C Predefined Assertion Templates

This appendix describes the predefined assertion templates that you can use to construct your policies or copy to create new policies.

Note:

Oracle recommends that you do not edit the predefined assertion templates so that you will always have a known set of valid templates. You can, however, create a new assertion template from a predefined assertion template, or configure the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates".

This chapter contains the following sections:

• Security Assertion Templates

• Management Assertion Templates

• No Behavior Assertion Templates

Security Assertion Templates

The following sections describe the security assertion templates in more detail.

• Authentication Only Assertion Templates

• Message-Protection Only Assertion Templates

• Message Protection and Authentication Assertion Templates

• WS-Trust Assertion Templates

• Authorization Assertion Templates

• Supported Algorithm Suites

• Message Signing and Encryption Settings for Request, Response, and Fault Messages

You can jump to a specific assertion template description using the following links (listed alphabetically):

• oracle/binding_authorization_template

• oracle/binding_permission_authorization_template

• oracle/component_authorization_template

• oracle/component_permission_authorization_template

• oracle/security_log_template

• oracle/sts_trust_config_client_template

• oracle/wss_http_token_over_ssl_client_template or oracle/wss_http_token_over_ssl_service_template

• oracle/wss_http_token_client_template or oracle/wss_http_token_service_template

• oracle/wss_saml_token_bearer_over_ssl_client_template or oracle/wss_saml_token_bearer_over_ssl_service_template

• oracle/wss_saml20_token_bearer_over_ssl_client_template or oracle/wss_saml20_token_bearer_over_ssl_service_template

• oracle/wss_saml_token_over_ssl_client_template or oracle/wss_saml_token_over_ssl_service_template

• oracle/wss_saml20_token_over_ssl_client_template or oracle/wss_saml20_token_over_ssl_service_template

• oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template or oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template

• oracle/wss_username_token_over_ssl_client_template or oracle/wss_username_token_over_ssl_service_template

• oracle/wss_username_token_client_template or oracle/wss_username_token_service_template

• oracle/wss_username_token_over_ssl_client_template or oracle/wss_username_token_over_ssl_service_template

• oracle/wss10_message_protection_client_template or oracle/wss10_message_protection_service_template

• oracle/wss10_saml_token_client_template or oracle/wss10_saml_token_service_template

• oracle/wss10_saml20_token_client_template or oracle/wss10_saml20_token_service_template

• oracle/wss10_saml_token_with_message_protection_client_template or oracle/wss10_saml_token_with_message_protection_service_template

• oracle/wss10_saml20_token_with_message_protection_client_template or oracle/wss10_saml20_token_with_message_protection_service_template

• oracle/wss10_username_token_with_message_protection_client_template or oracle/wss10_username_token_with_message_protection_service_template

• oracle/wss10_x509_token_with_message_protection_client_template or oracle/wss10_x509_token_with_message_protection_service_template

• oracle/wss11_kerberos_token_client_template or oracle/wss11_kerberos_token_service_template

• oracle/wss11_kerberos_token_with_message_protection_client_template or oracle/wss11_kerberos_token_with_message_protection_service_template

• oracle/wss11_saml_token_with_message_protection_client_template or oracle/wss11_saml_token_with_message_protection_service_template

• oracle/wss11_saml20_token_with_message_protection_client_template or oracle/wss11_saml20_token_with_message_protection_service_template

• oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template or oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template

• oracle/wss11_sts_issued_saml_with_message_protection_client_template

• oracle/wss11_username_token_with_message_protection_client_template or oracle/wss11_username_token_with_message_protection_service_template

• oracle/wss11_x509_token_with_message_protection_client_template or oracle/wss11_x509_token_with_message_protection_service_template

Authentication Only Assertion Templates

Table C-1 summarizes the assertion templates that enforce authentication only, and indicates whether the token is inserted at the transport layer or SOAP header.

Table C-1 Authentication Only Assertion Templates

Client Template	Service Template	Authentication Transport	Authentication SOAP	Message Protection Transport	Message Protection SOAP
oracle/wss_http_token_client_template	oracle/wss_http_token_service_template	Yes	No	No	No
oracle/wss_username_token_client_template	oracle/wss_username_token_service_template	No	Yes	No	No
oracle/wss10_saml_token_client_template	oracle/wss10_saml_token_service_template	No	Yes	No	No
oracle/wss10_saml20_token_client_template	oracle/wss10_saml20_token_service_template	No	Yes	No	No
oracle/wss11_kerberos_token_client_template	oracle/wss11_kerberos_token_service_template	No	Yes	No	No

oracle/wss_http_token_client_template

The wss_http_token_client_template assertion template includes username and password credentials in the HTTP header. You can control whether one-way or two-way authentication is required.

Settings

Table C-2 lists the settings for the wss_http_token_client_template assertion template.

Table C-2 wss_http_token_client_template Settings

Name	Description	Default Value
Authentication Header—Mechanism	Authentication mechanism. Valid values include: basic—Client authenticates itself by transmitting the username and password. Note: It is recommended that you configure SSL when using basic authentication. For more information, see "Configuring Keystores for SSL". digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest. cert—Not supported in this release. Client authenticates itself by transmitting a certificate. custom—Not supported in this release. Custom authentication mechanism.	basic
Authentication Header—Header Name	Name of the authentication header.	None
Transport Security—Mutual Authentication Required	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	Disabled
Transport Security—Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Disabled

Configurations

Table C-3 lists the configuration properties and the default settings for the wss_http_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-3 wss_http_token_client_template Configurations

Name	Description
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—Not set Default—basic.credentials ContentType—Required Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss_http_token_service_template

The wss_http_token_service_template assertion template uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. You can control whether one-way or two-way authentication is required.

Settings

The settings for the wss_http_token_service_template are identical to those for the client version of the assertion template. See Table C-2 for information on the settings.

Configurations

Table C-4 lists the configuration properties and the default settings for the wss_http_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-4 wss_http_token_service_template Configurations

Name	Description
realm	HTTP Realm. Default settings: Value—Not set Default—owsm ContentType—Constant Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss_username_token_client_template

The wss_username_token_client_template assertion template includes authentication with username and password credentials in the WS-Security UsernameToken header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table C-5 lists the settings for the wss_username_token_client_template assertion template.

