Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Securing SOAP Binding

The SOAP binding supports the following authentication methods to protect interactions between SAML v2 entities:

Basic Authentication

Once basic authentication is set up to protect a SAML v2 SOAP endpoint, all entities communicating with this endpoint must configure three basic authentication-related attributes in the extended metadata as described in the following table.

Table 4–1 Securing SOAP Endpoint with Basic Authentication

Attribute: basicAuthOn
Description: Establishes that the SOAP endpoint is using basic authentication. Takes a value of true or false.

Attribute: basicAuthUser
Description: Defines the user allowed access to the protected SOAP endpoint in the original SAML v2 entity.

Attribute: basicAuthPassword
Description: Defines an encrypted password for the user. The password is encrypted using ampassword on the partner side. For information on ampassword, see Sun Java System Access Manager 7 2005Q4 Administration Guide.

To modify the metadata, you must first export it to a file. Once you've modified the values of the applicable attributes, the metadata must be reloaded using the saml2meta command and the web container must be restarted. For more information, see The saml2meta Command-line Reference.

Secure Sockets Layer/Transport Layer Security

Secure Sockets Layer/Transport Layer Security (SSL/TLS) can also be enabled to protect SOAP endpoints and secure communications between SAML v2 entities. When one SAML v2 entity initiates communication with a SAML v2 entity deployed in an SSL/TLS-enabled web container, the initiating entity is referred to as the SSL/TLS client and the replying entity is referred to as the SSL/TLS server.

Server Certificate Authentication

For SSL/TLS server authentication (the server needs to present a certificate to the client), the following properties need to be set in the Virtual Machine for the Java™ platform (JVM™) running the SSL/TLS client:

-Djavax.net.ssl.trustStore

Defines the full path to the file containing the server's CA certificate(s). 

-Djavax.net.ssl.trustStoreType

Takes a value of JKS (Java Key Store).

In addition, the client's CA certificate needs to be imported into the certificate store/database of the server's web container and marked as a trusted issuer of client certificates.

Client Certificate Authentication

For SSL/TLS client authentication (the client needs to present a certificate to the server), the following properties need to be set in the JVM software running the SSL/TLS client:

-Djavax.net.ssl.keyStore

Defines the full path to the keystore containing the client certificate and private key. This may be the same file as the trust store defined under Server Certificate Authentication.

-Djavax.net.ssl.keyStoreType

Takes a value of JKS.

-Djavax.net.ssl.keyStorePassword

Specifies the password to the keystore. 

On the SSL/TLS server side, the client's CA certificate needs to be imported into the web container's keystore and marked as a trusted issuer of client certificates.
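The following Java program is an added example, not code from the SAML v2 plug-in or from Access Manager. It reads the javax.net.ssl.* properties described under Server Certificate Authentication and Client Certificate Authentication, loads the stores they name, reports what each one holds (the trusted CA certificates on the server-authentication side, the private key and client certificate on the client-authentication side), and builds an SSLContext from them the same way the JSSE defaults do. The class name SoapTlsStoreCheck and the store paths in the comment are placeholders; it assumes Java 5 or later and the JKS store type the page specifies.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (hypothetical class, not part of the plug-in). Run it in the JVM
 * that will act as the SSL/TLS client, with the same -D options, e.g.:
 *   java -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
 *        -Djavax.net.ssl.trustStoreType=JKS \
 *        -Djavax.net.ssl.keyStore=/path/to/client.jks \
 *        -Djavax.net.ssl.keyStoreType=JKS \
 *        -Djavax.net.ssl.keyStorePassword=changeit SoapTlsStoreCheck
 * The paths and password above are placeholders.
 */
public class SoapTlsStoreCheck {

    /* Loads a store of the given type; a null password is allowed for a trust store
     * (JKS then skips the integrity check but still reads the certificates). */
    static KeyStore loadStore(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type != null ? type : KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /* Server authentication: the trust store must hold at least one certificate
     * entry, i.e. a CA certificate the client will accept as the server's issuer. */
    static int countTrustedCertificates(KeyStore trustStore) throws GeneralSecurityException {
        int count = 0;
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trustStore.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) trustStore.getCertificate(alias);
                System.out.println("trusted CA  : " + alias + " -> " + cert.getSubjectX500Principal());
                count++;
            }
        }
        return count;
    }

    /* Client authentication: the key store must hold a private key with its certificate.
     * The issuer printed here is the CA the server's web container must trust. */
    static int countKeyEntries(KeyStore keyStore, char[] password) throws GeneralSecurityException {
        int count = 0;
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (keyStore.isKeyEntry(alias) && keyStore.getKey(alias, password) != null) {
                X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
                System.out.println("client cert : " + alias + " -> " + cert.getSubjectX500Principal()
                        + " (issuer " + cert.getIssuerX500Principal() + ")");
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        String trustPath = System.getProperty("javax.net.ssl.trustStore");
        String trustType = System.getProperty("javax.net.ssl.trustStoreType");
        String keyPath = System.getProperty("javax.net.ssl.keyStore");
        String keyType = System.getProperty("javax.net.ssl.keyStoreType");
        String keyPass = System.getProperty("javax.net.ssl.keyStorePassword");

        if (trustPath == null) {
            throw new IllegalStateException("javax.net.ssl.trustStore is not set; the server certificate cannot be verified");
        }
        KeyStore trustStore = loadStore(trustPath, trustType, null);
        if (countTrustedCertificates(trustStore) == 0) {
            throw new IllegalStateException(trustPath + " holds no trusted certificate entries");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        KeyManagerFactory kmf = null;
        if (keyPath != null) {  // client authentication requested
            if (keyPass == null) {
                throw new IllegalStateException("javax.net.ssl.keyStorePassword is required to read the private key");
            }
            char[] pass = keyPass.toCharArray();
            KeyStore keyStore = loadStore(keyPath, keyType, pass);
            if (countKeyEntries(keyStore, pass) == 0) {
                throw new IllegalStateException(keyPath + " holds no private key entry; client authentication would fail");
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, pass);
        }

        // Trust store feeds the trust managers, key store feeds the key managers:
        // this is exactly how the two property sets are consumed by JSSE.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf != null ? kmf.getKeyManagers() : null, tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready; client authentication " + (kmf != null ? "enabled" : "disabled"));
    }
}
```

Running this before the web container is restarted surfaces the usual misconfigurations early: a trust store that contains no certificate entries, a key store whose only entries are certificates rather than a private key, or a missing keystore password, each of which would otherwise appear only as a handshake failure on the first SAML v2 SOAP call.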