
Enable a web services client to request SAML assertions from an external Security Token Service (STS)

When communicating with an external security token service (STS), WebSphere Application Server with SAML supports web services clients using the Web Services Security policy set and bindings.

A web services client uses two sets of policy set attachments:

Policy sets and bindings used when communicating with the target web services provider are attached to the web services client. In contrast, policy sets and bindings that enable STS communication are not directly attached to the web services clients. Instead, policy sets and bindings that enable STS communication are specified as custom properties in the web services client binding document. Use general bindings or application-specific bindings to communicate with an STS.

Using a general binding to access an STS is straightforward; simply specify the general binding name in the custom properties. The procedure to configure application-specific bindings to access an STS is more involved. The console is designed to manage policy set attachments to communicate with a web service provider. The console is not designed to manage a second set of policy set attachments to communicate to an STS. However, we can use the console to manage a policy set attachment to access an STS, as described in the procedure.

Use the console to attach the policy set used to access an STS to a web services client, and then create and modify an application-specific binding. Once the binding configuration is complete, detach the policy set and binding from the web services client. This procedure is necessary because the next step is to attach the policy set and bindings to communicate to the target web services provider. Detached application-specific bindings are not deleted from the file system, so the web services client bindings custom properties can successfully refer to the detached application-specific bindings.

The procedure uses a default application policy set, Username WSHTTPS default, as an example to describe the configuration steps to access the STS. The steps can also be applied to other policy sets. The web services application, JaxWSServicesSamples, is used in the example. JaxWSServicesSamples is not installed by default.


Procedure

  1. Import the Username WSHTTPS default policy set.

    In this example, the Username WSHTTPS default policy is used to demonstrate the procedure, but we can use a different policy set to configure the bindings, if the policy set meets the policy requirements of the external STS.

  2. Attach a policy set for the trust client. Click...

      The steps that pertain to attaching and detaching the policy set, and configuring the trust client binding, are required only if an application-specific binding is used to access the external STS. We can skip these steps, and go to the step that discusses configuring communication with the STS, if a general binding is used to access the external STS.

      1. Select the check box for the web services client resource.

      2. Click Attach Client Policy Set.

      3. Select the policy set, Username WSHTTPS default.

      This step attaches the policy set to the web services trust client, as you would do to use this policy set for the application client to access the target web services. However, since you plan to use the Username WSHTTPS default policy set to access an external STS instead, the policy set is only temporarily attached to the web services client. The purpose of this step is to allow you to use the console to create or to modify the client binding document.

  3. Configure the trust client binding.

      1. Select the web services client resource again.

      2. In the Service client policy sets and bindings panel, click Assign Binding.

      3. To create an application-specific binding, click New Application Specific Binding.

      4. Specify a binding configuration name for the new application-specific binding. In this example, the binding name is SamlTCSample.

      5. Add the SSL transport policy type to the binding. Optionally, we can modify the NodeDefaultSSLSettings settings. Click...

  4. Optional: We can create an HTTP transport binding using the previous steps to configure a user name and password to add to the HTTP header, or to configure a proxy. If we elect not to create an HTTP transport binding, the web services runtime environment uses the default HTTP transport settings.

  5. Add the WS-Security policy type to the binding, then modify the authentication settings.

      1. Click...

          Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings > SamlTCSample > Add > WS-Security > Authentication and protection > request:uname_token > Apply.

      2. Select Callback handler.

      3. Specify a user name and password (and confirm the password) to authenticate the web services client to the external STS.

      4. Click OK and Save.

  6. After the binding settings are saved, return to the Service client policy sets and bindings panel to detach the policy set and bindings.

          Applications > Application types > WebSphere enterprise applications > JaxWSServicesSamples > Service client policy sets and bindings > check box for the web services client resource > Detach client policy set

      The application-specific binding configuration created in the previous steps is not deleted from the file system when the policy set is detached. This means that we can still use the application-specific binding created to access the STS.

  7. Import the SSL certificate from the external STS.

      1. Click:

      2. Specify the host and port of the external STS server, and assign an alias to the certificate. Use the SSL STS port.

      3. Click Retrieve signer information.

      4. Click Apply and Save to copy the retrieved certificate to the NodeDefaultTrustStore object.

  8. Optional: If further modifications to the wstrustClientBinding configuration are needed, and the wstrustClientBinding property is pointing to an application-specific binding, we must attach the application-specific binding to the web services client before we can complete the modifications. The attachment is temporary. As detailed in the previous steps, we can detach the modified application-specific binding from the web services client after the modification is completed.
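As an added example that is not part of this documentation page or of WebSphere itself: the shape of the WS-Trust exchange that the trust client binding configured above drives when the client calls the STS. The UsernameToken carries the credentials from the callback handler, which is why the binding pairs it with the SSL transport; the STS answers with the SAML assertion the client then presents to the provider. It assumes SOAP 1.2, WS-Trust 1.3 namespaces and a SAML 2.0 token request; the host names, credentials and assertion values are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
# Namespaces of the WS-Trust 1.3 / WS-Security / SAML 2.0 messages exchanged with the STS.
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML20 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
PW_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

def build_rst(username, password, applies_to):
    """Issue request: the callback handler's UsernameToken (clear text, hence the SSL transport) plus a RequestSecurityToken for SAML 2.0."""
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wst="{NS["wst"]}"'
            f' xmlns:wsp="{NS["wsp"]}" xmlns:wsa="{NS["wsa"]}"><s:Header>'
            '<wsse:Security s:mustUnderstand="true"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{PW_TEXT}">{escape(password)}</wsse:Password>'
            '</wsse:UsernameToken></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken>'
            f'<wst:TokenType>{SAML20}</wst:TokenType><wst:RequestType>{NS["wst"]}/Issue</wst:RequestType>'
            f'<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>{escape(applies_to)}</wsa:Address>'
            '</wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityToken></s:Body></s:Envelope>')

def parse_rstr(xml_text):
    """Extract the issued assertion and the fields a relying party checks before accepting it."""
    root = ET.fromstring(xml_text)
    a = root.find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if a is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion")
    cond = a.find("saml:Conditions", NS)
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {"id": a.get("ID"),
            "issuer": a.findtext("saml:Issuer", namespaces=NS),
            "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "not_before": None if cond is None else cond.get("NotBefore"),
            "not_on_or_after": None if cond is None else cond.get("NotOnOrAfter"),
            "audience": None if aud is None else aud.text}

# Constructed sample response (not captured from a real STS): what the STS returns after accepting the UsernameToken.
SAMPLE_RSTR = (f'<s:Envelope xmlns:s="{NS["s"]}"><s:Body><wst:RequestSecurityTokenResponseCollection'
               f' xmlns:wst="{NS["wst"]}"><wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>'
               f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed-1" Version="2.0">'
               '<saml:Issuer>https://sts.example/issuer</saml:Issuer><saml:Subject><saml:NameID>wsclient'
               '</saml:NameID></saml:Subject><saml:Conditions NotBefore="2024-01-01T00:00:00Z"'
               ' NotOnOrAfter="2024-01-01T01:00:00Z"><saml:AudienceRestriction><saml:Audience>'
               'https://provider.example/service</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
               '</saml:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>'
               '</wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>')
```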


Results

After successfully completing the steps, the web services client is ready to send requests to the external STS. To enable this function, the following conditions and settings were activated when you completed the procedure:


What to do next

Complete the web services client and web services provider configuration. See Configure client and provider bindings for the SAML bearer token for more information.


Related tasks

  • Configure client and provider bindings for the SAML bearer token
  • Configure client and provider bindings for the SAML holder-of-key symmetric key token