Table C-5 wss_username_token_client_template Settings

Name	Description	Default Value
Password Type	Type of password required. Valid values are: none—No password. plaintext—Password in clear text. digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest. Note: The plaintext type is not recommended when the token propagation occurs on an unsecure channel. However, if SSL is being used as the transport channel to secure a point-to-point connection between client and server, the plaintext type can be used as the channel takes care of protecting the password.	plaintext
Nonce Required	Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False
Creation Time Required	Flag that specifies whether a time stamp for the creation of the username token is required. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False

Configurations

Table C-6 lists the configuration properties and the default settings for the wss_username_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-6 wss_username_token_client_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—Not set Default—basic.credentials ContentType—Required Description—Not set

oracle/wss_username_token_service_template

The wss_username_token_service_template assertion template enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

The settings for the wss_username_token_service_template are identical to the client version of the assertion template. See Table C-5 for information on the settings.

Configurations

Table C-7 lists the configuration properties and the default settings for the wss_username_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-7 wss_username_token_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss10_saml_token_client_template

The wss10_saml_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.

Settings

Table C-8 lists the settings for the wss10_saml_token_client_template assertion template.

Table C-8 wss10_saml_token_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is 1.1.	1.1
Confirmation Type	Confirmation type. The only valid value is: sender-vouches—Uses the Sender Vouches SAML token for authentication.	sender-vouches
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName	unspecified

Configurations

Table C-9 lists the configuration properties and the default settings for the wss10_saml_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-9 wss10_saml_token_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss10_saml_token_service_template

The wss10_saml_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

Settings

The settings for the wss10_saml_token_service_template are identical to the client version of the assertion, with the exception that Name Identifier Format is not present. See Table C-8 for information on the settings.

Configurations

Table C-10 lists the configuration properties and the default settings for the wss10_saml_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-10 wss10_saml_token_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss10_saml20_token_client_template

The wss10_saml20_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.

Settings

Table C-11 lists the settings for the wss10_saml20_token_client_template assertion template.

Table C-11 wss10_saml20_token_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is 2.0.	2.0
Confirmation Type	Confirmation type. The only valid value is: sender-vouches—Uses the Sender Vouches SAML token for authentication.	sender-vouches
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName kerberos	unspecified

Configurations

Table C-12 lists the configuration properties and the default settings for the wss10_saml20_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-12 wss10_saml20_token_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss10_saml20_token_service_template

The wss10_saml20_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

Settings

The settings for the wss10_saml20_token_service_template are similar to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-11 for information on the settings.

Configurations

Table C-13 lists the configuration properties and the default settings for the wss10_saml20_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-13 wss10_saml20_token_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss11_kerberos_token_client_template

The wss11_kerberos_token_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table C-14 lists the settings for the wss11_kerberos_token_client_template assertion template.

Table C-14 wss11_kerberos_token_client_template Settings

Name	Description	Default Value
Kerberos Token Type	Type of Kerberos token. The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API).	gss-apreq-v5

Configurations

Table C-15 lists the configuration properties and the default settings for the wss11_kerberos_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-15 wss11_kerberos_token_client_template Configurations

Name	Description
service.principal.name	Kerberos principal name that identifies the service. Default settings: Value—Not set Default—HOST/localhost@EXAMPLE.COM ContentType—Required Description—Not set

oracle/wss11_kerberos_token_service_template

The wss11_kerberos_token_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_keberos_token_service_template are identical to the client version of the assertion template. See Table C-14 for information on the settings.

Configurations

Table C-16 lists the configuration properties and the default settings for the wss11_kerberos_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-16 wss11_kerberos_token_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

Message-Protection Only Assertion Templates

Table C-17 summarizes the assertion templates that enforce message protection only, and indicates whether the token is inserted at the transport layer or SOAP header.

Table C-17 Message-Protection Only Assertion Templates

Client Template	Service Template	Authentication Transport	Authentication SOAP	Message Protection Transport	Message Protection SOAP
oracle/wss10_message_protection_client_template	oracle/wss10_message_protection_service_template	No	No	No	Yes
oracle/wss11_message_protection_client_template	oracle/wss11_message_protection_service_template	No	No	No	Yes

oracle/wss10_message_protection_client_template

The wss10_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table C-18 lists the settings for the wss10_message_protection_client_template assertion template.

Table C-18 wss10_message_protection_client_template Settings

Name	Description	Default Value
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Sign Key Reference Mechanism	Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Encryption Key Reference Mechanism	Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-19 lists the configuration properties and the default settings for the wss10_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-19 wss10_message_protection_client_template Configurations

Name	Description
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss10_message_protection_service_template

The wss10_message_protection_service_template assertion template provides message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_message_protection_service_template are identical to the client version of the assertion template. See Table C-18 for information on the settings.

Configurations

Table C-20 lists the configuration properties and the default settings for the wss10_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-20 wss10_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss11_message_protection_client_template

The wss11_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

Table C-21 lists the settings for the wss11_message_protection_client_template assertion template.

Table C-21 wss11_message_protection_client_template Settings

Name	Description	Default Value
Confirm Signature	Flag that specifies whether to send a signature confirmation back to the client.	True
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it. thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead.	thumbprint
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-22 lists the configuration properties and the default settings for the wss11_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-22 wss11_message_protection_client_template Configurations

Name	Description
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss11_message_protection_service_template

The wss11_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

The settings for the wss11_message_protection_service_template are identical to the client version of the assertion template. See Table C-21 for information on the settings.

Configurations

Table C-23 lists the configuration properties and the default settings for the wss11_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-23 wss11_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

Message Protection and Authentication Assertion Templates

Table C-24 summarizes the assertion templates that enforce both message protection and authentication, and indicates whether the token is inserted at the transport layer or SOAP header.

Table C-24 Message Protection and Authentication Assertion Templates

Client Template	Service Template	Authentication Transport	Authentication SOAP	Message Protection Transport	Message Protection SOAP
oracle/wss_http_token_over_ssl_client_template	oracle/wss_http_token_over_ssl_service_template	Yes	No	Yes	No
oracle/wss_saml_token_bearer_over_ssl_client_template	oracle/wss_saml_token_bearer_over_ssl_service_template	No	Yes	Yes	No
oracle/wss_saml20_token_bearer_over_ssl_client_template	oracle/wss_saml20_token_bearer_over_ssl_service_template	No	Yes	Yes	No
oracle/wss_saml_token_over_ssl_client_template	oracle/wss_saml_token_over_ssl_service_template	No	Yes	Yes	No
oracle/wss_saml20_token_over_ssl_client_template	oracle/wss_saml20_token_over_ssl_service_template	No	Yes	Yes	No
oracle/wss_username_token_over_ssl_client_template	oracle/wss_username_token_over_ssl_service_template	No	Yes	Yes	No
oracle/wss10_saml_hok_token_with_message_protection_client_template	oracle/wss10_saml_hok_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss10_saml_token_with_message_protection_client_template	oracle/wss10_saml_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss10_saml20_token_with_message_protection_client_template	oracle/wss10_saml20_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss10_username_token_with_message_protection_client_template	oracle/wss10_username_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss10_x509_token_with_message_protection_client_template	oracle/wss10_x509_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss11_kerberos_token_with_message_protection_client_template	oracle/wss11_kerberos_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss11_saml_token_with_message_protection_client_template	oracle/wss11_saml_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss11_saml20_token_with_message_protection_client_template	oracle/wss11_saml20_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss11_username_token_with_message_protection_client_template	oracle/wss11_username_token_with_message_protection_service_template	No	Yes	No	Yes
oracle/wss11_x509_token_with_message_protection_client_template	oracle/wss11_x509_token_with_message_protection_service_template	No	Yes	No	Yes

oracle/wss_http_token_over_ssl_client_template

The wss_http_token_over_ssl_client_template assertion template includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store.

