Web services security SAML token custom properties

Web services security SAML token custom properties

When we configure a web services security SAML token, we can configure name-value pairs of data, where the name is a property key and the value is a string value we can use to set internal system configuration properties. Use these configuration properties, along with the options provided in the administrative console, to control how the SAML token is generated or consumed.

To configure these SAML custom properties, in the administrative console, go to either...
Services > [Service provider|Service client] > application | binding

...or...
Applications > Application Types > WebSphere enterprise applications > application > Web Services Properties > [Service provider policy sets and bindings or Service client policy sets and bindings] > binding

We must have previously attached a policy set and assigned a binding. The application must contain a service provider or a service client.
Go to:

Policies table > WS-Security > Main Message Security Policy Bindings heading > Authentication and protection > Authentication tokens heading > authentication token > Additional Bindings heading > Callback handler > Custom Properties heading > name and value pairs

Use the token, which is processed by the generic security token login module, for authentication only. We cannot use the token as a protection token.

SAML token generator custom properties

The following table lists the callback handler custom properties that can only be used to configure SAML token generator bindings.

Name Values Description
appliesTo No default value. Used for the requested SAML token when a WSS API is used.
audienceRestriction Valid values are true and false. The default behavior is true, which includes AudienceRestrictionCondition in the SAML token. Applies to self-issued SAML tokens. Specifies whether the AudienceRestrictionCondition element is included in the SAML token.
authenticationMethod No default value. Applies to self-issued SAML tokens. Specifies the value for the AuthenticationMethod attribute on the AuthenticationStatement element in the SAML token. When this custom property is specified, the Subject will be contained in an AuthenticationStatement instead of an AttributeStatement.
cacheCushion The default is 5 minutes. The amount of time, in minutes, before the expiration time of a SAML token expires and a new token must be issued. For example, if the cacheCushion is set to 5 minutes and the SAML token will expire in 2 minutes, it will not be re-used; a new SAML token will be issued. When the runtime is in the process of caching a SAML token, a token that is beyond the cache cushion will not be cached.
cacheToken Valid values are true and false. The default behavior is true, which allows SAML token caching for reuse. Specify whether a SAML token can be cached for reuse.
com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath The default is ./config/cells/cell/sts/SAMLIssuerConfig.properties The file path to the configuration data to use when generating a self-issued SAML token.
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheEntries The default is 250. Use this JVM custom property to specify the maximum number of cache entries that can be maintained.
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheTimeout The default is 60 minutes. Used only for SAML tokens for which the expiration time is unknown (tokens that are encrypted or an expiration is not included with the token in the response from the STS). For SAML tokens for which the expiration time is unknown, the SamlTokenCacheTimeout is used to substitute for the expiration time. For a new SAML token that will enter the cache under this criteria, its expiration time will be (current_time)+SamlTokenCacheTimeout. The conditions described for the cacheCushion property will still apply, so keep the cacheCushion value in mind when altering the value for the SamlTokenCacheTimeout.
confirmationMethod Valid values include bearer, holder-of-key, and sender-vouches. The default is bearer. The SAML token subject ConfirmationMethod.
com.ibm.wsspi.wssecurity.saml.get.SamlToken True or false. The default is false. Use to get the SAML token to RequestContext.
com.ibm.wsspi.wssecurity.saml.put.SamlToken True or false. The default is false. Set the SAML token to RequestContext.
failOverToTokenRequest True or false. Default is true, which means that the web services security runtime always issues a new SAML token if the input token is invalid. Specify whether the web services security runtime should use the attached policy set to issue a new SAML token if the input SAML token in the RequestContext is invalid.
recipientAlias No default value. The target service alias for a certificate.
signToken True or false. The default is false. Specify whether a SAML token should be signed with an application message.
sslConfigAlias If a value is not specified for this property, the default SSL alias defined in the system's SSL configuration is used.
This property is optional.
The alias to an SSL configuration that a WS-Trust client uses to request a SAML token.
stsURI No default value. The SecurityTokenService (STS) address.
keySize No default value. The KeySize when requesting a SecretKey from STS.
tokenRequest Valid values include issue, propagation,issueByWSCredential, and issueByWSPrincipal. The default is issue. The SAMLToken request method. For more information about the values that can be specified for this property, see the topic Propagate SAML tokens
tokenType No default value. Set the required token type to SAMLGenerateCallback
usekeyType This custom property is optional. The valid values are KeyValue, X509Certificate, and X509IssuerSerial. Usekey type, which tells the client to generate a specific type of key Information.
WSSConsumingContext No default value. Specify the WSSConsumingContext object that the WS-Trust client uses to request a SAML token.
WSSGenerationContext No default value. Specify the WSSGenerationContext object that the WS-Trust client uses to request a SAML token.
NameID No default value. Set the NameID in the Subject of a self-issued SAML token. When the generator is configured to self-issue a token, if the NameID property is not specified, an attempt is made to generate a token from a SAML token in the runAs subject. If no SAML token is present on the runAs subject, the token is built from scratch and the NameID in the Subject will be set to UNAUTHENTICATED. For more information on generating self-issued SAML tokens using settings in the WS-Security bindings, see SAML Issuer Config Properties.

