, the attached SAML bindings must be application-specific bindings, not general bindings: the transform algorithm used for signing SAML assertions differs from the one used for other signed parts, and general bindings support only one transform algorithm.
About this task
To sign SAML assertions, a SOAP message must include a <wsse:SecurityTokenReference> element in the <wsse:Security> header block. The SecurityTokenReference (STR) is referenced by the message signature using a <ds:Reference> element. The security token reference must include a <wsse:KeyIdentifier> element with the ValueType value http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID or http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID, specifying the referenced assertion identifier. The <ds:Reference> element must include the URI of the STR-transform algorithm, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform. Use of STR-transform ensures that the SAML assertion itself is signed, not only the <wsse:SecurityTokenReference> element that points to it.
Follow these configuration steps to enable signing SAML tokens at the message level.
Procedure
- Configure the message parts.
  - From the administrative console, edit the SAML policy set, then click .
  - Select Integrity protection.
  - Click Add.
  - Enter a part name for Name of part to be signed; for example, saml_part.
  - Under Elements in Part, click Add.
  - Select XPath.
  - Add two XPath expressions, one for the SOAP 1.1 envelope namespace and one for the SOAP 1.2 envelope namespace:
    /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='SecurityTokenReference']
    /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='SecurityTokenReference']
  - Click Apply and Save.
  - Restart the application.
- Configure protection and signing for the client.
  - From the Service client policy set and bindings panel, click .
  - Under Request message signature and encryption protection, select a configured resource. The signature of the resource you select includes the SAML token.
  - From the Available list under Message part reference, select the name of the part to be signed, as created in step 1; for example, saml_part.
  - Click Add.
  - In the Assigned list under Message part reference, highlight the name of the part you added; for example, saml_part.
  - Click Edit.
  - For the Transform algorithms setting, click New.
  - Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
  - Click Apply.
  - Under Authentication tokens, select and edit the SAML token you want to sign.
  - Under Custom property, click New.
  - Enter signToken as the custom property name.
    Note: The custom property is added at the token generator level, although it only applies to the SAML custom token. The property does not apply to other token types.
  - Enter true as the value of the custom property.
  - Click Apply.
- Configure protection and signing for the service provider.
  - From the Service provider policy sets and bindings panel, click .
  - Under Request message signature and encryption protection, select a configured resource. The signature of the resource you select includes the SAML token.
  - From the Available list under Message part reference, select the name of the part to be signed, as created in step 1; for example, saml_part.
  - Click Add.
  - In the Assigned list under Message part reference, highlight the name of the part you added; for example, saml_part.
  - Click Edit.
  - For the Transform algorithms setting, click New.
  - Select http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform.
  - Click Apply.
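The following Python script is an added example, not WebSphere code or part of this page's procedure. It checks an outgoing or captured SOAP message for the structure described under About this task: a <wsse:SecurityTokenReference> under <wsse:Security> that carries a <wsse:KeyIdentifier> with one of the two SAML ValueType values, and a <ds:Reference> in the signature that points at that STR and applies the STR-Transform algorithm. The find_strs function walks the same Envelope/Header/Security/SecurityTokenReference path that the two XPath expressions in step 1 select, for both SOAP namespaces. The SOAP message is constructed inline with placeholder digest and signature values and a minimal SAML 2.0 assertion, so the script verifies structure only; it does not verify the cryptographic signature.

```python
"""Structural check for message-level SAML token signing (added example, not
WebSphere code). A message that references the STR without STR-Transform signs
only the reference element, not the assertion, which is the gap the task
description warns about."""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML11_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
SAML10_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"


def find_strs(envelope):
    """Walk Envelope/Header/Security/SecurityTokenReference for either SOAP
    namespace; this is the path the two XPath expressions in step 1 select."""
    soap_ns = envelope.tag[1:].split("}")[0]
    if soap_ns not in (SOAP11, SOAP12) or envelope.tag != f"{{{soap_ns}}}Envelope":
        return []
    header = envelope.find(f"{{{soap_ns}}}Header")
    if header is None:
        return []
    strs = []
    for security in header.findall(f"{{{WSSE}}}Security"):
        strs.extend(security.findall(f"{{{WSSE}}}SecurityTokenReference"))
    return strs


def check_saml_signing(xml_text):
    """Return a list of findings; an empty list means the structure is as required."""
    findings = []
    envelope = ET.fromstring(xml_text)
    strs = find_strs(envelope)
    if not strs:
        return ["no wsse:SecurityTokenReference under wsse:Security"]
    str_by_id = {}
    for str_el in strs:
        str_id = str_el.get(f"{{{WSU}}}Id")
        key_id = str_el.find(f"{{{WSSE}}}KeyIdentifier")
        if key_id is None:
            findings.append(f"STR {str_id!r} has no wsse:KeyIdentifier")
        elif key_id.get("ValueType") not in (SAML11_ID, SAML10_ID):
            findings.append(f"STR {str_id!r} KeyIdentifier ValueType is not a SAML assertion identifier")
        if str_id:
            str_by_id[str_id] = str_el
    covered = False
    for ref in envelope.iter(f"{{{DS}}}Reference"):
        target = ref.get("URI", "").lstrip("#")
        if target not in str_by_id:
            continue  # a reference to some other signed part (Body, timestamp, ...)
        algorithms = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        if STR_TRANSFORM in algorithms:
            covered = True
        else:
            findings.append(f"ds:Reference to STR {target!r} lacks STR-Transform, so only the STR element, not the assertion, is signed")
    if not covered:
        findings.append("no ds:Reference applies STR-Transform to a SAML SecurityTokenReference")
    return findings


def sample_message(transform=STR_TRANSFORM, value_type=SAML11_ID, soap_ns=SOAP11):
    """Constructed SOAP message with placeholder digest/signature values (not a real capture)."""
    transform_xml = f'<ds:Transform Algorithm="{transform}"/>' if transform else ""
    return f"""<env:Envelope xmlns:env="{soap_ns}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <env:Header>
    <wsse:Security>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
        <saml:Issuer>https://idp.example.invalid</saml:Issuer>
      </saml:Assertion>
      <wsse:SecurityTokenReference wsu:Id="str-1">
        <wsse:KeyIdentifier ValueType="{value_type}">_a1</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#str-1"><ds:Transforms>{transform_xml}</ds:Transforms><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body/>
</env:Envelope>"""


if __name__ == "__main__":
    print("with STR-Transform:", check_saml_signing(sample_message()) or "ok")
    print("without STR-Transform:", check_saml_signing(sample_message(transform=None)))
    print("SOAP 1.2 envelope:", check_saml_signing(sample_message(soap_ns=SOAP12)) or "ok")
```

Running the script on a message produced after the procedure above should report "ok"; a message whose STR reference lacks the STR-Transform algorithm, or whose KeyIdentifier carries a non-SAML ValueType, is reported with the specific gap so it can be traced back to the binding setting that was missed.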