Settings

Table C-25 lists the settings for the wss_http_token_over_ssl_client_template assertion template.

Table C-25 wss_http_token_over_ssl_client_template Settings

Name	Description	Default Value
Authentication Header—Mechanism	Authentication mechanism. Valid values include: basic—Client authenticates itself by transmitting the username and password. Note: It is recommended that you configure SSL when using basic authentication. For more information, see "Configuring Keystores for SSL". digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest. cert—Not supported in this release. Client authenticates itself by transmitting a certificate. custom—Not supported in this release. Custom authentication mechanism.	basic
Authentication Header—Header Name	Name of the authentication header.	None
Transport Security—Mutual Authentication Required	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	Disabled
Transport Security—Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Disabled

Configurations

Table C-26 lists the configuration properties and the default settings for the wss_http_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-26 wss_http_token_over_ssl_client_template Configurations

Name	Description
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—Not set Default—basic.credentials ContentType—Required Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss_http_token_over_ssl_service_template

The wss_http_token_over_ssl_service_template assertion template extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss_http_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table C-25 for information on the settings.

Configurations

Table C-27 lists the configuration properties and the default settings for the wss_http_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-27 wss_http_token_over_ssl_service_template Configurations

Name	Description
realm	HTTP Realm. Default settings: Value—Not set Default—owsm ContentType—Constant Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss_saml_token_bearer_over_ssl_client_template

The wss_saml_token_bearer_over_ssl_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table C-28 lists the settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.

Table C-28 wss_saml_token_bearer_over_ssl_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 1.1.	1.1
Confirmation Type	Confirmation type. The only valid value is: bearer.	bearer
Is Signed	Flag that specifies whether the SAML token is signed.	False
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName	unspecified
Transport Security—Mutual Authentication Required	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	Disabled
Transport Security—Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Disabled

Configurations

Table C-29 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-29 wss_saml_token_bearer_over_ssl_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Null. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—true ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss_saml_token_bearer_over_ssl_service_template

The wss_saml_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the wss_saml_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-28 for information on the settings.

Configurations

Table C-30 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-30 wss_saml_token_bearer_over_ssl_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss_saml20_token_bearer_over_ssl_client_template

The wss_saml20_token_bearer_over_ssl_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table C-31 lists the settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.

Table C-31 wss_saml20_token_bearer_over_ssl_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 2.0.	2.0
Confirmation Type	Confirmation type. The only valid value is: bearer.	bearer
Is Signed	Flag that specifies whether the SAML token is signed.	False
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName kerberos	unspecified
Transport Security—Mutual Authentication Required	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	Disabled
Transport Security—Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Disabled

Configurations

Table C-32 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-32 wss_saml20_token_bearer_over_ssl_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss_saml20_token_bearer_over_ssl_service_template

The wss_saml20_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-31 for information on the settings.

Configurations

Table C-33 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-33 wss_saml20_token_bearer_over_ssl_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss_saml_token_over_ssl_client_template

The wss_saml_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

Table C-34 lists the settings for the wss_saml_token_over_ssl_client_template assertion template.

Table C-34 wss_saml_token_over_ssl_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 1.1.	1.1
Confirmation Type	Confirmation type. The only valid value is: sender-vouches—Uses the Sender Vouches SAML token for authentication.	sender-vouches
Is Signed	Flag that specifies whether the SAML token is signed. The only valid value for this policy is True.	True
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName	unspecified
Transport Security—Mutual Authentication Required	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	Enabled
Transport Security—Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Disabled

Configurations

Table C-35 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-35 wss_saml_token_over_ssl_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss_saml_token_over_ssl_service_template

The wss_saml_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

The settings for the wss_saml_token_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-34 for information on the settings.

Configurations

Table C-36 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-36 wss_saml_token_over_ssl_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss_saml20_token_over_ssl_client_template

The wss_saml20_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

Table C-37 lists the settings for the wss_saml20_token_over_ssl_client_template assertion template.

Table C-37 wss_saml20_token_over_ssl_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 2.0.	2.0
Confirmation Type	Confirmation type. The only valid value is: sender-vouches—Uses the Sender Vouches SAML token for authentication.	sender-vouches
Is Signed	Flag that specifies whether the SAML token is signed. The only valid value for this policy is True.	True
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName kerberos	unspecified
Transport Security—Mutual Authentication Required	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	Enabled
Transport Security—Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Disabled

Configurations

Table C-38 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-38 wss_saml20_token_over_ssl_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—Not set Default—true ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss_saml20_token_over_ssl_service_template

The wss_saml20_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

The settings for the wss_saml20_token_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-37 for information on the settings.

Configurations

Table C-39 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-39 wss_saml20_token_over_ssl_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss_username_token_over_ssl_client_template

The wss_username_token_over_ssl_client_template assertion template includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table C-40 lists the settings for the wss_username_token_over_ssl_client_template assertion template.

Table C-40 wss_username_token_over_ssl_client_template Settings

Name	Description	Default Value
Password Type	Type of password required. Valid values are: none—No password. plaintext—Password in clear text. digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest. Note: The plaintext type is not recommended when the token propagation occurs on an unsecure channel. However, if SSL is being used as the transport channel to secure a point-to-point connection between client and server, the plaintext type can be used as the channel takes care of protecting the password.	plaintext
Creation Time Required	Flag that specifies whether a time stamp for the creation of the username token is required. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False
Nonce Required	Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False
Transport Security—Mutual Authentication Required	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—Two-way authentication. The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	Disabled
Transport Security—Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Disabled

Configurations

Table C-41 lists the configuration properties and the default settings for the wss_username_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-41 wss_username_token_over_ssl_client_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store. Default settings: Value—Not set Default—basic.credentials ContentType—Required Description—Not set

oracle/wss_username_token_over_ssl_service_template

The wss_username_token_over_ssl_service_template assertion template uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

The settings for the wss_username_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table C-40 for information on the settings.