SAML token consumer custom properties

The following table lists the callback handler custom properties that can only be used to configure SAML token consumer bindings.

Name Values Description
allowUnencKeyInHok True or false. Default is true, which means that unencrypted keys are allowed. The SAML token consumer can accept an unencrypted key in a SAML holder-of-key token.
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheEntries An integer. The default is 1000. The number of signature cache entries that can be maintained. for a SAML consumer token.
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheTimeout An integer. The default is 60 minutes. The number of minutes a SAML token is to be cached. A signature validation does not need to be repeated while the SAML token is cached.
keyAlias No default value. The alias of the decrypting private key as defined in the keystore.
keyName No default value. The name of the decrypting private key as defined in the keystore file. This name is for reference and is not evaluated by the runtime.
keyPassword No default value. The password of the decrypting private key as defined in the keystore file (the password should must be XOR encoded). See encoding passwords in files.
keyStorePassword No default value. The password of the keystore file. The password can be XOR encoded. See encoding passwords in files.
keyStorePath No default value. The file path of the keystore file containing the decrypting key.
keyStoreRef No default value. A reference to a managed keystore in security.xml containing the decrypting key.
Sample:
name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
keyStoreType No default value. The keystore type of the keystore file.
signatureRequired Default is true. Specify whether a signature is required on a SAML assertion. If any trustedSubjectDN_n custom properties are defined when this property is set to false, we get a CWWSS7542E message when a SAML token is consumed
trustAnySigner The default is false. Specify whether a recipient can trust any certificate that signs a SAML assertion.
trustedAlias No default value. The trusted STS certificate's alias for a SAML consumer token.
trustedIssuer_ The name is specified as trustedIssuer_n where n is an integer. No default value. The name of a trusted issuer.
If n is the same number for a trustedIssuer_n entry and a trustedSubjectDN_n entry, the token must match both conditions to be trusted.

trustedSubjectDN_ The value specified must be in the format trustedSubjectDN_n, where n is an integer. This custom property does not have a default value. The X509Certificate's SubjectDN name for the trusted issuer. If we set this property when signatureRequired=false, we get a CWWSS7542E message when a SAML token is consumed
If n is the same number for a trustedIssuer_n entry and a trustedSubjectDN_n entry, the token must match both conditions to be trusted.

trustStorePassword No default value. The truststore password for a SAML consumer token.
trustStorePath No default value. The truststore path for a SAML consumer token.
trustStoreRef No default value. The truststore reference for a SAML consumer token.
Sample:
name=myTrustStoreRef managementScope=(cell):myCell:(node):myNode
trustStoreType No default value. The keystore type for the truststore.
validateAudienceRestriction True or false. The default is false which means an AudienceRestriction assertion validation is not required. Specifies whether an AudienceRestriction assertion must be validated.
validateOneTimeUse True or false. Default is true, which means that OneTimeUse assertion validation is required. Specify whether a OneTimeUse assertion in SAML 2.0, or a DoNotCacheCondition in SAML 1.1 must be validated.
CRLPATH No default value. The file path to the list of revoked certificates for a SAML consumer token.
X509PATH No default value. The intermediate X509 certificate file path for a SAML consumer token.
CRLPATH_ The value specified must be in the format trustedSubjectDN_n, where n is an integer. This custom property does not have a default value. The file path to the list of revoked X509 certificates for a SAML consumer token.
X509PATH_ The value specified must be in the format X509_path_n, where n is an integer. No default value. The file path for the intermediate X509 certificate for a SAML consumer token.

SAML token custom properties for both token generator and token consumer

The following table lists the callback handler custom properties used to configure both SAML token generator and SAML token consumer bindings.

