44.4 Managing Partner Keys for WS-Trust Communications

The following topics describe how to manage Partner Keys for WS-Trust communications:

44.4.1 About Partner Certificates

During the processing of the WS-Trust messages, Security Token Service might need to use a partner's certificate.

Table 44-3 lists the certificate that is needed contingent upon the situation.

Table 44-3 Partner Keys for WS-Trust Communications

If Security Token Service must ... / The OAM Server ...

Issue a SAML Assertion encrypted for the Relying Party:

  Uses the Relying Party's encryption certificate to encrypt the outgoing token.

Issue a SAML Assertion with the Subject Confirmation being of type Holder of Key / Asymmetric:

  Uses the Requester Partner's signing certificate as the proof key to be included in the Assertion.

  Note: if the WS-Trust RST contains a UseKey element referencing an X.509 Binary Security Token in the SOAP header that was used in a signature, then Security Token Service will be able to use this certificate as the proof key.

Issue a SAML Assertion with the Subject Confirmation being of type Holder of Key / Symmetric:

  Uses the Relying Party's encryption certificate to encrypt the secret proof key to be included in the Assertion.

Issue a SAML Assertion with the Subject Confirmation being of type Holder of Key / Symmetric:

  Can encrypt in the RSTR for the Requester, the secret or the server entropy. In this case, the server:

  • uses the Requester's encryption certificate to encrypt the secret (if the secret was generated using only server entropy)

  • or uses the server entropy to encrypt the secret in the RSTR (if the secret was derived from client and server entropy).

  Note: if the WS-Trust RST contains a ProofEncryption element referencing an X.509 Binary Security Token in the SOAP header that was used in a signature, then Security Token Service will be able to use this certificate to encrypt the secret or entropy returned to the client.

Validate an incoming SAML Assertion:

  Uses the Issuing Authority's signing certificate to verify the XML digital signature present on the Assertion.
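The two notes in the table share one rule: a certificate carried in the RST as an X.509 Binary Security Token is only usable as proof key (UseKey) or as the key that wraps the returned secret (ProofEncryption) when that same token was used in a signature on the message, because that is what proves the requester holds the private key. The following Python resolver is an added example written for this page, not code from the Oracle documentation or from Security Token Service; the SOAP message, token values and ids (bst-1, bst-2) are constructed, the signature is a placeholder, and it is assumed that the WS-Security layer has already verified the signature before this check runs.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512"}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed RST: token bst-1 is named by the header signature, bst-2 is merely present.
SAMPLE_RST = """<s:Envelope xmlns:s="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
 xmlns:ds="%(ds)s" xmlns:wst="%(wst)s">
 <s:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="bst-1" ValueType="%(x509)s">MIIC-requester-cert-constructed</wsse:BinarySecurityToken>
  <wsse:BinarySecurityToken wsu:Id="bst-2" ValueType="%(x509)s">MIID-other-cert-constructed</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo>
   <wsse:SecurityTokenReference><wsse:Reference URI="#bst-1"/></wsse:SecurityTokenReference>
  </ds:KeyInfo></ds:Signature>
 </wsse:Security></s:Header>
 <s:Body><wst:RequestSecurityToken>
  <wst:UseKey><wsse:SecurityTokenReference><wsse:Reference URI="#bst-1"/></wsse:SecurityTokenReference></wst:UseKey>
  <wst:ProofEncryption><wsse:SecurityTokenReference><wsse:Reference URI="#bst-2"/></wsse:SecurityTokenReference></wst:ProofEncryption>
 </wst:RequestSecurityToken></s:Body></s:Envelope>""" % dict(NS, x509=X509V3)

def _referenced_id(parent):
    # Local id named by a wsse:SecurityTokenReference/wsse:Reference URI="#id" under parent, else None
    ref = parent.find("wsse:SecurityTokenReference/wsse:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    return uri[1:] if uri.startswith("#") else None

def signing_token_ids(env):
    # Ids of the tokens actually used by a ds:Signature in the WS-Security header
    keyinfos = env.findall("soap:Header/wsse:Security/ds:Signature/ds:KeyInfo", NS)
    return {tid for tid in map(_referenced_id, keyinfos) if tid}

def partner_cert_from_rst(envelope_xml, element):
    # element is "UseKey" or "ProofEncryption". Returns the base64 X.509 token it references,
    # but only if the same token signed the message (possession proven); otherwise None.
    # Assumes the signature itself was already verified by the WS-Security layer.
    env = ET.fromstring(envelope_xml)
    holder = env.find("soap:Body/wst:RequestSecurityToken/wst:" + element, NS)
    tid = _referenced_id(holder) if holder is not None else None
    if not tid or tid not in signing_token_ids(env):
        return None  # referenced but never used in a signature: do not trust it as the partner key
    for bst in env.findall("soap:Header/wsse:Security/wsse:BinarySecurityToken", NS):
        if bst.get(WSU_ID) == tid and bst.get("ValueType") == X509V3:
            return bst.text.strip()
    return None
```

With the constructed message, the UseKey reference resolves to the requester's certificate, while the ProofEncryption reference is rejected because bst-2 never signed anything.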

44.4.2 About Downloading the Relying Party's Certificate at Run Time

At runtime, Security Token Service is capable of downloading the Relying Party WSS Policy of the service listed in the AppliesTo field of the RST.

If the Relying Party Partner Profile is configured to do so, it instructs Security Token Service to download the WS-Sec Policy from the service. Security Token Service then extracts the certificate located in the policy and uses it for cryptographic operations, if necessary. When Security Token Service is configured to download the Relying Party's WS-Sec policy, ensure that the Proxy settings are correctly entered, if needed, so that Security Token Service can connect to the Relying Party. Also:

  • If Security Token Service issues a SAML Assertion encrypted for the Relying Party, the server uses the certificate downloaded from the Relying Party's WS-Sec Policy to encrypt the outgoing token.

  • If Security Token Service issues a SAML Assertion with the Subject Confirmation of type Holder of Key / Symmetric, Security Token Service uses the certificate downloaded from the Relying Party's WS-Sec Policy to encrypt the secret proof key to be included in the Assertion.

You can configure the Relying Party Partner Profile so it downloads the certificate at run time.

See Setting the Partner's Signing or Encryption Certificate.

44.4.3 Setting the Partner's Signing or Encryption Certificate

You can set the signing or encryption certificate of a partner using the Federation console.

Alternatively, use the WLST Partner commands to set the signing or encryption certificate of a specific partner.

See Table 44-3 for the prerequisites of Setting the Partner's Signing or Encryption Certificate.

To set the certificate of a partner:

  1. In the Oracle Access Management Console, click Federation at the top of the window.
  2. In the Federation console, select Partners from the View drop-down menu in the Security Token Service section.
  3. Select the desired tab (Requesters, Relying Parties or Issuing Authorities).

    See Table 44-3.

  4. Search for and open (or Create) the Partner for which the certificate must be set.
  5. Edit Partner settings as needed.

    See Managing Token Service Partners and click Save.

  6. Encryption Certificate: Click the Browse button to locate and choose the Encryption certificate.
  7. Signing Certificate: Click the Browse button to locate and choose the Signing certificate.
  8. Save the information and close the page.
  9. Proceed with "Managing Certificate Validation".