You can use various SAML token propagation methods to include SAML tokens in outbound web services messages.
Four propagation methods are enabled. This table summarizes the propagation methods and the associated binding options:
SAML token propagation method | Binding option | Implementation details |
---|---|---|
Propagate the original SAML token. | The tokenRequest binding option is set to the value, propagation. | Sends the original SAML token from the server where the token was received to other servers using WS-Security. |
Propagate the user security name, unique security name, group IDs, and security realm name. | The tokenRequest binding option is set to the value, issueByWSCredential. | Overrides the default system implementation. The self-issued SAML token contains user security name, user unique security name, group IDs, and security realm name that are specified by the WSCredential object in user security context. |
Propagate the SAML token identity and attributes. | No binding option is set. | Default system implementation. The server self-generates a new SAML token containing the original SAML attributes, Authentication method, and NameIdentifier or SAML NameID, and sends the new self-generated SAML token to downstream servers using WS-Security. The new SAML token issuer name, issuer signing certificate, and lifetime are determined by the SAML provider configuration properties. |
Propagate the WSPrincipal. | The tokenRequest binding option is set to the value, issueByWSPrincipal. Note: Beginning in version 8, specifying either the issueByWSPrincipal or the issueByWSCredential value has the same result. If you are not already using the issueByWSPrincipal value, it is recommended that you use the issueByWSCredential value. If you are already using the issueByWSPrincipal value, it is recommended that you eventually replace that value with the issueByWSCredential value. | Overrides the default system implementation. The self-issued SAML token contains WSPrincipal information in the RunAs subject. The information is stored as NameIdentity or NameID without copying anything from the original SAML token, even if the token exists in the subject. |
Programmatically propagate a pre-existing SAML token. | Insert the SAML token that you want to propagate into the RequestContext using the property, com.ibm.wsspi.wssecurity.core.token.config.WSSConstants.SAMLTOKEN_IN_MESSAGECONTEXT. | Overrides all other existing binding options. |
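As an added illustration of the last row (not code from the original page or from IBM's documentation), a JAX-WS client helper that selects the programmatic propagation method: it takes a SAML token the caller already holds, refuses to forward it if it has expired, and otherwise places it in the RequestContext under the WSSConstants.SAMLTOKEN_IN_MESSAGECONTEXT property, which overrides the tokenRequest binding option. The SAMLToken type, its getSamlExpires() accessor, and the client port being a JAX-WS BindingProvider are assumptions; only the property name comes from the page.

```java
import java.util.Date;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import com.ibm.wsspi.wssecurity.core.token.config.WSSConstants;
// Assumed token type; the page names only the WSSConstants property.
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;

public class SamlPropagationClient {

    /**
     * Programmatic propagation: put a pre-existing SAML token into the
     * JAX-WS RequestContext so WS-Security sends it on the outbound message.
     * Returns false and leaves the context untouched when the token is
     * missing or expired, so the client falls back to whatever tokenRequest
     * binding option is configured instead of forwarding a stale assertion.
     */
    public static boolean propagateExisting(BindingProvider port, SAMLToken token) {
        if (token == null) {
            return false;
        }
        Date expires = token.getSamlExpires(); // assumed accessor name
        if (expires != null && !expires.after(new Date())) {
            return false; // token already expired: do not send it downstream
        }
        Map<String, Object> ctx = port.getRequestContext();
        // Property name from the page; this overrides all other binding options.
        ctx.put(WSSConstants.SAMLTOKEN_IN_MESSAGECONTEXT, token);
        return true;
    }

    /**
     * Remove a previously inserted token so the next call on the same port
     * reverts to the configured binding option.
     */
    public static void clearPropagation(BindingProvider port) {
        port.getRequestContext().remove(WSSConstants.SAMLTOKEN_IN_MESSAGECONTEXT);
    }
}
```

The RequestContext is per port proxy, so a token inserted this way is sent on every subsequent invocation through that proxy until it is removed.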