Name Values Description
clockSkew The default is 3 minutes. The time, in minutes, an adjustment to the times in the self-issued SAML token that the SAMLGenerateLoginModule creates.
The clockSkew custom property is set on the Callback handler of the SAML token generator that uses the SAMLGenerateLoginModule class. The value specified for this custom property must be numeric and is specified in minutes.

When a value is specified for this custom property, the following time adjustments are made in the self-issued SAML token that the SAMLGenerateLoginModule creates:

The new NotBefore time setting equals the initial NotBefore time setting, minus the amount of time specified for the clockSkew custom property.
The new NotAfter time setting equals the initial NotAfter time setting, plus the amount of time specified for the clockSkew custom property.

clientLabel No default value. The client label, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
serviceLabel No default value. The service label, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
keylength No default value. The derived key length, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
nonceLength The default is 128. The derived nonce length, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
requireDKT The default is false. Specify an option for the derived keys whenever a WSS API is used with the requested SAML token.
useImpliedDKT The default is false. Specify an option used with Implied derived keys whenever a WSS API is used with the requested SAML token.

SAML token generator properties for self-issued tokens

The following table lists the callback handler custom properties that can only be used to configure SAML token generator bindings for self-issued SAML tokens.

Policy bindings property name Sample property value Property description
com.ibm.wsspi.wssecurity.saml.config.issuer.oldEnvelopedSignature true Use only if we are setting the com.ibm.wsspi.wssecurity.dsig.enableEnvelopedSignatureProperty JVM custom property to true. See the topic JVM custom properties for a description of when we might want to use this JVM custom property.
com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerFormat urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName Value for the Format attribute of the Issuer element in the SAML token.
To add the Format attribute to the Issuer element, specify this property.
com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerURI http://www.websphere.ibm.com/SAML/SelfIssuer The URI of the issuer.
com.ibm.wsspi.wssecurity.saml.config.issuer.TimeToLiveMilliseconds 3600000 Amount of time before expiration of the token. Set the NotOnOrAfter attributes in the token. NotOnOrAfter is set to (currentTime)+TimeToLive+(currentClockSkew).
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreRef name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode A reference to a managed keystore in security.xml containing the signing key.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePath app_server_root/etc/ws-security/samples/dsig-receiver.ks The location of the keystore file containing the signing key.

We must modify this value from the default value to match the path location for our system.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreType JKS The keystore type.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePassword password The password of the keystore file (the password must be XOR encoded). See encoding passwords in files.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyAlias soapprovider The alias of the signing private key as defined in the keystore.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyName CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP The name of the signing private key as defined in the keystore file. This name is for reference and is not evaluated by the runtime.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyPassword password The password of the private key as defined in the keystore file (the password must be XOR encoded).
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreRef name=myTrustStoreRef managementScope=(cell):myCell:(node):myNode A reference to a managed keystore in security.xml containing the encrypting certificate.
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePath app_server_root/etc/ws-security/samples/dsig-receiver.ks The location of the store file containing the encrypting certificate.

We must modify this value from the default value to match the path location for our system.
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreType JKS The store type of the store file containing the encrypting certificate.
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePassword password The password for the store file containing the encrypting certificate.
com.ibm.wsspi.wssecurity.saml.config.issuer.AttributeProvider com.mycompany.SAML.AttributeProviderImpl Implementation class of attribute provider.

The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.Saml11AttributeCallback or com.ibm.websphere.wssecurity.callbackhandler.Saml20AttributeCallback callback object, then update the SAMLAttribute list received from the getSAMLAttributes method invoked from that object.
For more information, please refer to Adding attributes to self-issued SAML tokens using the API.

com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptingAlias soaprecipient The entry in the store file provided on the TrustStore property containing the public certificate that will be used to encrypt the SAML token. When generating a self-issued token with APIs, an alias set on the RequesterConfig using the setKeyAliasForAppliesTo method will take precedence over the value supplied for this property.
com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptSAML true
Set to true to generate an encrypted SAML token. The default value for this property is false.

When generating a self-issued token with APIs, we can also indicate to encrypt the SAML token using the setEncryptSAML(true) method on the RequesterConfig object. The SAML token will be encrypted if either setEncryptSAML=true on the RequesterConfig object or the EncryptSAML custom property is set to true.

com.ibm.wsspi.wssecurity.saml.config.issuer.NameIDProvider com.mycompany.SAML.NameIDProviderImpl Implementation class of name ID provider.

