Sun OpenSSO Enterprise 8.0 Administration Reference

Web Service Provider

The Web Service Provider agent profile describes the configuration that is used for validating web service requests from web service clients and securing web service responses from a web service provider. The name of the web service provider must be unique across all agents.

General

The following General attributes define basic web service provider properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the web service provider agent

Password Confirm

Confirm the password.

Status

Defines whether the web service provider agent will be Active or Inactive in the system. By default, it is set to Active, meaning that the agent will participate in validating web service requests from web service clients and securing service responses from a web service provider.

Universal Identifier

Lists the basic LDAP properties that uniquely identify the web service provider agent.

Security

The following attributes define web service provider security attributes:

Security Mechanism

Defines the type of security credential that is used to validate the web service request. The security mechanism is part of the web service request sent by a web service client and must be accepted by the web service provider. Choose from the following types:

Authentication Chain

Defines the authentication chain or service name that can be used to authenticate to the OpenSSO Enterprise authentication service using the credentials from an incoming web service request's security token to generate OpenSSO Enterprise's authenticated SSOToken.

Token Conversion Type

Defines the type of token that will be converted when a web service provider requests a token conversion from the Security Token service. The token is converted to the specified SAML or SSOToken (session token) with the same identity, but with attribute definitions specific to the token type. This new token can be used by the web service provider making a web service call to another web service provider. The token types you can define are:

To use this attribute, a SAML token type must be selected in the Security Mechanism attribute and an authentication chain must be defined for the web service provider.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the web service provider for further processing.

Private Key Type

Defines the key type used by the web service provider during the web service request signature verification process. The default value is PublicKey.

Liberty Service Type URN

The URN (Uniform Resource Name) describes a Liberty service type that the web service provider uses for service lookups.

Credential for User Token

This attribute holds the username/password shared secrets that the web service provider uses to validate a username security token from an incoming web service request. The configured credentials are compared against the credentials carried in the token.

SAML Configuration

The following attributes configure the Security Assertion Markup Language (SAML) for the web service provider:

SAML Attribute Mapping

This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.

SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.

SAML NameID Mapper Plugin

Defines the NameID mapper plug-in class that is used for SAML account mapping.

SAML Attributes Namespace

Defines the name space used for generating SAML attributes.

Include Memberships

If enabled, this attribute defines that the principal's membership must be included as a SAML attribute.
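The attribute mapping format (SAML_attr_name=Real_attr_name), the attributes namespace and the membership inclusion described above, worked as an added example that is not OpenSSO Enterprise's own code. It assumes the STS looks up Real_attr_name in the authenticated SSOToken first and the identity repository second, emits SAML 1.1 Attribute elements, and uses "memberOf" as the membership attribute name; the sample data is constructed.

```python
# Added example, not OpenSSO Enterprise code: parse "SAML_attr_name=Real_attr_name"
# entries, resolve each Real_attr_name from the SSOToken (first) or the identity
# repository (second), and serialise a SAML 1.1 AttributeStatement whose
# AttributeNamespace is the configured SAML Attributes Namespace.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample data standing in for the SSOToken and the repository.
SSO_TOKEN_ATTRS = {"uid": "alice", "mail": "alice@example.com"}
IDREPO_ATTRS = {"cn": "Alice Example", "mail": "stale@example.com"}
MEMBERSHIPS = ["cn=wsp-users,ou=groups,dc=example,dc=com"]


def parse_attribute_mapping(entries):
    """Parse mapping entries; reject malformed or duplicate ones instead of guessing."""
    mapping = {}
    for entry in entries:
        saml_name, sep, real_name = (s.strip() for s in entry.partition("="))
        if not sep or not saml_name or not real_name:
            raise ValueError(f"bad SAML attribute mapping entry: {entry!r}")
        if saml_name in mapping:
            raise ValueError(f"duplicate SAML attribute name: {saml_name}")
        mapping[saml_name] = real_name
    return mapping


def resolve_attributes(mapping, sso_attrs, repo_attrs, memberships=None):
    """Return {saml_name: [values]}; SSOToken values take precedence over the repository."""
    resolved = {}
    for saml_name, real_name in mapping.items():
        if real_name in sso_attrs:
            resolved[saml_name] = [sso_attrs[real_name]]
        elif real_name in repo_attrs:
            resolved[saml_name] = [repo_attrs[real_name]]
        # An attribute present in neither source produces no statement.
    if memberships is not None:  # "Include Memberships" enabled
        resolved["memberOf"] = list(memberships)  # attribute name is an assumption
    return resolved


def attribute_statement_xml(resolved, namespace):
    """Serialise as a SAML 1.1 AttributeStatement under the configured namespace."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for saml_name, values in resolved.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             AttributeName=saml_name, AttributeNamespace=namespace)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")
```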

Signing and Encryption

The following attributes define the signing and encryption configuration for web service provider security:

Is Response Signed

When enabled, the web service provider signs the response using its X509 certificate.

Is Response Encrypted

When enabled, the web service response will be encrypted.

Is Request Signature Verified

When enabled, the web service request signature is verified.

Is Request Header Decrypted

When enabled, the web service client request's security header will be decrypted.

Is Request Decrypted

When enabled, the web service client request will be decrypted.

Signing Reference Type

Defines the reference type used when the Security Token Service signs the web service provider response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the web service response.

Encryption Strength

Sets the encryption strength used by the Security Token Service to encrypt the web service response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Client

This attribute defines the public certificate key alias that is used to encrypt the web service response or verify the signature of the web service request.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service response or decrypt the web service request.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

End Points

The following attributes define web service endpoints:

Web Service Proxy End Point

This attribute defines the web service end point to which the web service client sends its request. The end point is optional unless the agent is configured to use a web security proxy.

Web Service End Point

This attribute defines a web service end point to which the web service client is making a request.

Kerberos Configuration

Kerberos is a security profile supported by web services security to secure communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and then invokes a web service through the web service client; the client obtains a Kerberos ticket and uses it to secure the request to the web service provider by presenting the user's principal as a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), whereas SAML-based web services security is used across boundaries. However, Kerberos is one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.

Kerberos Domain Server

This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), that is, the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the domain name of the Kerberos Key Distribution Center (domain controller). Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the Kerberos principal as the owner of the generated Security token.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides; this domain may differ from the domain name of the OpenSSO Enterprise instance.

Kerberos Key Tab File

This attribute specifies the Kerberos keytab file that is used for issuing the token. The following naming format is recommended, although it is not required:

hostname.HTTP.keytab

hostname is the hostname of the OpenSSO Enterprise instance.

Verify Kerberos Signature

If enabled, this attribute specifies that the Kerberos token is signed.