Using the HTTP Binding Component

SAML Authorization over SSL

The SAML Authorization over SSL mechanism attaches an authorization token to the message. SSL is used for confidentiality protection. In this mechanism, the SAML token is expected to carry some authorization information about an end user. The sender of the token is actually vouching for the credentials in the SAML token.

Server-Side Requirements

The following server-side options need to be configured for this security mechanisms:

Client-Side Requirements

The following client-side options need to be configured for this security mechanisms:

Table 25 SAML Authorization over SSL Configuration Properties




SAML Version 

Specifies which version of the SAML token should be used. The SAML Version is something the CallbackHandler has to verify, not the security runtime.  

SAML tokens are defined in WSS: SAML Token Profile documents, available from

1.1 (Profile 1.0) 

WSS Version 

Specifies which version of the Web Services Security specification is followed. Options are 1.0 and 1.1. 

Enabling WSS 1.1 enables the Server to reuse an encrypted key already generated by the client. This saves the time otherwise required to create a Symmetric Key during the course of response, encrypt it with the client public key (which is also an expensive RSA operation), and transmit the encrypted key in the message (it occupies markup and requires Base64 operations). Enabling WSS 1.1 also enables encrypted headers.  


Algorithm Suite 

Specifies the algorithm suite required to perform cryptographic operations with symmetric or asymmetric key-based security tokens.  

See Algorithm Suite under Table 21 for more information.

Basic 128bit 

Security Header Layout 

Specifies the layout rule to apply when adding items to the security header. Options are Strict, Lax, Lax (Timestamp First), and Lax (Timestamp Last). 

See Security Header Layout under Table 21 for more information.


Require Client Certificate 

Specifies that a client certificate must be provided to the server for verification. 

If you are using a security mechanism with SSL, a client certificate will be required by the server both during its initial handshake and again during verification.  

Check box Selected indicates disabled. 

Require Signature Confirmation 

Specifies that the responder process the signature in the request. Select this option to reduce the risk of attacks when the WSS Version is 1.1 .  

Select the checkbox to enable.