The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback callback object, then call the setSAMLNameID method on that object to update the NameID.
For more information, please refer to Customizing the NameID for self-issued SAML tokens using the API.

com.ibm.wsspi.wssecurity.saml.config.issuer.UseSha2ForSignature true Set to true to use the SHA-2 signature algorithm, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, when signing the SAML token.

Trust client custom properties

The following table lists the custom properties used to configure trust client. When used in conjunction with a SAML token generator, these custom properties are added to the SAML token generator callback handler.
Name Values Description
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheEntries The default is 1000. The maximum number of STS service instance cache entries that can be maintained.
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheTimeout The default is 60 minutes. The length of time, in minutes, an STS service instance can be kept in a client side cache.
keyType The following keyTypes can be specified for WS-Trust 1.2:

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

The following keyTypes can be specified for WS-Trust 1.3:

http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
ttp://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer

The keyType to use when making a WS-Trust request to STS.
wstrustActAsRequired Valid values are true and false.The default is false. Set to true when a SAML token is to be inserted into an STS request in the ActAs element. The SAML token must exist on the current runAs Subject or on the JAAS login shared state object. A token in the JAAS login shared state takes precedence over one in the runAs subject. If both onBehalfOfRequired and actAsRequired are set to true, only the OnBehalfOf element will be inserted into the STS request. See Generating and consuming SAML tokens using stacked JAAS login modules.
wstrustActAsTokenType Valid values are http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 and http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0. The default is the type of the token being generated with the SAML generator callback handler. Set to the token type of the SAML token to insert into the message in the ActAs element in the STS request.
wstrustActAsReIssue Valid values are true and false.The default is false. Set to true to insert a SAML token into the ActAsReIssue element that is in the STS request, or a SAML token from the runAs subject that is re-issued with signature and encryption settings in the SAML generator callback handler. A SAML token obtained from the JAAS login shared state object cannot be re-issued.
wstrustClientBinding No default value. A binding name for the WS-trust client.
wstrustClientBindingScope No default value. The binding scope for the policy set that is attached to the WS-Trust client.
wstrustClientCollectionRequest True or false. The default is false which means that a RequestSecurityToken is used instead of a RequestSecurityTokenCollection. Specify whether a RequestSecurityTokenCollection is required in a WS-Trust request.
wstrustClientOnBehalfOfCallbackHandle

No default value. Example value: com.acme.myOnBehalfOfCallbackHandler
Specify a custom callback handler to obtain the XML for the OnBehalfOf element for the trust request. This option is used when the OnBehalfOf setting is not static for the configuration and must change on a per-request basis. The custom callback handler will use a com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback and must do the following to pass the XML string back to the runtime:
Map wssContext = ((PropertyCallback)callback).getProperties();
wssContext.put("wstrustClientOnBehalfOf", xmlString);
The wssContext that is obtained from the PropertyCallback can be used with methods in the com.ibm.websphere.wssecurity.wssapi.WSSUtilFactory class if the custom callback handler needs access to the MessageContext, HTTP headers, and so on.

If the OnBehalfOf setting is static for the configuration, instead of using wstrustClientOnBehalfOfCallbackHandler, set the wstrustClientOnBehalfOf property to the desired XML in the callback handler custom properties.
wstrustClientPolicy No default value. The policy set name for a WS-Trust client.
wstrustClientSoapVersion Valid values are 1.1 and 1.2. If no value is specified, the SOAP version defaults to SOAP version that the application client is using. The SOAP version in a WS-Trust request.
wstrustClientWSTNamespace The default is trust13. Valid values are trust12 and trust13. The WS-Trust namespace for a WS-Trust request.
wstrustOnBehalfOfRequired Valid values are true and false. The default is false. Set to true when a SAML token is to be inserted into an STS request in the OnBehalfOf element. The SAML token must exist on the current runAs Subject or on the JAAS login shared state object. A token in the JAAS login shared state takes precedence over one in the runAs subject. See Generate and consume SAML tokens using stacked JAAS login modules
wstrustOnBehalfOfTokenType Valid values are http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 and http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0. The default is the type of the token being generated with the SAML generator callback handler. Set to the token type of the SAML token to insert into the message in the OnBehalfOf element in the STS request.
wstrustOnBehalfOfReIssue Valid values are true and false.The default is false. Set to true to insert a SAML token into the OnBehalfOf element in the STS request a SAML token from the runAs subject that is re-issued with signature and encryption settings in the SAML generator callback handler. A SAML token obtained from the JAAS login shared state object cannot be re-issued.
Configure custom properties to secure web services
Generate and consume SAML tokens using stacked JAAS login modules
Inbound and outbound custom properties
Web services security custom properties
SAML Issuer Config Properties
Propagate SAML tokens

