Sun OpenSSO Enterprise 8.0 Administration Reference

Security Token Service

The attributes contained in this service define the dynamic configuration for the OpenSSO Enterprise Security Token Service (STS). These attributes define the following configuration:

Issuer

The name of the Security Token service that issues the security tokens.

End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts

This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.

Encryption Issued Key

When enabled, this attribute encrypts the key issued by the Security Token service.

Encryption Issued Token

When enabled, this attribute encrypts the security token issued by the Security Token service.

Lifetime for Security Token

Defines the amount of time for which the issued token is valid.

Token Implementation Class

This attribute specifies the implementation class for the security token provider/issuer.

Certificate Alias Name

Defines the alias name for the certificate used to sign the security token issued by the Security Token service.

STS End User Token Plug-in Class

Defines the implementation class for the end user token conversion.

Security Mechanism

Defines the type of security credential used to secure the security token itself, or the security credential that the Security Token service accepts from the incoming WS-Trust request sent by the client. You can choose from the following security types:

Authentication Chain

Defines the authentication chain or service name used to authenticate to the OpenSSO Enterprise authentication service with the credentials carried in an incoming issuer request's security token, in order to generate OpenSSO Enterprise's authenticated security token.

User Credential

This attribute represents the username/password shared secrets used by the Security Token service to validate a UserName token sent by the client as part of the incoming WS-Trust request.

Is Request Signature Verified

Specifies that the Security Token service must verify the signature of the incoming WS-Trust request.

Is Request Header Decrypted

Specifies that all request headers received by the Security Token Service must be decrypted.

Is Request Decrypted

Specifies that all requests received by the Security Token Service must be decrypted.

Is Response Signed

Specifies that all responses received by the Security Token Service must be signed.

Is Response Encrypted

Specifies that all responses sent by the Security Token service must be encrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the WS-Trust response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used by the Security Token service to encrypt the WS-Trust response.

Encryption Strength

Sets the encryption strength used by the Security Token service to encrypt the WS-Trust response. Select a greater value for greater encryption strength.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the WS-Trust response or to decrypt the incoming WS-Trust request.

Private Key Type

This attribute defines the certificate private key type used for signing WS-Trust responses or decrypting WS-Trust requests. The possible types are PublicKey, SymmetricKey, or NoProofKey.

Public Key Alias of Web Service (WS-Trust) Client

Defines the public certificate key alias used to verify the signature of the incoming WS-Trust request or to encrypt the WS-Trust response.

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending upon your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the Kerberos principal that is the owner of the generated security token.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. The Kerberos server's domain may differ from the domain name of the OpenSSO Enterprise instance.

Kerberos Key Tab File

This attribute specifies the Kerberos keytab file used for issuing the token. The following naming format is recommended but not required:

hostname.HTTP.keytab

hostname is the hostname of the OpenSSO Enterprise instance.
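The End Point template above and the Kerberos service principal and keytab naming formats are shown together in this added example (it is not OpenSSO's own code). The session-parameter names, the hostname/domain split in the principal check, and the sample values are assumptions made for illustration.

```python
"""Resolves the STS End Point template and builds/checks the Kerberos
service principal and keytab names described in this reference.
Added illustration, not OpenSSO Enterprise code; names are assumptions."""
import re

# Template exactly as given in the End Point attribute description.
ENDPOINT_TEMPLATE = "%protocol://%host:%port%uri/sts"
_PLACEHOLDER = re.compile(r"%(protocol|host|port|uri)")
# HTTP/hostname.domainname@dc_domain_name (split at the first dot is an assumption).
_SPN = re.compile(
    r"^HTTP/(?P<hostname>[A-Za-z0-9-]+)\.(?P<domainname>[A-Za-z0-9.-]+)"
    r"@(?P<dc_domain_name>[A-Za-z0-9.-]+)$"
)


def resolve_endpoint(session, template=ENDPOINT_TEMPLATE):
    """Substitute session parameters into the template.  Every placeholder
    must resolve; a missing one raises rather than leaking a literal '%host'
    into the advertised endpoint URL."""
    def substitute(match):
        key = match.group(1)
        if key not in session:
            raise KeyError(f"session parameter missing for %{key}")
        return str(session[key])
    return _PLACEHOLDER.sub(substitute, template)


def kerberos_service_principal(hostname, domainname, dc_domain_name):
    """Build HTTP/hostname.domainname@dc_domain_name; the realm (dc_domain_name)
    may legitimately differ from the OpenSSO instance's own domain."""
    return f"HTTP/{hostname}.{domainname}@{dc_domain_name}"


def parse_service_principal(spn):
    """Split a principal back into its parts, rejecting anything that does not
    follow the HTTP/host.domain@REALM shape expected by the STS."""
    match = _SPN.match(spn)
    if not match:
        raise ValueError(f"not an STS service principal: {spn!r}")
    return match.groupdict()


def keytab_file_name(hostname):
    """Recommended (not required) keytab name: hostname.HTTP.keytab."""
    return f"{hostname}.HTTP.keytab"
```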

Verify Kerberos Signature

If enabled, this attribute specifies that the Kerberos token is signed.

SAML Attribute Mapping

Note – All of the following SAML-related attributes apply to the configuration in which the current instance of the Security Token service serves as the web service provider and receives a SAML token generated by another Security Token service instance.

This configuration represents a SAML attribute that must be generated as an Attribute Statement when the Security Token Service creates a SAML assertion for a web service provider. The format is SAML_attr_name=Real_attr_name.

SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.

NameID Mapper

The SAML NameID Mapper for an assertion that is generated for the Security Token service.

Should Include Memberships

When enabled, the generated assertion contains user memberships as SAML attributes.

Attribute Namespace

Defines the SAML Attribute Namespace for an assertion that is generated for the Security Token service.

Trusted Issuers

Defines a list of issuers trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify that the security token was sent by one of these issuers.

Trusted IP Addresses

Defines a list of IP addresses trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify that the security token was sent from one of these hosts.
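The following added example (not OpenSSO's own code) models how the Trusted Issuers and Trusted IP Addresses checks, the SAML_attr_name=Real_attr_name mapping, and the Should Include Memberships setting fit together when an assertion's attribute statement is built. The data structures, the "SSOToken first, identity repository second" lookup order, and all sample values are assumptions for illustration.

```python
"""Trust gate plus SAML attribute mapping for an STS acting as the web
service provider.  Added illustration, not OpenSSO Enterprise code."""
from dataclasses import dataclass


@dataclass
class StsConfig:
    trusted_issuers: set          # Trusted Issuers attribute
    trusted_ips: set              # Trusted IP Addresses attribute
    attribute_mapping: list       # entries of the form SAML_attr_name=Real_attr_name
    include_memberships: bool = False  # Should Include Memberships


def parse_attribute_mapping(entries):
    """Turn 'SAML_attr_name=Real_attr_name' entries into a dict; a malformed
    entry is a configuration error, not something to silently skip."""
    mapping = {}
    for entry in entries:
        saml_name, sep, real_name = entry.partition("=")
        if not sep or not saml_name.strip() or not real_name.strip():
            raise ValueError(f"malformed SAML attribute mapping entry: {entry!r}")
        mapping[saml_name.strip()] = real_name.strip()
    return mapping


def build_attribute_statement(issuer, source_ip, cfg, sso_token_props,
                              id_repo_attrs, memberships=()):
    """Reject tokens from untrusted issuers or hosts, then resolve each mapped
    attribute from the authenticated SSOToken first and the identity
    repository second (lookup order is an assumption)."""
    if issuer not in cfg.trusted_issuers:
        raise PermissionError(f"untrusted issuer: {issuer}")
    if source_ip not in cfg.trusted_ips:
        raise PermissionError(f"untrusted source address: {source_ip}")
    statement = {}
    for saml_name, real_name in parse_attribute_mapping(cfg.attribute_mapping).items():
        if real_name in sso_token_props:
            statement[saml_name] = sso_token_props[real_name]
        elif real_name in id_repo_attrs:
            statement[saml_name] = id_repo_attrs[real_name]
        # An attribute found in neither source is simply not asserted.
    if cfg.include_memberships and memberships:
        statement["memberships"] = list(memberships)
    return statement
```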