The Web Service Provider agent profile describes the configuration that is used for validating web service requests from web service clients and securing web service responses from a web service provider. The name of the web service provider must be unique across all agents.
The following General attributes define basic web service provider properties:
The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.
Defines the password for the web service provider agent.
Confirm the password.
Defines whether the web service provider agent will be Active or Inactive in the system. By default, it is set to Active, meaning that the agent will participate in validating web service requests from web service clients and securing service responses from a web service provider.
Lists the basic LDAP properties that uniquely define the web service provider agent.
The following attributes define web service provider security attributes:
Defines the type of security credentials that are used to validate the web service request. The security mechanism is part of the web service request sent by a web service client and is accepted by the web service provider. Choose from the following types:
Anonymous - The anonymous security mechanism contains no security credentials.
KerberosToken - Uses Kerberos security tokens.
LibertyBearerToken - Uses the Liberty-defined bearer token.
LibertySAMLToken - Uses the Liberty-defined SAML token.
LibertyX509Token - Uses the Liberty-defined X509 certificate.
SAML-HolderOfKey - Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches - Uses the SAML 1.1 assertion type Sender Vouches.
SAML2-HolderOfKey - Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2-SenderVouches - Uses the SAML 2.0 assertion token type Sender Vouches.
UserNameToken - Uses a user name token.
UserNameToken-Plain - Uses a user name token with a clear text password.
X509Token - Uses the X509 certificate.
Defines the authentication chain (service name) used to authenticate to the OpenSSO Enterprise authentication service with the credentials carried in an incoming web service request's security token; a successful authentication produces an OpenSSO Enterprise authenticated SSOToken.
Defines the type of token that will be converted when a web service provider requests a token conversion from the Security Token service. The token is converted to the specified SAML or SSOToken (session token) with the same identity, but with attribute definitions specific to the token type. This new token can be used by the web service provider making a web service call to another web service provider. The token types you can define are:
SAML 1.1 token
SAML2 token
SSOToken
To use this attribute, a SAML token type must be selected in the Security Mechanism attribute and an authentication chain must be defined for the web service provider.
When enabled, this attribute defines that the SOAP security headers are preserved by the web service provider for further processing.
Defines the key type used by the web service provider during the web service request signature verification process. The default value is PublicKey.
The URN (Universal Resource Name) describes a Liberty service type that the web service provider will use for service lookups.
This attribute holds the username/password shared secrets that the web service provider uses to validate a username security token from an incoming web service request: the credentials carried in the token are compared against these shared secrets.
The following attributes configure the Security Assertion Markup Language (SAML) for the web service provider:
This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.
SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.
Defines the NameID mapper plug-in class that is used for SAML account mapping.
Defines the name space used for generating SAML attributes.
If enabled, this attribute defines that the principal's membership must be included as a SAML attribute.
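The mapping format, attribute namespace and membership attribute described above, worked through as an added example (not OpenSSO Enterprise code): the `SAML_attr_name=Real_attr_name` parsing and the resolution order (authenticated SSOToken first, then the identity repository) follow the profile text; the function names, the sample data and the `memberships` attribute name are assumptions.

```python
def parse_attribute_mapping(entries):
    """Turn 'SAML_attr_name=Real_attr_name' entries into a dict.
    Malformed or duplicate entries raise so the profile fails at
    configuration time instead of silently dropping attributes."""
    mapping = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if entry.count("=") != 1:
            raise ValueError(f"malformed mapping entry: {raw!r}")
        saml_name, real_name = (p.strip() for p in entry.split("="))
        if not saml_name or not real_name:
            raise ValueError(f"empty attribute name in entry: {raw!r}")
        if saml_name in mapping:
            raise ValueError(f"duplicate SAML attribute name: {saml_name}")
        mapping[saml_name] = real_name
    return mapping

def build_attribute_statement(mapping, sso_token_props, idrepo_attrs,
                              namespace, include_memberships, memberships=()):
    """Resolve each Real_attr_name from the authenticated SSOToken first,
    then from the identity repository; attributes missing from both are
    omitted rather than emitted empty. Returns (namespace, name, values)
    tuples. The 'memberships' attribute name is an assumption."""
    statement = []
    for saml_name, real_name in mapping.items():
        if real_name in sso_token_props:
            values = [sso_token_props[real_name]]
        elif real_name in idrepo_attrs:
            values = list(idrepo_attrs[real_name])
        else:
            continue
        statement.append((namespace, saml_name, values))
    if include_memberships and memberships:
        statement.append((namespace, "memberships", list(memberships)))
    return statement

def demo():
    """Constructed sample mapping and principal data (not real values)."""
    mapping = parse_attribute_mapping(["email=mail", "uid=UserId", "dept=ou"])
    sso_props = {"UserId": "jdoe"}  # attributes held on the SSOToken
    idrepo = {"mail": ["jdoe@example.com"], "cn": ["Jane Doe"]}  # no 'ou'
    return build_attribute_statement(mapping, sso_props, idrepo,
                                     "urn:example:saml:attrs", True, ["staff"])
```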
The following attributes define signing and encryption configuration for web provider security:
When enabled, the web service provider signs the response using its X509 certificate.
When enabled, the web service response will be encrypted.
When enabled, the web service request signature is verified.
When enabled, the web service client request's security header will be decrypted.
When enabled, the web service client request will be decrypted.
Defines the reference type used when the Security Token Service signs the web service provider response. The possible reference types are DirectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used to encrypt the web service response.
Sets the encryption strength used by the Security Token Service to encrypt the web service response. Select a greater value for greater encryption strength.
The following attributes configure the keystore to be used for certificate storage and retrieval:
This attribute defines the public certificate key alias that is used to encrypt the web service response or verify the signature of the web service request.
This attribute defines the private certificate key alias that is used to sign the web service response or decrypt the web service request.
This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:
Location of Key Store
Password of Key Store
Password of Key
The following attributes define web service endpoints:
This attribute defines a web service endpoint to which the web service client is making a request. The endpoint is optional unless it is configured to use a web security proxy.
This attribute defines a web service endpoint to which the web service client is making a request.
Kerberos is a security profile supported by web services security to secure communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service through the web service client, which obtains a Kerberos ticket and secures the request to the web service provider by presenting the user's principal as a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), whereas SAML-based web services security, for example, is used across boundaries. Kerberos is nonetheless one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.
This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), which is the domain controller in a Windows environment. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the domain name of the Kerberos Key Distribution Center (domain controller). Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.
Specifies the Kerberos principal that owns the generated security token.
Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides; this Kerberos domain may differ from the domain name of the OpenSSO Enterprise instance.
This attribute specifies the Kerberos keytab file that is used for issuing the token. The following naming format is recommended, although it is not required:
hostname.HTTP.keytab
hostname is the hostname of the OpenSSO Enterprise instance.
If enabled, this attribute specifies that the Kerberos token is signed.
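The principal and keytab naming rules above, turned into a configuration check as an added example (not OpenSSO Enterprise code): the `HTTP/hostname.domainname@dc_domain_name` form and the `hostname.HTTP.keytab` convention come from the profile text; the function names, the regular expression, the sample values, and the assumption that the keytab name uses the full host name from the principal are mine.

```python
import re

# HTTP/hostname.domainname@dc_domain_name, split into its three parts.
_PRINCIPAL_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/(?P<host>[^@/\s]+)@(?P<realm>[^@/\s]+)$"
)


def parse_service_principal(principal):
    """Split a web service provider Kerberos principal into (service, host, realm).

    Raises ValueError for anything that is not HTTP/<fqdn>@<realm>, so a
    mistyped principal is caught when the profile is written rather than
    at the first Kerberos token validation."""
    m = _PRINCIPAL_RE.match(principal.strip())
    if not m:
        raise ValueError(f"not in service/host@REALM form: {principal!r}")
    service, host, realm = m.group("service"), m.group("host"), m.group("realm")
    if service != "HTTP":
        raise ValueError(f"service part must be HTTP, got {service!r}")
    if "." not in host:
        raise ValueError(f"host must be fully qualified (hostname.domainname): {host!r}")
    return service, host.lower(), realm


def expected_keytab_name(principal):
    """Recommended keytab file name for the principal, hostname.HTTP.keytab.
    Assumption: the full host name from the principal is used."""
    _, host, _ = parse_service_principal(principal)
    return f"{host}.HTTP.keytab"


def realm_matches_opensso_domain(principal, opensso_domain):
    """True when the Kerberos realm equals the OpenSSO instance's domain
    (case-insensitively). False is a legitimate configuration per the
    profile text; it only flags that the two domains differ."""
    _, _, realm = parse_service_principal(principal)
    return realm.lower() == opensso_domain.lower()
```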