This appendix describes the predefined assertion templates that you can use to construct your policies or copy to create new policies.
Note:
Oracle recommends that you do not edit the predefined assertion templates so that you will always have a known set of valid templates. You can, however, create a new assertion template from a predefined assertion template, or configure the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates".
This chapter contains the following sections:
The following sections describe the security assertion templates in more detail.
You can jump to a specific assertion template description using the following links (listed alphabetically):
oracle/http_saml20_token_bearer_client_template or oracle/http_saml20_token_bearer_service_template
oracle/http_spnego_token_client_template or oracle/http_spnego_token_service_template
oracle/http_jwt_token_client_template or oracle/http_jwt_token_service_template
oracle/http_jwt_token_over_ssl_client_template or oracle/http_jwt_token_over_ssl_service_template
oracle/wss_http_token_client_template or oracle/wss_http_token_service_template
oracle/wss_http_token_over_ssl_client_template or oracle/wss_http_token_over_ssl_service_template
oracle/wss_saml_token_bearer_over_ssl_client_template or oracle/wss_saml_token_bearer_over_ssl_service_template
oracle/wss_saml20_token_bearer_over_ssl_client_template or oracle/wss_saml20_token_bearer_over_ssl_service_template
oracle/wss_saml_token_over_ssl_client_template or oracle/wss_saml_token_over_ssl_service_template
oracle/wss_saml20_token_over_ssl_client_template or oracle/wss_saml20_token_over_ssl_service_template
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template or oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template
oracle/wss_username_token_over_ssl_client_template or oracle/wss_username_token_over_ssl_service_template
oracle/wss_username_token_client_template or oracle/wss_username_token_service_template
oracle/wss_username_token_over_ssl_client_template or oracle/wss_username_token_over_ssl_service_template
oracle/wss10_message_protection_client_template or oracle/wss10_message_protection_service_template
oracle/wss10_saml_token_client_template or oracle/wss10_saml_token_service_template
oracle/wss10_saml20_token_client_template or oracle/wss10_saml20_token_service_template
oracle/wss10_saml_token_with_message_protection_client_template or oracle/wss10_saml_token_with_message_protection_service_template
oracle/wss10_saml20_token_with_message_protection_client_template or oracle/wss10_saml20_token_with_message_protection_service_template
oracle/wss10_username_token_with_message_protection_client_template or oracle/wss10_username_token_with_message_protection_service_template
oracle/wss10_x509_token_with_message_protection_client_template or oracle/wss10_x509_token_with_message_protection_service_template
oracle/wss11_kerberos_token_client_template or oracle/wss11_kerberos_token_service_template
oracle/wss11_kerberos_token_with_message_protection_client_template or oracle/wss11_kerberos_token_with_message_protection_service_template
oracle/wss11_saml_token_with_message_protection_client_template or oracle/wss11_saml_token_with_message_protection_service_template
oracle/wss11_saml20_token_with_message_protection_client_template or oracle/wss11_saml20_token_with_message_protection_service_template
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template or oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template
oracle/wss11_sts_issued_saml_with_message_protection_client_template
oracle/wss11_username_token_with_message_protection_client_template or oracle/wss11_username_token_with_message_protection_service_template
oracle/wss11_x509_token_with_message_protection_client_template or oracle/wss11_x509_token_with_message_protection_service_template
Table C-1 summarizes the assertion templates that enforce authentication only, and indicates whether the token is inserted at the transport layer or SOAP header.
Table C-1 Authentication Only Assertion Templates
Client Template | Service Template | Authentication Transport | Authentication SOAP | Authentication REST | Message Protection Transport | Message Protection SOAP |
---|---|---|---|---|---|---|
Yes |
No |
Yes |
No |
No |
||
Yes |
No |
Yes |
Yes |
No |
||
N/A |
No |
No |
Yes |
No |
No |
|
No |
No |
Yes |
Yes |
No |
||
No |
No |
Yes |
Yes |
No |
||
Yes |
No |
No |
No |
No |
||
No |
Yes |
No |
No |
No |
||
No |
Yes |
No |
No |
No |
||
No |
Yes |
No |
No |
No |
||
No |
Yes |
No |
No |
No |
The http_jwt_token_client_template assertion template includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declarative through the policy. A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property.
Table C-2 lists the settings for the http_jwt_token_client_template assertion template.
Table C-2 http_jwt_token_client_template Settings
Name | Description | Default Value |
---|---|---|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="jwt"/> |
Authentication Header—Header Name |
Name of the authentication header. |
None |
Authentication Header—algorithm-suite |
Algorithm suite used to sign the JWT token. |
<orasp:auth-header orasp:algorithm-suite="Basic256Sha256"/" |
Authentication Header—is-signed |
Flag that specifies whether the JWT token is signed. The only valid value for JWT policies is: |
<orasp:auth-header orasp:is-signed="true"/> |
Authentication Header— is encrypted |
Flag that specifies whether the JWT token is encrypted. |
<orasp:auth-header orasp:is-encrypted="false"/> |
Table C-3 lists the configuration properties and the default settings for the http_jwt_token_client_template assertion template.
