WAS v8.5 > Deploy applications > Deploy web services - Security (WS-Security) > Deploy applications that use SAML

Establish security context for web services clients using SAML security tokens

WebSphere Application Server supports two policy set caller binding configuration options to establish client security context using SAML security tokens in web services SOAP request messages. The two configuration options are mapping SAML tokens to a user entry in a local user repository and, asserting SAML tokens based on a trust relationship.

This task assumes that you are familiar with WAS SAML technology.

This task describes setting the WAS policy set caller binding configuration option to establish client security context using SAML security tokens in web services SOAP request messages. We can either map SAML tokens to a user entry in a local user repository or assert SAML tokens based on a trust relationship. The second configuration option does not require accessing the local user repository. Instead, the WS-Security runtime environment populates the client security context entirely using the contents of SAML security tokens. This process is based on a trust relationship to the SAML token issuer. If a SAML tokens specifies the sender-vouches subject confirmation method. the process is based on a trust relationship to the message sender.

  1. Configure a policy set caller binding and select the SAML token type to represent a web services client request.

    1. Click WebSphere enterprise applications > application_name > Service provider policy sets and bindings > binding_name > WS-Security > Callers.

    2. Click New to create the caller configuration.

    3. Specify a Name, such as caller.

    4. Enter a value for the Caller identity local part. For example, http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0, which must match the local part of the CustomToken element in the attached WS-Security policy.

    5. Click Apply and Save.

  2. Optional: Map SAML security tokens to a user entry in a local user repository. Mapping to a user entry is the default behavior when we configure a caller binding without specifying a configuration option. Alternatively and optionally, we can select this configuration option explicitly using the following steps:

    1. On the caller binding configuration page, add a Callback handler: com.ibm.websphere.wssecurity.callbackhandler.SAMLIdAssertionCallbackHandler.

    2. Add a Callback handler custom property, crossDomainIdAssertion, and set its value to false.

  3. Optional: Assert SAML security tokens based on trust relationship.

    1. On the caller binding configuration page, add a Callback handler: com.ibm.websphere.wssecurity.callbackhandler.SAMLIdAssertionCallbackHandler.

    2. Add a Callback handler custom property, crossDomainIdAssertion, and set its value to true.

    In WAS v7.0 Fix Pack 7 and later releases, the WS-Security runtime environment takes a SAML token Issuer name to represent the foreign security realm name. WS-Security takes the NameID element in the case of SAML 2.0 security tokens or the NameIdentifier element in the case of SAML 1.1 security tokens to represent user security name. Alternatively, we can explicitly specify which SAML token attribute to use to represent user security name. Moreover, we can also specify which SAML token attribute to use to represent user group membership. Read about SAML assertions across WAS security domains for a detailed discussion of the SAML token assertion trust model and binding configuration.

    v8.x supports propagating select security context data in SAML tokens. Set a tokenRequest custom property with an issueByWSCredential property value in the WS-Security binding configuration of the web services client. Read about propagating SAML tokens for a detailed description of this binding option. When the crossDomainIdAssertion property is set to true in v8.x, WS-Security checks whether a SAML token contains a SAML Attribute UniqueSecurityName with a NameFormat element with a value of com.ibm.websphere.security.cred.WSCredential. If found, WS-Security uses the NameQualifier attribute value of the NameID element or NameIdentifier element to represent the user security realm name. WS-Security also uses the UniqueSecurityName attribute value and the GroupIds attribute value to represent a unique user name and group membership. This default behavior is different between v7 and v8.x of the product. We can add a CallbackHandler property, IssuerNameForRealm, and set its value to true to configure v8.x to preserve the v7 behavior. Alternatively, we can add a CallbackHandler property, NameQualifierForRealm, and set its value to true to configure v8.x to always use the NameQualifier attribute to represent the user security realm name.


Results

You have configured a web service to establish a client security context using the SAML security token in the web services SOAP request messages.


Example

The following example illustrates the NameIdentifier and Attribute elements from a self-issued SAML 1.1 assertion based on WSCredential:

The following example illustrates the NameID and Attribute elements from a self-issued SAML 2.0 assertion based on WSCredential: 

<saml2:AttributeStatement>     <saml2:Attribute Name="UniqueSecurityName" NameFormat="com.ibm.websphere.security.cred.WSCredential" />     <saml2:AttributeValue>uid=alice,dc=example,dc=com</saml2:AttributeValue>     <saml2:Attribute>         <saml2:Attribute AttributeName="GroupIds" NameFormat="com.ibm.websphere.security.cred.WSCredential" />         <saml2:AttributeValue>cn=development,dc=example,dc=com</saml2:AttributeValue>         <saml2:AttributeValue>cn=deployment,dc=example,dc=com</saml2:AttributeValue>         <saml2:AttributeValue>cn=test,dc=example,dc=com</saml2:AttributeValue>     </saml2:Attribute> <saml2:AttributeStatement> 
<saml2:NameID NameQualifier="ldap.example.com:9060">alice</saml2:NameID>


Related concepts:

SAML concepts
SAML usage scenarios


Related


Propagating SAML tokens


Related information:

SAML assertions across WAS security domains


+

Search Tips   |   Advanced Search