Name	Values	Description
appliesTo	No default value.	Used for the requested SAML token when a WSS API is used.
audienceRestriction	Valid values are true and false. The default behavior is true, which includes AudienceRestrictionCondition in the SAML token.	Applies to self-issued SAML tokens. Specifies whether the AudienceRestrictionCondition element is included in the SAML token.
authenticationMethod	No default value.	Applies to self-issued SAML tokens. Specifies the value for the AuthenticationMethod attribute on the AuthenticationStatement element in the SAML token. When this custom property is specified, the Subject will be contained in an AuthenticationStatement instead of an AttributeStatement.
cacheCushion	The default is 5 minutes.	The amount of time, in minutes, before the expiration time of a SAML token expires and a new token must be issued. For example, if the cacheCushion is set to 5 minutes and the SAML token will expire in 2 minutes, it will not be re-used; a new SAML token will be issued. When the runtime is in the process of caching a SAML token, a token that is beyond the cache cushion will not be cached.
cacheToken	Valid values are true and false. The default behavior is true, which allows SAML token caching for reuse.	Specify whether a SAML token can be cached for reuse.
com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath	The default is ./config/cells/cell/sts/SAMLIssuerConfig.properties	The file path to the configuration data to use when generating a self-issued SAML token.
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheEntries	The default is 250.	Use this JVM custom property to specify the maximum number of cache entries that can be maintained.
com.ibm.wsspi.wssecurity.saml.client.SamlTokenCacheTimeout	The default is 60 minutes.	Used only for SAML tokens for which the expiration time is unknown (tokens that are encrypted or an expiration is not included with the token in the response from the STS). For SAML tokens for which the expiration time is unknown, the SamlTokenCacheTimeout is used to substitute for the expiration time. For a new SAML token that will enter the cache under this criteria, its expiration time will be (current_time)+SamlTokenCacheTimeout. The conditions described for the cacheCushion property will still apply, so keep the cacheCushion value in mind when altering the value for the SamlTokenCacheTimeout.
confirmationMethod	Valid values include bearer, holder-of-key, and sender-vouches. The default is bearer.	The SAML token subject ConfirmationMethod.
com.ibm.wsspi.wssecurity.saml.get.SamlToken	True or false. The default is false.	Use to get the SAML token to RequestContext.
com.ibm.wsspi.wssecurity.saml.put.SamlToken	True or false. The default is false.	Set the SAML token to RequestContext.
failOverToTokenRequest	True or false. Default is true, which means that the web services security runtime always issues a new SAML token if the input token is invalid.	Specify whether the web services security runtime should use the attached policy set to issue a new SAML token if the input SAML token in the RequestContext is invalid.
recipientAlias	No default value.	The target service alias for a certificate.
signToken	True or false. The default is false.	Specify whether a SAML token should be signed with an application message.
sslConfigAlias	If a value is not specified for this property, the default SSL alias defined in the system's SSL configuration is used. This property is optional.	The alias to an SSL configuration that a WS-Trust client uses to request a SAML token.
stsURI	No default value.	The SecurityTokenService (STS) address.
keySize	No default value.	The KeySize when requesting a SecretKey from STS.
tokenRequest	Valid values include issue, propagation,issueByWSCredential, and issueByWSPrincipal. The default is issue.	The SAMLToken request method. For more information about the values that can be specified for this property, see the topic Propagate SAML tokens
tokenType	No default value.	Set the required token type to SAMLGenerateCallback
usekeyType	This custom property is optional. The valid values are KeyValue, X509Certificate, and X509IssuerSerial.	Usekey type, which tells the client to generate a specific type of key Information.
WSSConsumingContext	No default value.	Specify the WSSConsumingContext object that the WS-Trust client uses to request a SAML token.
WSSGenerationContext	No default value.	Specify the WSSGenerationContext object that the WS-Trust client uses to request a SAML token.
NameID	No default value.	Set the NameID in the Subject of a self-issued SAML token. When the generator is configured to self-issue a token, if the NameID property is not specified, an attempt is made to generate a token from a SAML token in the runAs subject. If no SAML token is present on the runAs subject, the token is built from scratch and the NameID in the Subject will be set to UNAUTHENTICATED. For more information on generating self-issued SAML tokens using settings in the WS-Security bindings, see SAML Issuer Config Properties.

