The attributes contained in this service define the dynamic configuration for the OpenSSO Enterprise Security Token Service (STS). These attributes define the following configuration:
Issuing and creating security tokens
Web services security for the STS itself, which secures the STS service endpoints. The Signing and Encryption attributes configure the service provider's validation of incoming WS-Trust requests and the securing of outgoing WS-Trust responses. The Security Mechanism attribute defines the security credential of the security tokens.
SAML configuration to request SAML attribute mapping in the security token (through a SAML assertion) when the configured STS is specified as a web service provider and receives a SAML token (assertion) generated by a remote STS.
Security token validation received from a web service provider when the token was generated by a remote STS.
You can create dynamic configuration profiles for different OpenSSO Enterprise web services security providers in the Centralized Agent Configuration under the Realms tab.
The name of the Security Token service that issues the security tokens.
This field takes a value equal to:
%protocol://%host:%port%uri/sts
This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.
When enabled, this attribute encrypts the key issued by the Security Token service.
When enabled, this attribute encrypts the security token issued by the Security Token service.
Defines the amount of time for which the issued token is valid.
This attribute specifies the implementation class for the security token provider/issuer.
Defines the alias name for the certificate used to sign the security token issued by the Security Token service.
Defines the implementation class for the end user token conversion.
Defines the type of security credential that is used to secure the security token itself, or the security credential accepted by the Security Token service from the incoming WS-Trust request sent by the client. You can choose from the following security types:
Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos tokens.
LibertyBearerToken — Uses the Liberty-defined bearer token.
LibertySAMLToken — Uses the Liberty-defined SAML token.
LibertyX509Token — Uses the Liberty-defined X509 certificate.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2-HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2-SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
UserNameToken — Uses a user name token to secure the Security Token service requests.
UserNameToken-Plain — Uses a user name token with a clear text password for securing Security Token service requests.
X509Token — Uses the X509 certificate to secure the Security token.
Defines the authentication chain or service name used to authenticate against the OpenSSO Enterprise authentication service with the credentials carried in the security token of an incoming issue request, in order to generate an OpenSSO Enterprise authenticated security token.
This attribute defines the username/password shared secrets that the Security Token service uses to validate a UserName token sent by the client as part of the incoming WS-Trust request.
Specifies that the Security Token service must verify the signature of the incoming WS-Trust request.
Specifies that all request headers received by the Security Token Service must be decrypted.
Specifies that all requests received by the Security Token Service must be decrypted.
Specifies that all responses sent by the Security Token Service must be signed.
Specifies that all responses sent by the Security Token service must be encrypted.
Defines the reference types used when the Security Token service signs the WS-Trust response. The possible reference types are DirectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used by the Security Token service to encrypt the WS-Trust response.
Sets the encryption strength used by the Security Token service to encrypt the WS-Trust response. Select a greater value for greater encryption strength.
This attribute defines the private certificate key alias that is used to sign the WS-Trust response or to decrypt the incoming WS-Trust request.
This attribute defines the certificate private key type used for signing WS-Trust responses or decrypting WS-Trust requests. The possible types are PublicKey, SymmetricKey, or NoProofKey.
Defines the public certificate key alias used to verify the signature of the incoming WS-Trust request or to encrypt the WS-Trust response.
This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), that is, the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the domain name of the Kerberos Key Distribution Center (domain controller). Depending on your configuration, the domain name of the domain controller may be different from the OpenSSO Enterprise domain name.
Specifies the Kerberos principal as the owner of the generated Security token.
Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. The Kerberos domain may be different from the domain name of the OpenSSO Enterprise instance.
This attribute specifies the Kerberos keytab file that is used for issuing the token. Use the following format, although the format is not required:
hostname.HTTP.keytab
hostname is the hostname of the OpenSSO Enterprise instance.
If enabled, this attribute specifies that the Kerberos token is signed.
All of the following SAML-related attributes are used in the configuration where the current instance of the Security Token service acts as the web service provider and receives a SAML token generated by another Security Token service instance.
This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.
SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.
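The mapping format above can be worked through in code. The following is an added example, not OpenSSO Enterprise code: it parses SAML_attr_name=Real_attr_name entries as they would appear in the profile and resolves each Real_attr_name from the authenticated SSOToken or the identity repository, both represented here by plain dicts of constructed sample data. The lookup order (SSOToken first, then repository), the function names and the sample values are assumptions of the example, not behaviour stated on the page.

```python
"""Apply the SAML_attr_name=Real_attr_name mapping format to a user's attributes.

Added illustration, not OpenSSO Enterprise code. The authenticated SSOToken
and the identity repository are represented by plain dicts (constructed
sample data below); the lookup order, SSOToken first and repository second,
is an assumption of this example.
"""
from typing import Dict, Iterable, List, Mapping, Sequence, Tuple, Union

AttrValues = Union[str, Sequence[str]]


def parse_attribute_map(entries: Iterable[str]) -> Dict[str, str]:
    """Parse configured 'SAML_attr_name=Real_attr_name' entries.

    Malformed entries (no '=', more than one '=', an empty side) are rejected
    with ValueError rather than skipped, so a typo in the profile cannot
    silently drop or mis-map an attribute. Duplicate SAML names are rejected
    too, since one SAML attribute cannot carry two source attributes.
    """
    mapping: Dict[str, str] = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if entry.count("=") != 1:
            raise ValueError(f"malformed mapping entry: {raw!r}")
        saml_name, real_name = (part.strip() for part in entry.split("=", 1))
        if not saml_name or not real_name:
            raise ValueError(f"malformed mapping entry: {raw!r}")
        if saml_name in mapping:
            raise ValueError(f"duplicate SAML attribute name: {saml_name!r}")
        mapping[saml_name] = real_name
    return mapping


def build_attribute_statement(
    mapping: Mapping[str, str],
    sso_token_attrs: Mapping[str, AttrValues],
    repo_attrs: Mapping[str, AttrValues],
) -> List[Tuple[str, List[str]]]:
    """Resolve each Real_attr_name and return (SAML_attr_name, values) pairs.

    An attribute that exists in neither source is omitted from the statement
    instead of being emitted with an empty value.
    """
    statement: List[Tuple[str, List[str]]] = []
    for saml_name, real_name in mapping.items():
        if real_name in sso_token_attrs:
            values = sso_token_attrs[real_name]
        elif real_name in repo_attrs:
            values = repo_attrs[real_name]
        else:
            continue
        if isinstance(values, str):
            values = [values]
        statement.append((saml_name, list(values)))
    return statement


# Constructed sample profile and user data (not from any real deployment).
MAPPING_CONFIG = ["email=mail", "displayName=cn", "groups=memberOf", "phone=telephoneNumber"]
SAMPLE_SSO_TOKEN_ATTRS = {"mail": "alice@example.test"}
SAMPLE_REPO_ATTRS = {
    "cn": "Alice Example",
    "memberOf": [
        "cn=staff,ou=groups,dc=example,dc=test",
        "cn=sts-users,ou=groups,dc=example,dc=test",
    ],
}


def sample_statement() -> List[Tuple[str, List[str]]]:
    """Run the mapping over the constructed sample data."""
    return build_attribute_statement(
        parse_attribute_map(MAPPING_CONFIG), SAMPLE_SSO_TOKEN_ATTRS, SAMPLE_REPO_ATTRS
    )


if __name__ == "__main__":
    for name, values in sample_statement():
        print(f"<Attribute Name={name!r}> {values}")
```

Rejecting malformed entries at parse time rather than skipping them is the safer choice for an attribute statement that a relying web service will act on: a silently dropped mapping changes what the consumer sees without any error being logged.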
The SAML NameID Mapper for an assertion that is generated for the Security Token service.
When enabled, the generated assertion contains user memberships as SAML attributes.
Defines the SAML Attribute Namespace for an assertion that is generated for the Security Token service.
Defines a list of issuers that are trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the security token was sent from one of these issuers.
Defines a list of IP addresses that can be trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the security token was sent from one of these hosts.
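The two trust lists above (trusted issuers and trusted IP addresses) are both checks that a received token must pass. The following added example, which is not OpenSSO Enterprise code, shows the check as a defender would write it: configured values are normalized once at load time, both checks must pass, and the source address is taken from the transport peer. The policy object, function names and sample values are constructed for this example; it also goes slightly beyond the page in accepting CIDR entries as well as single addresses.

```python
"""Check a security token's issuer and source host against the trust lists.

Added illustration, not OpenSSO Enterprise code. The trusted-issuer and
trusted-IP lists are the two attributes described above; the policy object,
function names and sample values are constructed for this example. It goes
slightly beyond the page: entries in CIDR form (e.g. 192.0.2.0/24) are
accepted as well as single addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class TrustPolicy:
    trusted_issuers: FrozenSet[str]
    trusted_hosts: Tuple[IPNetwork, ...]


def make_policy(issuers: Iterable[str], hosts: Iterable[str]) -> TrustPolicy:
    """Normalize configured values once, at load time.

    Addresses are parsed here so a malformed entry fails the configuration
    instead of silently never matching at request time; a bare address
    becomes a /32 or /128 network.
    """
    issuer_set = frozenset(i.strip() for i in issuers if i.strip())
    networks = tuple(
        ipaddress.ip_network(h.strip(), strict=False) for h in hosts if h.strip()
    )
    return TrustPolicy(issuer_set, networks)


def check_token_source(
    policy: TrustPolicy, issuer: Optional[str], source_ip: str
) -> Optional[str]:
    """Return None when the token may be accepted, else the rejection reason.

    Both checks must pass: a trusted issuer name inside a token that arrived
    from an unlisted host is rejected, and so is a listed host presenting a
    token from an unlisted issuer. source_ip must be the transport-layer peer
    address, not a value taken from a request header.
    """
    if not issuer or issuer.strip() not in policy.trusted_issuers:
        return f"untrusted issuer: {issuer!r}"
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return f"unparseable source address: {source_ip!r}"
    # Address/network version mismatches simply fail to match.
    if not any(addr in net for net in policy.trusted_hosts):
        return f"untrusted source host: {addr}"
    return None


# Constructed sample configuration (placeholder values, not a real deployment).
SAMPLE_POLICY = make_policy(
    issuers=["https://sts.partner.example/sts"],
    hosts=["192.0.2.10", "2001:db8::5", "198.51.100.0/24"],
)

if __name__ == "__main__":
    for issuer, ip in [
        ("https://sts.partner.example/sts", "192.0.2.10"),
        ("https://sts.partner.example/sts", "192.0.2.11"),
        ("https://rogue.example/sts", "192.0.2.10"),
    ]:
        verdict = check_token_source(SAMPLE_POLICY, issuer, ip) or "accepted"
        print(issuer, ip, "->", verdict)
```

Returning the rejection reason rather than a bare boolean gives the audit log something useful: an unexpected issuer name and an unexpected source host point at different misconfigurations or different kinds of misuse, and a detection rule can alert on each separately.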