Configurations

Table C-42 lists the configuration properties and the default settings for the wss_username_token_over_ssl­_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-42 wss_username_token_over_ssl_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver. ContentType—Constant Description—Not set

oracle/wss10_saml_hok_token_with_message_protection_client_template

The wss10_saml_hok_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

Settings

Table C-43 lists the settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.

Table C-43 wss10_saml_hok_token_with_message_protection_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 1.1.	1.1
Confirmation Type	Confirmation type. The only valid value is: holder-of-key.	holder-of-key
Is Signed	Flag that specifies whether the SAML token is signed. The only valid value is: True.	True
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName	unspecified
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	ski
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	direct
Recipient Sign Key Reference Mechanism	Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Encryption Key Reference Mechanism	Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-44 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-44 wss10_saml_hok_token_with_message_protection_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—orakey Default—Not set ContentType—Required Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—www.oracle.com Default—Not set ContentType—Optional Description—Not set
user.roles.include	User roles to be included. Default settings: Value—false Default—Not set ContentType—Optional Description—Not set
saml.assertion.filename	Name of the of the SAML token file. Default settings: Value—temp Default—Not set ContentType—Optional Description—Not set

oracle/wss10_saml_hok_token_with_message_protection_service_template

The wss10_saml_hok_token_with_message_protection_client_template assertion template enforces message-level protection and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_saml_hok_token_with_message_protection_service_template are identical to those for the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-43 for information on the settings.

Configurations

Table C-45 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-45 wss10_saml_hok_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss10_saml_token_with_message_protection_client_template

The wss10_saml_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

Table C-46 lists the settings for the wss10_saml_token_with_message_protection_client_template assertion template.

Table C-46 wss10_saml_token_with_message_protection_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 1.1.	1.1
Confirmation Type	Confirmation type. The only valid value is: sender-vouches.	sender-vouches
Is Signed	Flag that specifies whether the SAML token is signed. The only valid value for this policy is: True.	True
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName	unspecified
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Sign Key Reference Mechanism	Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Encryption Key Reference Mechanism	Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-47 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-47 wss10_saml_token_with_message_protection_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—null ContentType—Optional Description—Not set

oracle/wss10_saml_token_with_message_protection_service_template

The wss10_saml_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

The settings for the wss10_saml_token_with_message_protection_service_template are identical to those for client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-46 for information on the settings.

Configurations

Table C-48 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-48 wss10_saml_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss10_saml20_token_with_message_protection_client_template

The wss10_saml20_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

Table C-49 lists the settings for the wss10_saml20_token_with_message_protection_client_template assertion template.

Table C-49 wss10_saml20_token_with_message_protection_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 2.0.	2.0
Confirmation Type	Confirmation type. The only valid value is: sender-vouches.	sender-vouches
Is Signed	Flag that specifies whether the SAML token is signed. The only valid value for this policy is: True.	True
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName kerberos	unspecified
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Sign Key Reference Mechanism	Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Encryption Key Reference Mechanism	Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-50 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-50 wss10_saml20_token_with_message_protection_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set
user.roles.include	User roles to be included. Default settings: Value—Not set Default—false ContentType—Optional Description—Not set
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
attesting.mapping.attribute	The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies. Default settings: Value—DN Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss10_saml20_token_with_message_protection_service_template

The wss10_saml20_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

The settings for the wss10_saml20_token_with_message_protection_service_template are similar to those of the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-49 for information on the settings.

Configurations

Table C-51 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-51 wss10_saml20_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss10_username_token_with_message_protection_client_template

The wss10_username_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials are included in the WS-Security UsernameToken header in the outbound SOAP message.

The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

Settings

Table C-52 lists the settings for the wss10_username_token_with_message_protection_client_template assertion template.

Table C-52 wss10_username_token_with_message_protection_client_template Settings

Name	Description	Default Value
Password Type	Type of password required. Valid values are: none—No password. plaintext—Password in clear text. digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.	plaintext
Nonce Required	Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False
Creation Time Required	Flag that specifies whether a time stamp for the creation of the username token is required. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False
Is Signed	Flag that specifies whether the username is signed.	True
Is Encrypted	Flag that specifies whether the username is encrypted.	True
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Sign Key Reference Mechanism	Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Encryption Key Reference Mechanism	Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-53 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-53 wss10_username_token_with_message_protection_client_template Configurations

Name	Description
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—Not set Default—basic.credentials ContentType—Required Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set

oracle/wss10_username_token_with_message_protection_service_template

The wss10_username_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

Settings

The settings for the wss10_username_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table C-52 for information on the settings.

Configurations

Table C-54 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-54 wss10_username_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss10_x509_token_with_message_protection_client_template

The wss10_x509_token_with_message_protection_client template assertion template provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table C-55 lists the settings for the wss10_x509_token_with_message_protection_client template assertion template.

Table C-55 wss10_x509_token_with_message_protection_client_template Settings

Name	Description	Default Value
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Sign Key Reference Mechanism	Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Recipient Encryption Key Reference Mechanism	Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-56 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-56 wss10_x509_token_with_message_protection_client_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set

oracle/wss10_x509_token_with_message_protection_service_template

The wss10_x509_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_x509_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table C-55 for information on the settings.

Configurations

Table C-57 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-57 wss10_x509_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss11_kerberos_token_with_message_protection_client_template

The wss11_kerberos_token_with_message_protection_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table C-58 lists the settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.

Table C-58 wss11_kerberos_token_with_message_protection_client_template Settings

Name	Description	Default Value
Kerberos Token Type	Type of Kerberos token. The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API).	gss-apreq-v5
Confirm Signature	Flag that specifies whether to send a signature confirmation back to the client.	True
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	direct
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	TripleDes
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-59 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-59 wss11_kerberos_token_with_message_protection_client_template Configurations

Name	Description
service.principal.name	Kerberos principal name that identifies the service. Default settings: Value—HOST/localhost@EXAMPLE.COM Default—Not set ContentType—Required Description—Not set

oracle/wss11_kerberos_token_with_message_protection_service_template

The wss11_kerberos_token_with_message_protection_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_keberos_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table C-58 for information on the settings.

Configurations

None required.

oracle/wss11_saml_token_with_message_protection_client_template

The wss11_saml_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

Settings

Table C-60 lists the settings for the wss11_saml_token_with_message_protection_client_template assertion template.

Table C-60 wss11_saml_token_with_message_protection_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 1.1.	None
Confirmation Type	Confirmation type. Valid values include: sender-vouches.	sender-vouches.
Is Signed	Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: True.	True
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName	unspecified
Confirm Signature	Flag that specifies whether to send a signature confirmation back to the client.	True
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it. thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	thumbprint
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-61 lists the configuration properties and the default settings for the wss11_saml_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-61 wss11_saml_token_with_message_protection_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss11_saml_token_with_message_protection_service_template

The wss11_saml_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_saml_token_with_message_protection_service_template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-60 for information on the settings.