Name	Values	Description
allowUnencKeyInHok	True or false. Default is true, which means that unencrypted keys are allowed.	The SAML token consumer can accept an unencrypted key in a SAML holder-of-key token.
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheEntries	An integer. The default is 1000.	The number of signature cache entries that can be maintained. for a SAML consumer token.
com.ibm.wsspi.wssecurity.saml.signature.SignatureCacheTimeout	An integer. The default is 60 minutes.	The number of minutes a SAML token is to be cached. A signature validation does not need to be repeated while the SAML token is cached.
keyAlias	No default value.	The alias of the decrypting private key as defined in the keystore.
keyName	No default value.	The name of the decrypting private key as defined in the keystore file. This name is for reference and is not evaluated by the runtime.
keyPassword	No default value.	The password of the decrypting private key as defined in the keystore file (the password should must be XOR encoded). See encoding passwords in files.
keyStorePassword	No default value.	The password of the keystore file. The password can be XOR encoded. See encoding passwords in files.
keyStorePath	No default value.	The file path of the keystore file containing the decrypting key.
keyStoreRef	No default value.	A reference to a managed keystore in security.xml containing the decrypting key. Sample: name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
keyStoreType	No default value.	The keystore type of the keystore file.
signatureRequired	Default is true.	Specify whether a signature is required on a SAML assertion. If any trustedSubjectDN_n custom properties are defined when this property is set to false, we get a CWWSS7542E message when a SAML token is consumed
trustAnySigner	The default is false.	Specify whether a recipient can trust any certificate that signs a SAML assertion.
trustedAlias	No default value.	The trusted STS certificate's alias for a SAML consumer token.
trustedIssuer_	The name is specified as trustedIssuer_n where n is an integer. No default value.	The name of a trusted issuer. If n is the same number for a trustedIssuer_n entry and a trustedSubjectDN_n entry, the token must match both conditions to be trusted.
trustedSubjectDN_	The value specified must be in the format trustedSubjectDN_n, where n is an integer. This custom property does not have a default value.	The X509Certificate's SubjectDN name for the trusted issuer. If we set this property when signatureRequired=false, we get a CWWSS7542E message when a SAML token is consumed If n is the same number for a trustedIssuer_n entry and a trustedSubjectDN_n entry, the token must match both conditions to be trusted.
trustStorePassword	No default value.	The truststore password for a SAML consumer token.
trustStorePath	No default value.	The truststore path for a SAML consumer token.
trustStoreRef	No default value.	The truststore reference for a SAML consumer token. Sample: name=myTrustStoreRef managementScope=(cell):myCell:(node):myNode
trustStoreType	No default value.	The keystore type for the truststore.
validateAudienceRestriction	True or false. The default is false which means an AudienceRestriction assertion validation is not required.	Specifies whether an AudienceRestriction assertion must be validated.
validateOneTimeUse	True or false. Default is true, which means that OneTimeUse assertion validation is required.	Specify whether a OneTimeUse assertion in SAML 2.0, or a DoNotCacheCondition in SAML 1.1 must be validated.
CRLPATH	No default value.	The file path to the list of revoked certificates for a SAML consumer token.
X509PATH	No default value.	The intermediate X509 certificate file path for a SAML consumer token.
CRLPATH_	The value specified must be in the format trustedSubjectDN_n, where n is an integer. This custom property does not have a default value.	The file path to the list of revoked X509 certificates for a SAML consumer token.
X509PATH_	The value specified must be in the format X509_path_n, where n is an integer. No default value.	The file path for the intermediate X509 certificate for a SAML consumer token.

