Web services security SAML token custom properties

When you configure a web services security SAML token, you can configure name-value pairs of data, where the name is a property key and the value is a string value that you can use to set internal system configuration properties. You can use these configuration properties, along with the options provided in the administrative console, to control how the SAML token is generated or consumed.

To configure these SAML custom properties, in the administrative console, either:

  1. Expand Services.
  2. Select Service provider or Service client
  3. Click on the appropriate application in the Name column.
  4. Click on the appropriate binding in the Binding column.

    You must have previously attached a policy set and assigned a binding.

or

  1. Expand Applications > Application Types and click WebSphere enterprise applications.
  2. Select an application that contains Web services. The application must contain a service provider or a service client.
  3. Under the Web Services Properties heading, click Service provider policy sets and bindings or Service client policy sets and bindings.
  4. Select a binding. You must have previously attached a policy set and assigned an application-specific binding.

Then complete the following steps:

  1. Click WS-Security in the Policies table.
  2. Under the Main Message Security Policy Bindings heading, click Authentication and protection.
  3. Under the Authentication tokens heading, click the name of the authentication token.
    Supported configurations Supported configurations: You can use the token, which is processed by the generic security token login module, for authentication only. You cannot use the token as a protection token.sptcfg
  4. Under the Additional Bindings heading, click Callback handler.
  5. Under the Custom Properties heading, enter the name and value pairs.

The following sections list the custom properties and indicate how each custom property is used.

SAML token generator custom properties

The following table lists the callback handler custom properties that can only be used to configure SAML token generator bindings.

Table 1. SAML token callback handler custom properties for token generator bindings only. This table contains the custom property name, its values, and a short description.
Name Values Description
appliesTo This custom property does not have a default value. Use this custom property to specify the AppliesTo for the requested SAML token when a WSS API is used.
[8.5.0.2 or later] audienceRestriction Valid values are true and false. The default behavior is true, which includes AudienceRestrictionCondition in the SAML token. This property applies only to self-issued SAML tokens. Use this custom property to specify whether the AudienceRestrictionCondition element is included in the SAML token.
[8.5.0.2 or later] authenticationMethod This custom property does not have a default value. This property applies only to self-issued SAML tokens. Use this custom property to specify the value for the AuthenticationMethod attribute on the AuthenticationStatement element in the SAML token. When this custom property is specified, the Subject will be contained in an AuthenticationStatement instead of an AttributeStatement.
com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath This custom property does not have a default value. Use this custom property to specify the required configuration data when generating a self-issued SAML token.
cacheCushion The default value is 5 minutes. Use this custom property to specify the amount of time, in minutes, before the expiration time of a SAML token expires and a new token must be issued. For example, if the cacheCushion is set to 5 minutes and the SAML token will expire in 2 minutes, it will not be re-used; a new SAML token will be issued. When the runtime is in the process of caching a SAML token, a token that is beyond the cache cushion will not be cached.
cacheToken Valid values are true and false. The default behavior is true, which allows SAML token caching for reuse. Use this custom property to specify whether a SAML token can be cached for reuse.
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheEntries The default value is 250. Use this JVM custom property to specify the maximum number of cache entries that can be maintained.
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheTimeout The default value is 60 minutes. This property is used only for SAML tokens for which the expiration time is unknown (tokens that are encrypted or an expiration is not included with the token in the response from the STS). For SAML tokens for which the expiration time is unknown, the SamlTokenCacheTimeout is used to substitute for the expiration time. For a new SAML token that will enter the cache under this criteria, its expiration time will be (current_time)+SamlTokenCacheTimeout. The conditions described for the cacheCushion property will still apply, so keep the cacheCushion value in mind when altering the value for the SamlTokenCacheTimeout.
confirmationMethod Valid values include bearer, holder-of-key, and sender-vouches. This custom property does not have a default value. Use this custom property to specify a SAML token subject ConfirmationMethod.
com.ibm.wsspi.wssecurity.saml.get.SamlToken This custom property does not have a default value. Use this custom property to get the SAML token to RequestContext.
com.ibm.wsspi.wssecurity.saml.put.SamlToken This custom property does not have a default value. Use this custom property to set the SAML token to RequestContext.
failOverToTokenRequest Valid values are true or false. The default value is true, which means that the web services security runtime always issues a new SAML token if the input token is invalid. Use this custom property to specify whether the web services security runtime should use the attached policy set to issue a new SAML token if the input SAML token in the RequestContext is invalid.
recipientAlias This custom property does not have a default value. Use this custom property to specify a target service alias for a certificate.
signToken This custom property does not have a default value. Use this custom property to specify whether a SAML token should be signed with an application message.
sslConfigAlias If a value is not specified for this property, the default SSL alias defined in your system's SSL configuration is used.