Configurations

Table C-62 lists the configuration properties and the default settings for the wss11_saml_token__with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-62 wss11_saml_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss11_saml20_token_with_message_protection_client_template

The wss11_saml20_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

Settings

Table C-63 lists the settings for the wss11_saml20_token_with_message_protection_client_template assertion template.

Table C-63 wss11_saml20_token_with_message_protection_client_template Settings

Name	Description	Default Value
Version	SAML version. The only valid value is: 2.0.	2.0
Confirmation Type	Confirmation type. Valid values include: sender-vouches.	sender-vouches.
Is Signed	Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: True.	True
Is Encrypted	Flag that specifies whether the SAML token is encrypted.	False
Name Identifier Format	Specifies the type of format to be used for the name identifier. Specify one of the following values: unspecified emailAddress X509SubjectName WindowsDomainQualifiedName kerberos	unspecified
Confirm Signature	Flag that specifies whether to send a signature confirmation back to the client.	True
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it. thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	thumbprint
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-64 lists the configuration properties and the default settings for the wss11_saml20_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-64 wss11_saml20_token_with_message_protection_client_template Configurations

Name	Description
user.attributes	User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and subject.precedence is set to true. Default settings: Value—Not set Default—Not set. Attribute names should be comma separated. ContentType—Optional Description—Not set A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement. The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server". If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
saml.issuer.name	Issuer URI. Default settings: Value—Not set Default—www.oracle.com ContentType—Optional Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—basic.credentials Default—Not set ContentType—Optional Description—Not set
subject.precedence	Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject. Default settings: Value—true Default—Not set ContentType—Optional Description—Not set
attesting.mapping.attribute	The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies. Default settings: Value—DN Default—Not set ContentType—Optional Description—Not set
saml.audience.uri	Represents the relying party, as a comma-separated URI. This field accepts wildcards. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss11_saml20_token_with_message_protection_service_template

The wss11_saml20_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_saml_token_with_message_protection_service_template are similar to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-62 for information on the settings.

Configurations

Table C-65 lists the configuration properties and the default settings for the wss11_saml20_token__with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-65 wss11_saml20_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
saml.trusted.issuers	A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss11_username_token_with_message_protection_client_template

The ws11_username_token_with_message_protection_client_template assertion template includes authentication and message protection in accordance with the WS-Security v1.1 standard.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature.

To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

Settings

Table C-66 lists the settings for the wss11_username_token_with_message_protection_client_template assertion template.

Table C-66 wss11_username_token_with_message_protection_client_template Settings

Name	Description	Default Value
Password Type	Type of password required. Valid values are: none—No password. plaintext—Password in clear text. digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.	plaintext
Nonce Required	Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False
Creation Time Required	Flag that specifies whether a time stamp for the creation of the username token is required. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.	False
Is Signed	Flag that specifies whether the username is signed.	True
Is Encrypted	Flag that specifies whether the username is encrypted.	True
Confirm Signature	Flag that specifies whether to send a signature confirmation back to the client.	True
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it. thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead.	thumbprint
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic256
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-67 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-67 wss11_username_token_with_message_protection_client_template Configurations

Name	Description
csf-key	Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings: Value—Not set Default—basic.credentials ContentType—Required Description—Not set
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set

oracle/wss11_username_token_with_message_protection_service_template

The ws11_username_token_with_message_protection_service_template assertion template enforces authentication and message protection in accordance with the WS-Security v1.1 standard.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature. To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

Settings

The settings for the wss11_username_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table C-66 for information on the settings.

Configurations

Table C-68 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-68 wss11_username_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss11_x509_token_with_message_protection_client_template

The wss11_x509_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Credentials are included in the WS-Security binary security token of the SOAP message. ]

Settings

Table C-69 lists the settings for the wss11_x509_token_with_message_protection_client_template assertion template.

Table C-69 wss11_x509_token_with_message_protection_client_template Settings

Name	Description	Default Value
Confirm Signature	Flag that specifies whether to send a signature confirmation back to the client.	True
Sign Key Reference Mechanism	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it. thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)	direct
Encryption Key Reference Mechanism	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	thumbprint
Algorithm Suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
Include Timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	Enabled
Request Message Settings	See Table C-91.	N/A
Response Message Settings	See Table C-91.	N/A
Fault Message Settings	See Table C-91.	N/A

Configurations

Table C-70 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-70 wss11_x509_token_with_message_protection_client_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set

oracle/wss11_x509_token_with_message_protection_service_template

The wss11_x509_token_with_message_protection_service_template assertion template enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. The certificate is extracted from the WS-Security binary security token header, and the credentials in the certificate are validated against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_x509_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table C-69 for information on the settings.

Configurations

Table C-71 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-71 wss11_x509_token_with_message_protection_service_template Configurations

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

WS-Trust Assertion Templates

Table C-72 summarizes the WS-Trust assertion templates.

In this release, you can use Fusion Middleware Control to directly edit the assertion template text, but the Settings and Configurations pages are not available.

Table C-72 WS-Trust Assertion Templates

Name	Description
oracle/sts_trust_config_client_template	STS configuration information assertion template that is used to invoke STS for token exchange.
oracle/sts_trust_config_service_template	STS configuration information assertion template that is used to invoke STS for token exchange.
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template	SOAP binding-level client assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection.
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template	SOAP binding-level service assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection.
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template	WS-Security 1.1 issued token SAML HOK token with certificates client assertion template. Provides authentication and message protection using Basic128.
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template	WS-Security 1.1 issued token SAML HOK token with certificates service assertion template. Provides authentication and message protection using Basic128.
oracle/wss11_sts_issued_saml_with_message_protection_client_template	WS-Security 1.1 issued token SAML sender voucher with certificates. Provides authentication and message protection using Basic128.

oracle/sts_trust_config_client_template

The oracle/sts_trust_config_client_template invokes the STS for token exchange.

Settings

Table C-73 lists the settings for the oracle/sts_trust_config_client_template assertion template.