Name	Values	Description
clockSkew	The default is 3 minutes.	The time, in minutes, an adjustment to the times in the self-issued SAML token that the SAMLGenerateLoginModule creates. The clockSkew custom property is set on the Callback handler of the SAML token generator that uses the SAMLGenerateLoginModule class. The value specified for this custom property must be numeric and is specified in minutes. When a value is specified for this custom property, the following time adjustments are made in the self-issued SAML token that the SAMLGenerateLoginModule creates: The new NotBefore time setting equals the initial NotBefore time setting, minus the amount of time specified for the clockSkew custom property. The new NotAfter time setting equals the initial NotAfter time setting, plus the amount of time specified for the clockSkew custom property.
clientLabel	No default value.	The client label, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
serviceLabel	No default value.	The service label, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
keylength	No default value.	The derived key length, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
nonceLength	The default is 128.	The derived nonce length, in bytes, to use for the derived keys whenever a WSS API is used with the requested SAML token.
requireDKT	The default is false.	Specify an option for the derived keys whenever a WSS API is used with the requested SAML token.
useImpliedDKT	The default is false.	Specify an option used with Implied derived keys whenever a WSS API is used with the requested SAML token.

Policy bindings property name	Sample property value	Property description
com.ibm.wsspi.wssecurity.saml.config.issuer.oldEnvelopedSignature	true	Use only if we are setting the com.ibm.wsspi.wssecurity.dsig.enableEnvelopedSignatureProperty JVM custom property to true. See the topic JVM custom properties for a description of when we might want to use this JVM custom property.
com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerFormat	urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName	Value for the Format attribute of the Issuer element in the SAML token. To add the Format attribute to the Issuer element, specify this property.
com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerURI	http://www.websphere.ibm.com/SAML/SelfIssuer	The URI of the issuer.
com.ibm.wsspi.wssecurity.saml.config.issuer.TimeToLiveMilliseconds	3600000	Amount of time before expiration of the token. Set the NotOnOrAfter attributes in the token. NotOnOrAfter is set to (currentTime)+TimeToLive+(currentClockSkew).
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreRef	name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode	A reference to a managed keystore in security.xml containing the signing key.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePath	app_server_root/etc/ws-security/samples/dsig-receiver.ks	The location of the keystore file containing the signing key. We must modify this value from the default value to match the path location for our system.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStoreType	JKS	The keystore type.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyStorePassword	password	The password of the keystore file (the password must be XOR encoded). See encoding passwords in files.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyAlias	soapprovider	The alias of the signing private key as defined in the keystore.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyName	CN=SOAPProvider, OU=TRL, O=IBM, ST=Kanagawa, C=JP	The name of the signing private key as defined in the keystore file. This name is for reference and is not evaluated by the runtime.
com.ibm.wsspi.wssecurity.saml.config.issuer.KeyPassword	password	The password of the private key as defined in the keystore file (the password must be XOR encoded).
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreRef	name=myTrustStoreRef managementScope=(cell):myCell:(node):myNode	A reference to a managed keystore in security.xml containing the encrypting certificate.
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePath	app_server_root/etc/ws-security/samples/dsig-receiver.ks	The location of the store file containing the encrypting certificate. We must modify this value from the default value to match the path location for our system.
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStoreType	JKS	The store type of the store file containing the encrypting certificate.
com.ibm.wsspi.wssecurity.saml.config.issuer.TrustStorePassword	password	The password for the store file containing the encrypting certificate.
com.ibm.wsspi.wssecurity.saml.config.issuer.AttributeProvider	com.mycompany.SAML.AttributeProviderImpl	Implementation class of attribute provider. The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.Saml11AttributeCallback or com.ibm.websphere.wssecurity.callbackhandler.Saml20AttributeCallback callback object, then update the SAMLAttribute list received from the getSAMLAttributes method invoked from that object. For more information, please refer to Adding attributes to self-issued SAML tokens using the API.
com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptingAlias	soaprecipient	The entry in the store file provided on the TrustStore property containing the public certificate that will be used to encrypt the SAML token. When generating a self-issued token with APIs, an alias set on the RequesterConfig using the setKeyAliasForAppliesTo method will take precedence over the value supplied for this property.
com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptSAML	true	Set to true to generate an encrypted SAML token. The default value for this property is false. When generating a self-issued token with APIs, we can also indicate to encrypt the SAML token using the setEncryptSAML(true) method on the RequesterConfig object. The SAML token will be encrypted if either setEncryptSAML=true on the RequesterConfig object or the EncryptSAML custom property is set to true.
com.ibm.wsspi.wssecurity.saml.config.issuer.NameIDProvider	com.mycompany.SAML.NameIDProviderImpl	Implementation class of name ID provider. The class must implement javax.security.auth.callback.CallbackHandler. The class should receive the com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback callback object, then call the setSAMLNameID method on that object to update the NameID. For more information, please refer to Customizing the NameID for self-issued SAML tokens using the API.
com.ibm.wsspi.wssecurity.saml.config.issuer.UseSha2ForSignature	true	Set to true to use the SHA-2 signature algorithm, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, when signing the SAML token.

