Sun OpenSSO Enterprise 8.0 Administration Reference

Security Token Service Agent Attributes

A Security Token Service (STS) is a web service that issues and manages security tokens. That is, it makes security statements, or claims, often (although not necessarily) in encrypted form. It bases these statements on evidence that it can verify directly, or on security tokens issued by authorities that it trusts. To assert trust, a service can prove its right to assert a set of claims by presenting a security token, or set of security tokens, issued by an STS, or it can issue a security token carrying its own trust statement (for some security token formats this is simply a re-issuance or co-signature). This forms the basis of trust brokering.

General

The following General attributes define basic Security Token service properties:

Group

The Group mechanism allows you to define a collection of agents of the same type. The group must exist before an agent can be added to it.

Password

Defines the password for the Security Token service agent.

Password Confirm

Confirm the password.

Status

Defines whether the agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.

WS-Trust Version

Specifies the version of WS-Trust to use, either 1.0 or 1.3.

Universal Identifier

Lists the basic LDAP properties that uniquely identify the Security Token service agent.

Security

The following attributes define Security Token service security attributes:

Security Mechanism

Defines the type of security credential that is used to secure the STS request. You can choose one of the following security credential types:

STS Configuration

This attribute is enabled when the Security Token service agent uses Security Token service (STS) as the Security Mechanism. This configuration describes a list of STS agent profiles that are used to communicate with and secure the requests to the STS service.

Preserve Security Headers in Message

When enabled, the Security Token service agent preserves the SOAP security headers in the message so that they remain available for further processing.

Credential for User Token

This attribute holds the username and password shared secret that the Security Token service agent uses to generate a Username security token.

Signing and Encryption

The following attributes define signing and encryption configuration for the Security Token service:

Is Request signed

When enabled, the Security Token service agent signs the request using a given token type.

Is Request Header Encrypted

When enabled, the security header of the request sent by the Security Token service agent is encrypted.

Is Request Encrypted

When enabled, the Security Token service request will be encrypted.

Is Response Signature Verified

When enabled, the Security Token service response signature is verified.

Is Response Decrypted

When enabled, the Security Token service response will be decrypted.

Signing Reference Type

Defines the reference type used when the Security Token service signs the WSC response, that is, how the signature's KeyInfo refers to the signing certificate. The possible reference types are DirectReference (the certificate is carried in the security header as a BinarySecurityToken and referenced by its wsu:Id), KeyIdentifier (the certificate is identified by its SubjectKeyIdentifier), and X509 (the certificate is identified by issuer name and serial number).
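As an added example, not taken from the OpenSSO product or its documentation, the following Python builds the ds:KeyInfo shape that each Signing Reference Type value produces on the wire and classifies a received KeyInfo. This is what you want when a partner's verification fails on the reference form rather than on the signature value itself. The certificate bytes, SubjectKeyIdentifier, issuer name and serial number are constructed sample data; the namespace URIs are the WS-Security 1.0 and XML-DSig ones.

```python
"""Build and recognise the three WS-Security signing reference types.

Added example, not OpenSSO code. All key material below is constructed.
"""
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
SOAP_SEC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
X509V3 = X509_PROFILE + "#X509v3"
SKI_TYPE = X509_PROFILE + "#X509SubjectKeyIdentifier"
BASE64 = SOAP_SEC + "#Base64Binary"

# Constructed sample key material (assumption: not a real certificate or SKI).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-cert-bytes"
SAMPLE_SKI = bytes(range(20))  # a SubjectKeyIdentifier is normally 20 bytes (SHA-1)
SAMPLE_ISSUER = "CN=Example Issuing CA,O=Example,C=US"
SAMPLE_SERIAL = "123456789"


def qn(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def b64(data):
    return base64.b64encode(data).decode("ascii")


def build_key_info(ref_type):
    """Return a ds:KeyInfo element carrying the given reference type.

    DirectReference: wsse:Reference URI="#..." pointing at a BinarySecurityToken
    in the same security header (see build_binary_security_token).
    KeyIdentifier:   the certificate's SubjectKeyIdentifier, base64 encoded.
    X509:            ds:X509IssuerSerial, i.e. issuer name plus serial number.
    """
    key_info = ET.Element(qn(DS, "KeyInfo"))
    str_el = ET.SubElement(key_info, qn(WSSE, "SecurityTokenReference"))
    if ref_type == "DirectReference":
        ref = ET.SubElement(str_el, qn(WSSE, "Reference"))
        ref.set("URI", "#X509Token")
        ref.set("ValueType", X509V3)
    elif ref_type == "KeyIdentifier":
        kid = ET.SubElement(str_el, qn(WSSE, "KeyIdentifier"))
        kid.set("EncodingType", BASE64)
        kid.set("ValueType", SKI_TYPE)
        kid.text = b64(SAMPLE_SKI)
    elif ref_type == "X509":
        x509_data = ET.SubElement(str_el, qn(DS, "X509Data"))
        issuer_serial = ET.SubElement(x509_data, qn(DS, "X509IssuerSerial"))
        ET.SubElement(issuer_serial, qn(DS, "X509IssuerName")).text = SAMPLE_ISSUER
        ET.SubElement(issuer_serial, qn(DS, "X509SerialNumber")).text = SAMPLE_SERIAL
    else:
        raise ValueError("unknown reference type: %r" % ref_type)
    return key_info


def build_binary_security_token():
    """The wsse:BinarySecurityToken that a DirectReference points at."""
    bst = ET.Element(qn(WSSE, "BinarySecurityToken"))
    bst.set(qn(WSU, "Id"), "X509Token")
    bst.set("EncodingType", BASE64)
    bst.set("ValueType", X509V3)
    bst.text = b64(SAMPLE_CERT_DER)
    return bst


def detect_reference_type(key_info_xml):
    """Classify a received ds:KeyInfo; 'unknown' if none of the three shapes match."""
    root = ET.fromstring(key_info_xml)
    ns = {"wsse": WSSE, "ds": DS}
    if root.find("wsse:SecurityTokenReference/wsse:Reference", ns) is not None:
        return "DirectReference"
    kid = root.find("wsse:SecurityTokenReference/wsse:KeyIdentifier", ns)
    if kid is not None and kid.get("ValueType") == SKI_TYPE:
        return "KeyIdentifier"
    if root.find("wsse:SecurityTokenReference/ds:X509Data/ds:X509IssuerSerial", ns) is not None:
        return "X509"
    return "unknown"


def roundtrip(ref_type):
    """Serialize the KeyInfo for ref_type and classify it again."""
    return detect_reference_type(ET.tostring(build_key_info(ref_type)))


if __name__ == "__main__":
    for kind in ("DirectReference", "KeyIdentifier", "X509"):
        print(kind, ET.tostring(build_key_info(kind)).decode("ascii"))
```

The DirectReference form only verifies if the receiver resolves the `#X509Token` URI to a BinarySecurityToken in the same header, which is why it is the most self-contained of the three; KeyIdentifier and X509 both require the receiver to already hold the certificate in its keystore under the matching alias.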

Encryption Algorithm

Defines the encryption algorithm used to encrypt the response.

Encryption Strength

Sets the encryption strength to encrypt the response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Provider

This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

End Points

The following attributes define web service endpoints:

Security Token Service End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts

The %protocol, %host, %port and %uri placeholders are replaced at run time with the protocol, host name, port and deployment URI of the OpenSSO Enterprise server, so the Security Token Service Endpoint URL is derived dynamically rather than hard-coded.

Security Token Service MEX End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts/mex

The %protocol, %host, %port and %uri placeholders are replaced at run time with the protocol, host name, port and deployment URI of the OpenSSO Enterprise server, so the Security Token Service MEX Endpoint URL is derived dynamically rather than hard-coded.
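As an added example (not part of the OpenSSO product or documentation), the following Python resolves both endpoint templates above against a set of server values and applies the checks worth making before saving the agent profile: that every placeholder was substituted, that the endpoint uses HTTPS (the STS request can carry the Username token shared secret), that the host is fully qualified, and that the path ends in the expected /sts or /sts/mex suffix. The server values are constructed sample data and the checks are the editor's, not OpenSSO's.

```python
"""Resolve and sanity-check the OpenSSO STS and MEX endpoint templates.

Added example, not OpenSSO code. Placeholder names are the ones on the page;
SERVER holds constructed sample values for an OpenSSO Enterprise instance.
"""
from urllib.parse import urlsplit

STS_TEMPLATE = "%protocol://%host:%port%uri/sts"
MEX_TEMPLATE = "%protocol://%host:%port%uri/sts/mex"

# Constructed sample server values (assumption).
SERVER = {"protocol": "https", "host": "sso.example.com", "port": "443", "uri": "/opensso"}


def resolve_endpoint(template, server):
    """Substitute %protocol, %host, %port and %uri with the server's values."""
    url = template
    for name in ("protocol", "host", "port", "uri"):
        url = url.replace("%" + name, server[name])
    return url


def check_endpoint(url, expected_path_suffix):
    """Return the problems found with a resolved endpoint URL (empty list if none)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        # The STS request may carry a UsernameToken (Credential for User Token);
        # without TLS that shared secret crosses the wire in the clear.
        problems.append("scheme is %r, expected https" % parts.scheme)
    if "%" in url:
        # Heuristic: a leftover %name placeholder means a server value was missing.
        problems.append("unresolved placeholder left in URL")
    if not parts.hostname or "." not in parts.hostname:
        problems.append("host %r is not a fully qualified name" % parts.hostname)
    if not parts.path.endswith(expected_path_suffix):
        problems.append("path %r does not end with %r" % (parts.path, expected_path_suffix))
    return problems


def check_agent_endpoints(server):
    """Resolve both templates and return {url: problems} for the agent profile."""
    sts = resolve_endpoint(STS_TEMPLATE, server)
    mex = resolve_endpoint(MEX_TEMPLATE, server)
    return {sts: check_endpoint(sts, "/sts"), mex: check_endpoint(mex, "/sts/mex")}


if __name__ == "__main__":
    for url, problems in check_agent_endpoints(SERVER).items():
        print(url, "OK" if not problems else problems)
```

Run against a server whose protocol is http, the only finding is the scheme warning; that is the case to treat as a blocker when the agent is configured with a Username security mechanism.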

Kerberos Configuration

Kerberos is a security profile supported by web services security to secure communication between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and then invokes a web service through a web service client. The client needs a Kerberos ticket to secure the request to the web service provider, identifying the user's principal by means of a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), whereas SAML-based web services security is typically used across realm or organizational boundaries. Kerberos is, however, one of the strongest authentication mechanisms available, especially in a Windows domain controller environment.

Kerberos Domain Server

This attribute specifies the host name of the Kerberos Key Distribution Center (KDC), which in a Windows environment is the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos domain (realm) served by the Key Distribution Center (KDC). Depending on your configuration, the Kerberos domain of the domain controller may differ from the DNS domain of the OpenSSO Enterprise instance.

Kerberos Service Principal

Specifies the Security Token Service principal registered with the KDC.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname are the host name and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain (realm) in which the Windows Kerberos server (domain controller) resides; it may differ from the DNS domain of the OpenSSO Enterprise instance.

Kerberos Ticket Cache Directory

Specifies the directory holding the Kerberos TGT (Ticket Granting Ticket) cache. When the user authenticates to the desktop, or obtains a TGT from the KDC with the kinit command, the TGT is stored in the local ticket cache in this directory.
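As an added example, not from the OpenSSO product or documentation, the following Python builds the service principal in the HTTP/hostname.domainname@dc_domain_name form given above and cross-checks the four Kerberos attributes of an agent profile for the inconsistencies that most often break Kerberos web services security: a KDC host that is not fully qualified, a realm whose case does not match (realm names are case sensitive, and Active Directory realms are upper case by convention), a principal whose realm differs from the configured Kerberos Domain or whose host is the domain controller rather than the OpenSSO Enterprise host, and a relative ticket cache path. All host and realm names are constructed sample data; the checks are the editor's, not OpenSSO's.

```python
"""Build and cross-check the Kerberos attributes of an STS agent profile.

Added example, not OpenSSO code. Sample hosts and realms are constructed.
"""
import re

# One or more dot-separated DNS labels, e.g. dc1.corp.example.com
FQDN_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)
# service/host@REALM with exactly one '/' and one '@'
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")
WINDOWS_ABS_RE = re.compile(r"^[A-Za-z]:\\")


def build_service_principal(opensso_hostname, opensso_domain, kerberos_realm):
    """Return HTTP/hostname.domainname@dc_domain_name.

    The host part is lower-cased (DNS names are case insensitive); the realm is
    left exactly as given because Kerberos realm names are case sensitive.
    """
    return "HTTP/%s.%s@%s" % (opensso_hostname.lower(), opensso_domain.lower(), kerberos_realm)


def check_kerberos_config(kdc_host, kerberos_domain, service_principal, ticket_cache_dir):
    """Return a list of findings; an empty list means the four values are consistent."""
    findings = []
    if not FQDN_RE.match(kdc_host):
        findings.append("Kerberos Domain Server %r is not a fully qualified domain name" % kdc_host)
    if kerberos_domain != kerberos_domain.upper():
        # Convention check: realm names are case sensitive and AD realms are upper case.
        findings.append("Kerberos Domain %r is not upper case; realm names are case sensitive"
                        % kerberos_domain)
    m = SPN_RE.match(service_principal)
    if m is None:
        findings.append("Kerberos Service Principal %r is not of the form HTTP/host@REALM"
                        % service_principal)
    else:
        if m.group("service") != "HTTP":
            findings.append("service part %r should be HTTP" % m.group("service"))
        if not FQDN_RE.match(m.group("host")):
            findings.append("principal host %r is not fully qualified" % m.group("host"))
        if m.group("realm") != kerberos_domain:
            findings.append("principal realm %r differs from Kerberos Domain %r"
                            % (m.group("realm"), kerberos_domain))
        if m.group("host").lower() == kdc_host.lower():
            findings.append("principal host is the KDC; it should be the OpenSSO Enterprise host")
    if not (ticket_cache_dir.startswith("/") or WINDOWS_ABS_RE.match(ticket_cache_dir)):
        findings.append("Kerberos Ticket Cache Directory %r is not an absolute path" % ticket_cache_dir)
    return findings


if __name__ == "__main__":
    spn = build_service_principal("sso", "example.com", "CORP.EXAMPLE.COM")
    print(spn)
    print(check_kerberos_config("dc1.corp.example.com", "CORP.EXAMPLE.COM", spn, "/tmp/krb5cc"))
    print(check_kerberos_config("dc1", "corp.example.com", "HTTP/sso.example.com@EXAMPLE.COM", "krb5cc"))
```

The realm comparison is deliberately exact: a principal registered as HTTP/sso.example.com@CORP.EXAMPLE.COM will not be found if the agent profile says corp.example.com, and the resulting KDC error is easy to misread as a keytab or DNS problem.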