Table C-73 oracle/sts_trust_config_client_template Settings

Name	Description	Default Value
policy-reference-uri	The client policy URI that will be used by the client to communicate with the STS. The policy you choose depends on the authentication requirements of the STS, as identified in its WSDL.	oracle/wss10_username_token_with_message_protection_client_policy
port-endpoint	The endpoint of the STS Web service. For a WSDL 2.0 STS, the format is specified as target-namespace#wsdl.endpoint(service-name/port-name). For example, http://samples.otn.com.LoanFlow#wsdl.endpoint(LoanFlowService/LoanFlowPort For a WSDL 1.1 STS, the format is specified as targetnamespace#wsdl11.endpoint(servicename/portname). For example, http://samples.otn.com.LoanFlow#wsdl11.endpoint(LoanFlowService/LoanFlowPort).	None
port-uri	The actual endpoint URI of the STS port. For example. http://host:port/context-root/service1.	None
sts-keystore-recipient-alias	The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.	sts-csf-key
wsdl-uri	The actual endpoint URI of the WSDL.	None

Configurations

Table C-74 lists the configuration properties and the default settings for the oracle/sts_trust_config_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-74 oracle/sts_trust_config_client_template Properties

Name	Description
role	SOAP role. Default settings: Value—ultimateReceiver Default—Not set ContentType—Constant Description—Not set

oracle/sts_trust_config_service_template

The oracle/sts_trust_config_service_template invokes the STS for token exchange.

Settings

Table C-73 lists the settings for the oracle/sts_trust_config_service_template assertion template.

Table C-75 oracle/sts_trust_config_service_template Settings

Name	Description	Default Value
port-uri	The actual endpoint URI of the STS port. For example. http://host:port/context-root/service1.	None
wsdl-uri	The actual endpoint URI of the WSDL.	None

Configurations

Table C-74 lists the configuration properties and the default settings for the oracle/sts_trust_config_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-76 oracle/sts_trust_config_service_template Properties

Name	Description
role	SOAP role. Default settings: Value—Not set Default—ultimateReceiver ContentType—Constant Description—Not set

oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template

This template inserts a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL.

Settings

Table C-77 lists the settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template.

Table C-77 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Settings

Name	Description	Default Value
require-applies-to	Optional element in the RST. If present, Oracle WSM sends the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS.	True
require-client-entropy	If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.	Applies only to HOK.
require-server-entropy	If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.	Applies only to HOK.
trust -version	WS-Trust version.	1.3
require-external-reference	Indicates whether external reference to the token is required.	True
require-internal-reference	Indicates whether internal reference to the token is required.	True
use-derived-keys	Indicates whether derived keys are required.	False
token-type	SAML token type. The only valid value is: 1.1.	SAML11
key-type	Key type. The only valid value is: bearer.	bearer
mutual-auth	Flag that specifies whether two-way authentication is required. Valid values include: Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service. Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.	False
include-timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	True

Configurations

Table C-78 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-78 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Properties

Name	Description
sts.auth.user.csf.key	You can override this property. Use to configure username/password to authenticate to the STS. If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to a username-based policy, then you configure the sts.auth.user.csf.key property to specify a username/password to authenticate to the STS.
sts.auth.x509.csf.key	You can override this property. Use to configure X509 certificate for authenticating to the STS. If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to an x509-based policy, then you configure the sts.auth.x509.csf.key property to specify the X509 certificate for authenticating to the STS.
on.behalf.of	You can override this property. Optional property. Override this property to indicate whether the request is on behalf of an another entity. The default value for this flag is false. When set to true and sts.auth.on.behalf.of.csf.key is configured, then it will be given preference and the identity established using that CSF key will be send in the on behalf of. Otherwise, if the subject is already established, then the username from the subject will be sent as onBehalfOf token. If sts.auth.on.behalf.of.csf.key is not set and the subject does not exist, on.behalf.of is treated as a token exchange for the requestor and not for another entity. It is not included in an onBehalfOf element in the request.
sts.auth.on.behalf.of.csf.key	You can override this property. Optional property. Use to configure on behalf of entity. If present, it will be given preference over Subject (if it exists).
sts.auth.service.principal.name	Principal name for the Web service that needs to be protected. It is of the format <host>/<machine name>@<REALM NAME>. For example, HTTP/mymachine@MYREALM.COM.
sts.auth.keytab.location	Location of the client's keytab file.
sts.keystore.recipient.alias	The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.
sts.auth.caller.principal.name	Client's principal name as generated using the ktpass command and mapped to the username for which the kerberos token should be generated. It is of the format <username>@<REALM NAME>.

oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template

This template authenticates a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL

Settings

Table C-77 lists the settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template assertion template.

Configurations

Table C-79 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-79 oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template Properties

Name	Description
role	SOAP role. Default settings: Value—ultimateReceiver Default—Not set ContentType—Constant Description—Not set

oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template

This template inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.

Settings

Table C-80 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template.

Table C-80 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Settings

Name	Description	Default Value
require-applies-to	Optional element in the RST. If present, Oracle WSM sends the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS.	True
require-client-entropy	If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.	True
equire-server-entropy	If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.	True
trust -version	WS-Trust version.	1.3
require-external-reference	Indicates whether external reference to the token is required.	True
require-internal-reference	Indicates whether internal reference to the token is required.	True
use-derived-keys	Indicates whether derived keys are required.	False
token-type	SAML token type. The only valid values are: 1.1 and 2.0.	SAML11 and SAML20
key-type	Key type.	symmetric
is-signed	Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: True.	True
is-encrypted	Flag that specifies whether the SAML token is encrypted.	False
confirm-signature	Flag that specifies whether to send a signature confirmation back to the client.	True
sign-key-ref-mech	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it. thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)	Thumbprint
enc-key-ref-mech	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	Thumbprint
encrypt-signature	Flag that specifies whether the signature is encrypted.	False
sign-then-encrypt	Flag that specifies whether the request is signed and then encrypted.	True
algorithm-suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
include-timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	True

Configurations

Table C-81 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-81 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Properties

Name	Description
sts.auth.user.csf.key	You can override this property. Use to configure username/password to authenticate to the STS. If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to a username-based policy, then you configure the sts.auth.user.csf.key property to specify a username/password to authenticate to the STS.
sts.auth.x509.csf.key	You can override this property. Use to configure X509 certificate for authenticating to the STS. If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to an x509-based policy, then you configure the sts.auth.x509.csf.key property to specify the X509 certificate for authenticating to the STS.
on.behalf.of	You can override this property. Optional property. Override this property to indicate whether the request is on behalf of an another entity. The default value for this flag is false. When set to true and sts.auth.on.behalf.of.csf.key is configured, then it will be given preference and the identity established using that CSF key will be send in the on behalf of. Otherwise, if the subject is already established, then the username from the subject will be sent as onBehalfOf token. If sts.auth.on.behalf.of.csf.key is not set and the subject does not exist, on.behalf.of is treated as a token exchange for the requestor and not for another entity. It is not included in an onBehalfOf element in the request.
sts.auth.on.behalf.of.csf.key	You can override this property. Optional property. Use to configure on behalf of entity. If present, it will be given preference over Subject (if it exists).
sts.keystore.recipient.alias	The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType— - Constant—Property cannot be overridden. - Required—Property is required and can be overridden. - Optional—Property is optional and can be overridden. This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides". Description—Not set
keystore.enc.csf.key	If you set this value you then can override keystore.enc.csf.key, as described in "Attaching Web Service Policies Permitting Overrides". If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores.
sts.auth.service.principal.name	Principal name for the Web service that needs to be protected. It is of the format <host>/<machine name>@<REALM NAME>. For example, HTTP/mymachine@MYREALM.COM.
sts.auth.keytab.location	Location of the client's keytab file.
sts.auth.caller.principal.name	Client's principal name as generated using the ktpass command and mapped to the username for which the kerberos token should be generated. It is of the format <username>@<REALM NAME>.

oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template

This template authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies.