This property is optional.

Use this custom property to specify the alias to an SSL configuration that a WS-Trust client uses to request a SAML token.
stsURI This custom property does not have a default value. Use this custom property to specify the SecurityTokenService (STS) address.
keySize This custom property does not have a default value. Use this custom property to specify the KeySize when requesting a SecretKey from STS.
tokenRequest Valid values include issue, propagation,issueByWSCredential, and issueByWSPrincipal. The default value is issue. Use this custom property to specify the SAMLToken request method. For more information about the values that can be specified for this property, see the topic Propagating SAML tokens
tokenType This custom property does not have a default value. Use this custom property to set the required token type to SAMLGenerateCallback
usekeyType This custom property is optional. The valid values are KeyValue, X509Certificate, and X509IssuerSerial. Use this custom property to specify the Usekey type, which tells the client to generate a specific type of key Information.
WSSConsumingContext This custom property does not have a default value. Use this custom property to specify the WSSConsumingContext object that the WS-Trust client uses to request a SAML token.
WSSGenerationContext This custom property does not have a default value. Use this custom property to specify the WSSGenerationContext object that the WS-Trust client uses to request a SAML token.

SAML token consumer custom properties

The following table lists the callback handler custom properties that can only be used to configure SAML token consumer bindings.

Table 2. SAML token callback handler custom properties for token consumer bindings only. This table contains the custom property name, its values, and a short description.
Name Values Description
[8.5.0.1 or later] allowUnencKeyInHok Valid values are true or false. The default value is true, which means that unencrypted keys are allowed. Use this property to direct the SAML token consumer to accept an unencrypted key in a SAML holder-of-key token.
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheEntries An integer. The default value is 1000. Use this custom property to specify how many signature cache entries can be maintained. for a SAML consumer token.
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheTimeout An integer. The default value is 60 minutes. Use this custom property to specify how many minutes a SAML token is to be cached. A signature validation does not need to be repeated while the SAML token is cached.
keyAlias This custom property does not have a default value. Use this custom property to specify the key alias for a SAML consumer token.
keyName This custom property does not have a default value. Use this custom property to specify the key name for a SAML consumer token.
keyPassword This custom property does not have a default value. Use this custom property to specify the key password for a SAML consumer token.
keyStorePassword This custom property does not have a default value. Use this custom property to specify the keystore password for a SAML consumer token
keyStorePath This custom property does not have a default value. Use this custom property to specify the keystore file path for a SAML consumer token.
keyStoreRef This custom property does not have a default value. Use this custom property to specify the keystore reference for a SAML consumer token.

Sample:

name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
keyStoreType This custom property does not have a default value. Use this custom property to specify the keystore type for a SAML consumer token.
signatureRequired The default value is true. Use this custom property to specify whether a signature is required on a SAML assertion.
trustAnySigner The default value is false. Use this custom property to specify whether a recipient can trust any certificate that signs a SAML assertion.
trustedAlias This custom property does not have a default value. Use this custom property to specify the trusted STS certificate's alias for a SAML consumer token.
trustedIssuer_ The name is specified as trustedIssuer_n where n is an integer. This custom property does not have a default value. Use this custom property to specify the name of a trusted issuer.
trustedSubjectDN_ The value specified must be in the format trustedSubjectDN_n, where n is an integer. This custom property does not have a default value. Use this custom property to specify the X509Certificate's SubjectDN name for the trusted issuer.
trustStorePassword This custom property does not have a default value. Use this custom property to specify the truststore password for a SAML consumer token.
trustStorePath This custom property does not have a default value. Use this custom property to specify the truststore file path for a SAML consumer token.
trustStoreRef This custom property does not have a default value. Use this custom property to specify the truststore reference for a SAML consumer token.

