SOAP binding supports the following authentication methods to protect interactions between SAML v2 entities:
Once basic authentication is set up to protect a SAML v2 SOAP endpoint, all entities communicating with this endpoint must configure three basic authentication-related attributes in the extended metadata as described in the following table.
Table 4–1 Securing SOAP Endpoint with Basic Authentication

| Attribute | Description |
|---|---|
| basicAuthOn | Establishes that the SOAP endpoint is using basic authentication. Takes a value of true or false. |
| basicAuthUser | Defines the user allowed access to the protected SOAP endpoint in the original SAML v2 entity. |
| basicAuthPassword | Defines an encrypted password for the user. The password is encrypted using ampassword on the partner side. For information on ampassword, see Sun Java System Access Manager 7 2005Q4 Administration Guide. |
To modify the metadata, you must first export it to a file. Once you've modified the values of the applicable attributes, the metadata must be reloaded using the saml2meta command and the web container must be restarted. For more information, see The saml2meta Command-line Reference.
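Because the three attributes are edited by hand in an exported file and only take effect after the metadata is reloaded, a quick consistency check of the file before running saml2meta saves a restart cycle. The following Python is an added example, not code from the product or this guide; it assumes the exported extended metadata is an EntityConfig document in the urn:sun:fm:SAML:2.0:entityconfig namespace with `<Attribute name="..."><Value>...</Value></Attribute>` children under each role element, and both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of the exported extended metadata (EntityConfig document).
EC_NS = "urn:sun:fm:SAML:2.0:entityconfig"

# Constructed sample: extended metadata for a remote IDP whose SOAP endpoint is
# protected by basic authentication; the password value is an ampassword-style
# ciphertext placeholder, not a real one.
SAMPLE_GOOD = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="0" entityID="https://idp.example.com/idp">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="basicAuthOn"><Value>true</Value></Attribute>
    <Attribute name="basicAuthUser"><Value>soapuser</Value></Attribute>
    <Attribute name="basicAuthPassword"><Value>AQICENCRYPTED-PLACEHOLDER==</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

# Constructed sample with a defect: basic auth is switched on but the password
# attribute was never filled in.
SAMPLE_BAD = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="0" entityID="https://idp.example.com/idp">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="basicAuthOn"><Value>true</Value></Attribute>
    <Attribute name="basicAuthUser"><Value>soapuser</Value></Attribute>
    <Attribute name="basicAuthPassword"><Value></Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""


def basic_auth_attributes(xml_text):
    """Collect the basicAuth* attributes per role element, e.g. {'IDPSSOConfig': {...}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for config in root:
        role = config.tag.split("}")[-1]  # drop the namespace prefix
        attrs = {}
        for attribute in config.iter(f"{{{EC_NS}}}Attribute"):
            name = attribute.get("name")
            if name and name.startswith("basicAuth"):
                value = attribute.find(f"{{{EC_NS}}}Value")
                attrs[name] = (value.text or "").strip() if value is not None else ""
        result[role] = attrs
    return result


def check_basic_auth(xml_text):
    """Return a list of findings; an empty list means the three attributes are consistent."""
    findings = []
    for role, attrs in basic_auth_attributes(xml_text).items():
        on = attrs.get("basicAuthOn")
        if on is None:
            continue  # basic auth not configured for this role
        if on not in ("true", "false"):
            findings.append(f"{role}: basicAuthOn must be 'true' or 'false', got {on!r}")
            continue
        if on == "false":
            continue
        for required in ("basicAuthUser", "basicAuthPassword"):
            if not attrs.get(required):
                findings.append(f"{role}: basicAuthOn is true but {required} is empty")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_basic_auth(sample) or "ok")
```

The check cannot tell whether basicAuthPassword really holds ampassword output rather than a plaintext password, so that part of the procedure still has to be done on the partner side as described above; what it does catch is the empty or misspelled value that otherwise surfaces only as a failed SOAP call after the container restart.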
Secure Socket Layer/Transport Layer Security (SSL/TLS) can also be enabled to protect SOAP endpoints and secure communications between SAML v2 entities. When one SAML v2 entity initiates communication with a SAML v2 entity deployed in an SSL/TLS-enabled web container, the initiating entity is referred to as the SSL/TLS client and the replying entity is referred to as the SSL/TLS server.
For SSL/TLS server authentication (the server needs to present a certificate to the client), the following properties need to be set in the Virtual Machine for the Java™ platform (JVM™) running the SSL/TLS client:
| Property | Description |
|---|---|
| -Djavax.net.ssl.trustStore | Defines the full path to the file containing the server's CA certificate(s). |
| -Djavax.net.ssl.trustStoreType | Takes a value of JKS (Java Key Store). |
In addition, the client's CA certificate needs to be imported into the certificate store/database of the server's web container and marked as a trusted issuer of client certificates.
For SSL/TLS client authentication (the client needs to present a certificate to the server), the following properties need to be set in the JVM software running the SSL/TLS client:
| Property | Description |
|---|---|
| -Djavax.net.ssl.keyStore | Defines the full path to the keystore containing the client certificate and private key. This may be the same as that defined in Server Certificate Authentication. |
| -Djavax.net.ssl.keyStoreType | Takes a value of JKS. |
| -Djavax.net.ssl.keyStorePassword | Specifies the password to the keystore. |
On the SSL/TLS server side, the client's CA certificate needs to be imported into the web container's keystore and marked as a trusted issuer of client certificates.
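The two property sets above differ only in whether the client also presents a certificate, and the most common startup failures are a path that does not exist, a store that is not actually in JKS format, or a keystore with the private key left readable to other accounts. The following Python is an added example, not part of this guide or the product, that assembles the -D options for either mode and runs those checks first; the JKS magic number (0xFEEDFEED) and version values (1 or 2) are from the JKS file format, the store files it creates are constructed header-only fixtures, and `changeit` is a placeholder password.

```python
import os
import stat
import struct
import tempfile
from pathlib import Path

JKS_MAGIC = 0xFEEDFEED  # every JKS file starts with this 32-bit magic, then a version (1 or 2)


def is_jks(path):
    """True if the file carries the JKS magic and a known version number."""
    with open(path, "rb") as f:
        header = f.read(8)
    if len(header) < 8:
        return False
    magic, version = struct.unpack(">II", header)
    return magic == JKS_MAGIC and version in (1, 2)


def store_problems(path, holds_private_key=False):
    """Sanity-check a store file before it is handed to the JVM via -D options."""
    p = Path(path)
    if not p.is_file():
        return [f"{path}: file does not exist"]
    problems = []
    if not is_jks(p):
        problems.append(f"{path}: not a JKS file, but trustStoreType/keyStoreType is JKS")
    if holds_private_key and p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path}: keystore with the private key is group/world readable")
    return problems


def jvm_ssl_options(truststore, keystore=None, keystore_password=None):
    """Return (options, problems). keystore=None means server authentication only."""
    problems = store_problems(truststore)
    opts = [f"-Djavax.net.ssl.trustStore={truststore}", "-Djavax.net.ssl.trustStoreType=JKS"]
    if keystore is not None:  # client authentication: add the keystore properties
        if not keystore_password:
            problems.append("client authentication needs -Djavax.net.ssl.keyStorePassword")
        problems += store_problems(keystore, holds_private_key=True)
        opts += [f"-Djavax.net.ssl.keyStore={keystore}", "-Djavax.net.ssl.keyStoreType=JKS",
                 f"-Djavax.net.ssl.keyStorePassword={keystore_password}"]
    return opts, problems


def write_fixture_store(path, magic=JKS_MAGIC, version=2, entries=0, mode=0o600):
    """Constructed fixture: only the 12-byte JKS header (magic, version, entry count)."""
    with open(path, "wb") as f:
        f.write(struct.pack(">III", magic, version, entries))
    os.chmod(path, mode)


def demo():
    """Run both modes against constructed stores and return the outcomes for inspection."""
    d = tempfile.mkdtemp()
    ts = os.path.join(d, "truststore.jks")
    ks = os.path.join(d, "keystore.jks")
    p12 = os.path.join(d, "keystore.p12")
    write_fixture_store(ts)
    write_fixture_store(ks, entries=1)
    write_fixture_store(p12, magic=0x30820100)  # not a JKS header
    results = {
        "server_auth": jvm_ssl_options(ts),
        "client_auth": jvm_ssl_options(ts, ks, "changeit"),
        "no_password": jvm_ssl_options(ts, ks),
        "wrong_type": jvm_ssl_options(ts, p12, "changeit"),
    }
    os.chmod(ks, 0o644)  # simulate a keystore copied into place with loose permissions
    results["loose_perms"] = jvm_ssl_options(ts, ks, "changeit")
    return results


if __name__ == "__main__":
    for name, (opts, problems) in demo().items():
        print(name, "->", problems or " ".join(opts))
```

Note that the keystore password becomes part of the command line the moment it is passed as a -D option, so it is visible to anyone who can list processes on the host; restricting who can do that on the machine running the SSL/TLS client matters as much as the file permissions on the keystore itself.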