Settings

Table C-80 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template.

Configurations

Table C-82 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-82 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template Properties

Name	Description
role	SOAP role. Default settings: Value—ultimateReceiver Default—Not set ContentType—Constant Description—Not set
keystore.enc.csf.key	If you set this value you then can override keystore.enc.csf.key, as described in "Attaching Web Service Policies Permitting Overrides". If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores. Default settings: Value—Not set Default—Not set ContentType—Optional Description—Not set

oracle/wss11_sts_issued_saml_with_message_protection_client_template

This template inserts a SAML sender vouches assertion issued by a trusted STS (Security Token Service). Messages are protected using the client's private key.

Settings

Table C-83 lists the settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template.

Table C-83 wss11_sts_issued_saml_with_message_protection_client_template Settings

Name	Description	Default Value
require-applies-to	Optional element in the RST. If present, Oracle WSM sends the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS.	True
require-client-entropy	If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.	Applies to HOK only.
equire-server-entropy	If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.	Applies to HOK only.
trust-version	WS-Trust version.	1.3
require-external-reference	Indicates whether external reference to the token is required.	True
require-internal-reference	Indicates whether internal reference to the token is required.	True
use-derived-keys	Indicates whether derived keys are required.	False
token-type	SAML token type. The only valid value is: 1.1.	SAML11
is-signed	Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: True.	True
is-encrypted	Flag that specifies whether the SAML token is encrypted.	False
confirm-signature	Flag that specifies whether to send a signature confirmation back to the client.	True
sign-key-ref-mech	Mechanism used when signing the request. Valid values include: direct—X.509 Token is included in the request. ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it. issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it. thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)	Direct
enc-key-ref-mech	Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.	Thumbprint
encrypt-signature	Flag that specifies whether the signature is encrypted	False
sign-then-encrypt	Flag that specifies whether the request is signed and then encrypted.	True
algorithm-suite	Algorithm suite used for message protection. See "Supported Algorithm Suites".	Basic128
include-timestamp	Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.	True

Configurations

Table C-84 lists the configuration properties and the default settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".

For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

Table C-84 oracle/wss11_sts_issued_saml_with_message_protection_client_template Properties

Name	Description
sts.auth.user.csf.key	You can override this property. Use to configure username/password to authenticate to the STS. If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to a username-based policy, then you configure the sts.auth.user.csf.key property to specify a username/password to authenticate to the STS.
sts.auth.x509.csf.key	You can override this property. Use to configure X509 certificate for authenticating to the STS. If policy-reference-uri in the client "oracle/sts_trust_config_client_template" points to an x509-based policy, then you configure the sts.auth.x509.csf.key property to specify the X509 certificate for authenticating to the STS.
on.behalf.of	You can override this property. Optional property. Override this property to indicate whether the request is on behalf of an another entity. The default value for this flag is false. When set to true and sts.auth.on.behalf.of.csf.key is configured, then it will be given preference and the identity established using that CSF key will be send in the on behalf of. Otherwise, if the subject is already established, then the username from the subject will be sent as onBehalfOf token. If sts.auth.on.behalf.of.csf.key is not set and the subject does not exist, on.behalf.of is treated as a token exchange for the requestor and not for another entity. It is not included in an onBehalfOf element in the request.
sts.auth.on.behalf.of.csf.key	You can override this property. Optional property. Use to configure on behalf of entity. If present, it will be given preference over Subject (if it exists).
sts.keystore.recipient.alias	The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.
keystore.recipient.alias	Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings: Value—Not set Default—orakey ContentType—Required Description—Not set
keystore.enc.csf.key	If you set this value you then can override keystore.enc.csf.key, as described in "Attaching Web Service Policies Permitting Overrides". If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores.

Authorization Assertion Templates

Table C-85 summarizes assertion templates that are used for authorization. Each authorization assertion template must follow an authentication assertion template.

Table C-85 Authorization Assertion Templates

Service Template	Description
oracle/binding_authorization_template	Provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.
oracle/binding_permission_authorization_template	Provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level.
oracle/component_authorization_template	Provides simple role-based authorization for the request based on the authenticated subject at the SOA component level.
oracle/component_permission_authorization_template	Provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level.

oracle/binding_authorization_template

The binding_authorization_template assertion template provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion template.

Settings

Table C-86 lists the settings for the binding_authorization_template assertion template.

Table C-86 binding_authorization_template Settings

Name	Description	Default Value
Constraint Pattern	Expression that represents the constraints against which authorization checks are performed. The constraints expression is specified using the following two messageContext properties: messageContext.authenticationMethod—Determines the authentication method used to authenticate the user. Valid value is SAML_SV. messageContext.requestOrigin—Determines whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP server administrator has added a custom VIRTUAL_HOST_TYPE header to the request. The constraint pattern properties and their values are case sensitive. The constraint expression uses the following standard supported operators: ==, !=, &&, || and !.
Action Pattern	Action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, validate,amountAvailable.	actionMatchPattern
Resource Pattern	Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.	resourceMatchPattern
Authorization Setting	Specifies the roles that are authorized. The valid values are: Permit All—Permit users with any roles. Deny All—Deny all users with roles. Selected Roles—Permit selected roles. To add roles: Click Add. To add roles, click the checkbox next to each role you want to add in the Roles Available column and click Move. To add all roles, click Move All. To remove roles, click the checkbox next to each role you want to remove in the Roles Selected to Add column, and click Remove. To remove all roles, click Remove All. To search for roles, enter a search string in the Role Name search box and click the go arrow. The Roles Available column is updated to include only those roles that match the search string. Click OK. To delete roles: Select the role that you want to delete in the Selected Roles list. Click Delete.	Selected Roles

Configurations

None defined.

oracle/binding_permission_authorization_template

The binding_permission_authorization_template assertion provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion.