Sample:

name=myTrustStoreRef managementScope=(cell):myCell:(node):myNode
trustStoreType This custom property does not have a default value. Use this custom property to specify the truststore type name for a SAML consumer token
validateAudienceRestriction Valid values are true or false. The default value is false which means that an AudienceRestriction assertion validation is not required. Use this custom property specify whether an AudienceRestriction assertion must be validated.
validateOneTimeUse Valid values are true or false. The default value is true, which means that OneTimeUse assertion validation is required. Use this custom property to specify whether a OneTimeUse assertion in SAML 2.0, or a DoNotCacheCondition in SAML 1.1 must be validated.
CRLPATH This custom property does not have a default value. Use this custom property to specify the file path to the list of revoked certificates for a SAML consumer token.
X509PATH This custom property does not have a default value. Use this custom property to specify the intermediate X509 certificate file path for a SAML consumer token.
CRLPATH_ The value specified must be in the format trustedSubjectDN_n, where n is an integer. This custom property does not have a default value. Use this custom property to specify the file path to the list of revoked X509 certificates for a SAML consumer token.
X509PATH_ The value specified must be in the format X509_path_n, where n is an integer. This custom property does not have a default value. Use this custom property to specify the file path for the intermediate X509 certificate for a SAML consumer token.

SAML token custom properties for both token generator and token consumer

The following table lists the callback handler custom properties that can be used to configure both SAML token generator and SAML token consumer bindings.

Table 3. SAML token callback handler custom properties for token generator and token consumer bindings. This table contains the custom property name, its values, and a short description.
Name Values Description
clockSkew The default value is [Updated in February 2014]3 minutes[Updated in February 2014]. Use this custom property to specify, in minutes, an adjustment to the times in the self-issued SAML token that the SAMLGenerateLoginModule creates.

The clockSkew custom property is set on the Callback handler of the SAML token generator that uses the SAMLGenerateLoginModule class. The value specified for this custom property must be numeric and is specified in minutes.

When a value is specified for this custom property, the following time adjustments are made in the self-issued SAML token that the SAMLGenerateLoginModule creates:
  • The new NotBefore time setting equals the initial NotBefore time setting, minus the amount of time specified for the clockSkew custom property.
  • The new NotAfter time setting equals the initial NotAfter time setting, plus the amount of time specified for the clockSkew custom property.
clientLabel This custom property does not have a default value. Use this custom property to specify, in bytes, the client label to use for the derived keys whenever a WSS API is used with the requested SAML token.
serviceLabel This custom property does not have a default value. Use this custom property to specify, in bytes, the service label to use for the derived keys whenever a WSS API is used with the requested SAML token.
keylength This custom property does not have a default value. Use this custom property to specify, in bytes, the derived key length to use for the derived keys whenever a WSS API is used with the requested SAML token.
nonceLength The default value is 128. Use this custom property to specify, in bytes, the derived nonce length to use for the derived keys whenever a WSS API is used with the requested SAML token.
requireDKT The default value is false. Use this custom property to specify an option for the derived keys whenever a WSS API is used with the requested SAML token.
useImpliedDKT The default value is false. Use this custom property to specify an option that is used with Implied derived keys whenever a WSS API is used with the requested SAML token.

Trust client custom properties

The following table lists the custom properties that can be used to configure trust client. When used in conjunction with a SAML token generator, these custom properties are added to the SAML token generator callback handler.

Table 4. Custom properties for the trust client.. This table contains the custom property name, its values, and a short description.
Name Values Description
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheEntries The default value is 1000. Use this custom property to specify the maximum number of STS service instance cache entries that can be maintained.
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheTimeout The default value is 60 minutes. Use this custom property to specify, in minutes, the length of time an STS service instance can be kept in a client side cache.
keyType The following keyTypes can be specified for WS-Trust 1.2:
  • http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

The following keyTypes can be specified for WS-Trust 1.3:

  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
  • ttp://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
  • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
Use this custom property to specify the keyType when making a WS-Trust request to STS.
wstrustClientBinding This custom property does not have a default value. Use this custom property to specify a binding name for the WS-trust client.
wstrustClientBindingScope This custom property does not have a default value. Use this custom property to specify the binding scope for the policy set that is attached to the WS-Trust client.
wstrustClientCollectionRequest Valid values are true or false. The default value is false which means that a RequestSecurityToken is used instead of a RequestSecurityTokenCollection. Use this custom property to specify whether a RequestSecurityTokenCollection is required in a WS-Trust request.
wstrustClientPolicy This custom property does not have a default value. Use this custom property to specify the policy set name for a WS-Trust client.
wstrustClientSoapVersion Valid values are 1.1 and 1.2. If no value is specified, the SOAP version defaults to SOAP version that the application client is using. Use this custom property to specify the SOAP version in a WS-Trust request.
wstrustClientWSTNamespace The default value is trust13. Valid values are trust12 and trust13. Use this custom property to specify the WS-Trust namespace for a WS-Trust request.
Reference topic    

Terms and conditions for information centers | Feedback

Last updated: April 17, 2014 04:48 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-base-iseries&topic=rwbs_saml_customproperties
File name: rwbs_saml_customproperties.html