Name	Values	Description
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheEntries	The default is 1000.	The maximum number of STS service instance cache entries that can be maintained.
com.ibm.wsspi.wssecurity.trust.client.TrustServiceCacheTimeout	The default is 60 minutes.	The length of time, in minutes, an STS service instance can be kept in a client side cache.
keyType	The following keyTypes can be specified for WS-Trust 1.2: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey The following keyTypes can be specified for WS-Trust 1.3: http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey ttp://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer	The keyType to use when making a WS-Trust request to STS.
wstrustActAsRequired	Valid values are true and false.The default is false.	Set to true when a SAML token is to be inserted into an STS request in the ActAs element. The SAML token must exist on the current runAs Subject or on the JAAS login shared state object. A token in the JAAS login shared state takes precedence over one in the runAs subject. If both onBehalfOfRequired and actAsRequired are set to true, only the OnBehalfOf element will be inserted into the STS request. See Generating and consuming SAML tokens using stacked JAAS login modules.
wstrustActAsTokenType	Valid values are http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 and http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0. The default is the type of the token being generated with the SAML generator callback handler.	Set to the token type of the SAML token to insert into the message in the ActAs element in the STS request.
wstrustActAsReIssue	Valid values are true and false.The default is false.	Set to true to insert a SAML token into the ActAsReIssue element that is in the STS request, or a SAML token from the runAs subject that is re-issued with signature and encryption settings in the SAML generator callback handler. A SAML token obtained from the JAAS login shared state object cannot be re-issued.
wstrustClientBinding	No default value.	A binding name for the WS-trust client.
wstrustClientBindingScope	No default value.	The binding scope for the policy set that is attached to the WS-Trust client.
wstrustClientCollectionRequest	True or false. The default is false which means that a RequestSecurityToken is used instead of a RequestSecurityTokenCollection.	Specify whether a RequestSecurityTokenCollection is required in a WS-Trust request.
wstrustClientOnBehalfOfCallbackHandle	No default value. Example value: com.acme.myOnBehalfOfCallbackHandler	Specify a custom callback handler to obtain the XML for the OnBehalfOf element for the trust request. This option is used when the OnBehalfOf setting is not static for the configuration and must change on a per-request basis. The custom callback handler will use a com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback and must do the following to pass the XML string back to the runtime: Map wssContext = ((PropertyCallback)callback).getProperties(); wssContext.put("wstrustClientOnBehalfOf", xmlString); The wssContext that is obtained from the PropertyCallback can be used with methods in the com.ibm.websphere.wssecurity.wssapi.WSSUtilFactory class if the custom callback handler needs access to the MessageContext, HTTP headers, and so on. If the OnBehalfOf setting is static for the configuration, instead of using wstrustClientOnBehalfOfCallbackHandler, set the wstrustClientOnBehalfOf property to the desired XML in the callback handler custom properties.
wstrustClientPolicy	No default value.	The policy set name for a WS-Trust client.
wstrustClientSoapVersion	Valid values are 1.1 and 1.2. If no value is specified, the SOAP version defaults to SOAP version that the application client is using.	The SOAP version in a WS-Trust request.
wstrustClientWSTNamespace	The default is trust13. Valid values are trust12 and trust13.	The WS-Trust namespace for a WS-Trust request.
wstrustOnBehalfOfRequired	Valid values are true and false. The default is false.	Set to true when a SAML token is to be inserted into an STS request in the OnBehalfOf element. The SAML token must exist on the current runAs Subject or on the JAAS login shared state object. A token in the JAAS login shared state takes precedence over one in the runAs subject. See Generate and consume SAML tokens using stacked JAAS login modules
wstrustOnBehalfOfTokenType	Valid values are http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 and http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0. The default is the type of the token being generated with the SAML generator callback handler.	Set to the token type of the SAML token to insert into the message in the OnBehalfOf element in the STS request.
wstrustOnBehalfOfReIssue	Valid values are true and false.The default is false.	Set to true to insert a SAML token into the OnBehalfOf element in the STS request a SAML token from the runAs subject that is re-issued with signature and encryption settings in the SAML generator callback handler. A SAML token obtained from the JAAS login shared state object cannot be re-issued.