Settings

Table C-87 lists the settings for the binding_permission_authorization_template assertion template.

Table C-87 binding_permission_authorization_template Settings

Name	Description	Default Value
Constraint Pattern	Reserved for future use.	N/A
Action Pattern	Action or Web service operation for which permission-based checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, validate,amountAvailable.	*
Resource Pattern	Name of the resource for which permission-based checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.	*
Permission Check Class	Class used for the permission-based checking. For example, oracle.wsm.security.WSFuncPermission.	N/A

Configurations

None defined.

oracle/component_authorization_template

The component_authorization_template assertion provides simple role-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.

Settings

Table C-88 lists the settings for the component_authorization_template assertion template.

Table C-88 component_authorization_template Settings

Name	Description	Default Value
Authorization Setting	Specifies the roles that are authorized. The valid values are: Permit All—Permit users with any roles. Deny All—Deny all users with roles. Selected Roles—Permit selected roles. To add roles: Click Add. To add roles, click the checkbox next to each role you want to add in the Roles Available column and click Move. To add all roles, click Move All. To remove roles, click the checkbox next to each role you want to remove in the Roles Selected to Add column, and click Remove. To remove all roles, click Remove All. To search for roles, enter a search string in the Role Name search box and click the go arrow. The Roles Available column is updated to include only those roles that match the search string. Click OK. To delete roles: Select the role that you want to delete in the Selected Roles list. Click Delete.	Selected Roles

Configurations

None defined.

oracle/component_permission_authorization_template

The component_permission_authorization_template assertion template provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.

Note:

You should be careful when using permission-based policies with EJBs as the security permissions specified in system-jazn-data.xml will be relaxed beyond a single invocation of the service operation.

Settings

Table C-89 lists the settings for the component_permission_authorization_template assertion template.

Table C-89 component_permission_authorization_template Settings

Name	Description	Default Value
Constraint Pattern	Reserved for future use.	N/A
Action Pattern	Action or Web service operation for which permission-based checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, validate,amountAvailable.	*
Resource Pattern	Name of the resource for which permission-based checks are performed. This field accepts wildcards. For example, if the composite name of the Web service is HelloWorld and the service name is Hello, the resource name is HelloWorld/Hello.	*
Permission Check Class	Class used for the permission-based checking. For example, oracle.wsm.security.WSFunctionPermission.	N/A

Configurations

None defined.

Supported Algorithm Suites

Table C-90 lists the algorithm suites that are supported for message protection. The algorithm suites enable you to control the cryptographic characteristics of the algorithms that are used when securing messages.

Table C-90 Supported Algorithm Suites

Algorithm Suite	Digest	Encryption	Symmetric Key Wrap	Asymmetric Key Wrap	Encrypted Key Derivation	Signature Key Derivation	Minimum Signature Key Length
Basic256	Sha1	Aes256	KwAes256	KwRsaOaep	PSha1L256	PSha1L192	256
Basic192	Sha1	Aes192	KwAes192	KwRsaOaep	PSha1L192	PSha1L192	192
Basic128	Sha1	Aes128	KwAes128	KwRsaOaep	PSha1L128	PSha1L128	128
TripleDes	Sha1	TripleDes	KwTripleDes	KwRsaOaep	PSha1L192	PSha1L192	192
Basic256Rsa15	Sha1	Aes256	KwAes256	KwRsa15	PSha1L256	PSha1L192	256
Basic192Rsa15	Sha1	Aes192	KwAes192	KwRsa15	PSha1L192	PSha1L192	192
Basic128Rsa15	Sha1	Aes128	KwAes128	KwRsa15	PSha1L128	PSha1L128	128
TripleDesRsa15	Sha1	TripleDes	KwTripleDes	KwRsa15	PSha1L192	PSha1L192	192

Message Signing and Encryption Settings for Request, Response, and Fault Messages

Table C-91 lists the settings for the Request, Response, and Fault messages. You configure these settings for message signing and encryption.

Table C-91 Request, Response, and Fault Message Signing and Encryption Settings

Name	Description	Default Value
Include Entire Body	Sign or encrypt the entire body of the SOAP message. If false, you can add specific body elements using the Body Elements section.	True for Request and Response messages False for Fault messages
Include SwA Attachment	Sign or encrypt SOAP messages with attachments. Note: This field is not applicable to MTOM attachments.	False
Include MIME Headers	Sign or encrypt SOAP attachments with MIME headers. Note: This field is enabled and applicable if Include SwA Attachment is enabled. It is not applicable to MTOM attachments.	False
Header Elements	Sign or encrypt the specified SOAP header elements. To add a header element: Click Add. Enter the namespace URI. Enter the local name for the header element. Click OK. To edit a header element: Select the header element that you want to edit in the Header Elements list. Click Edit. Modify the values, as required. Click OK. To delete a header element: Select the header element that you want to delete in the Header Elements list. Click Delete. When prompted to confirm, click OK.	None
Body Elements	Note: This field is available if Include Entire Body is disabled. Sign or encrypt the specified body elements. This field is applicable if the Include Body field is disabled. To add a body element: Click Add. Enter the namespace URI. Enter the local name for the body element. Click OK. To edit a body element: Select the bpdu element that you want to edit in the Body Elements list. Click Edit. Modify the values, as required. Click OK. To delete a body element: Select the body element that you want to delete in the Body Elements list. Click Delete. When prompted to confirm, click OK.	None

Management Assertion Templates

Table C-92 summarizes the management assertion templates.

Table C-92 Management Assertion Templates

Name	Description
oracle/security_log_template	Provides a logging assertion template that can be attached to any binding or component.

oracle/security_log_template

The security_log_template assertion template provides a logging assertion template that can be attached to any binding or component.

Note:

It is recommended that the logging assertion be used for debugging and auditing purposes only.

Settings

Table C-93 lists the settings for the security_log_template assertion template.

Table C-93 security_log_template Settings

Name	Description	Default Value
Request	Requirements for logging request messages. The valid values are: all—Log the entire SOAP message. header—Log SOAP header information only. soap_body—Log SOAP body information only. soap_envelope—Log SOAP envelope information only.	all
Response	Requirements for logging response messages. The valid values are the same as for Request above.	soap_body

Configurations

None defined.

No Behavior Assertion Templates

Each of the predefined no behavior policies, described in "No Behavior Policies", use the same assertion that essentially does not enforce the behavior for that category.

An assertion template is not provided for this assertion. For that reason, it is important that you do not delete the no behavior policies. If you do so, you cannot recreate them and you will need to restore the repository with the original policies. For information about restoring the repository, see "Rebuilding the Oracle WSM Repository".