Table C-3 http_jwt_token_client_template Configuration Properties
Name | Default Values |
---|---|
audience.uri |
Audience restriction. The following conditions are supported:
Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="audience.uri" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf-key" orawsp:type="string"> <orawsp:Value>basic.credentials</orawsp:Value> </orawsp:Property> |
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
issuer.name |
Name of the JWT issuer. The default value is www.oracle.com. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="issuer.name" orawsp:type="string"> <orawsp:Value>www.oracle.com</orawsp:Value> </orawsp:Property> |
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
subject.precedence |
Property that specifies the location from which the subject used to create the JWT token should be obtained. If Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
user.attributes |
List of user attributes for the authenticated user to be included in the JWT token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token. Requires that the Subject is available and A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.attributes" orawsp:type="string"/> |
user.roles.include |
User roles to be included in the JWT token. If set to Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string"> <orawsp:Value>false</orawsp:Value> </orawsp:Property> |
user.tenant.name |
Reserved for use with Oracle Cloud. |
This oracle/http_jwt_token_service_template authenticates users using the credentials provided in the JWT token in the HTTP header.
The settings for the http_jwt_token_service_template assertion template are identical to the client version of the assertion template. See Table C-2 for information about the settings.
Table C-4 lists the configuration properties and the default settings for the http_jwt_token_service_template assertion template.
Table C-4 http_jwt_token_service_template Configuration Properties
Name | Default Values |
---|---|
trusted.issuers |
A comma-separated list of trusted issuers for an application that will override the trusted issuers defined at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.trusted.issuers" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
The http_jwt_token_over_ssl_client_template assertion template includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declarative through the policy. A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property.
Table C-5 lists the settings for the http_jwt_token_over_ssl_client_template assertion template.
Table C-5 http_jwt_token_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="jwt"/> |
Authentication Header—Header Name |
Name of the authentication header. |
None |
Authentication Header—algorithm-suite |
Flag that specifies the algorithm suite used to sign the JWT token. |
<orasp:auth-header orasp:algorithm-suite="Basic256Sha256"/" |
Authentication Header—is-signed |
Flag that specifies whether the JWT token is signed. The only valid value for JWT policies is: |
<orasp:auth-header orasp:is-signed="true"/> |
Authentication Header— is encrypted |
Flag that specifies whether the JWT token is encrypted. |
<orasp:auth-header orasp:is-encrypted="false"/> |
Transport Security |
Flag that specifies whether SSL is enabled. |
<orasp:auth-header orasp:require-tls/> |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
<orasp:auth-header orasp:mutual-auth="false"/> |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
<orasp:auth-header orasp:include-timestamp="false"/> |
Table C-6 lists the configuration properties and the default settings for the http_jwt_token_over_ssl_client_template assertion template.
Table C-6 http_jwt_token_over_ssl_client_template Configuration Properties
Name | Default Values |
---|---|
audience.uri |
Audience restriction. The following conditions are supported:
Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="audience.uri" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf-key" orawsp:type="string"> <orawsp:Value>basic.credentials</orawsp:Value> </orawsp:Property> |
issuer.name |
Name of the JWT issuer. The default value is www.oracle.com. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="issuer.name" orawsp:type="string"> <orawsp:Value>www.oracle.com</orawsp:Value> </orawsp:Property> |
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
subject.precedence |
Property that specifies the location from which the subject used to create the JWT token should be obtained. If Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
user.attributes |
List of user attributes for the authenticated user to be included in the JWT token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token. Requires that the Subject is available and A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.attributes" orawsp:type="string"/> |
user.roles.include |
User roles to be included in the JWT token. If set to Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string"> <orawsp:Value>false</orawsp:Value> </orawsp:Property> |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The oracle/http_jwt_token_over_ssl_service_template authenticates users using the username provided in the JWT token in the HTTP header.
The settings for the http_jwt_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table C-5 for information about the settings.
Table C-7 lists the configuration properties and the default settings for the http_jwt_token_over_ssl_service_template assertion template.
Table C-7 http_jwt_token_over_ssl_service_template Configuration Properties
Name | Default Values |
---|---|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
trusted.issuers |
A comma-separated list of trusted issuers for an application that will override the trusted issuers defined at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.trusted.issuers" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
The http_oam_token_service_template assertion template verifies that OAM agent has authenticated the user and has established an identity. This policy can be applied to any HTTP-based endpoint.
Table C-8 lists the settings for the http_oam_token_service_template assertion template.
Table C-8 http_oam_token_service_template Settings
Name | Description | Default Value |
---|---|---|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="oam"/> |
Authentication Header—Header Name |
Name of the authentication header. |
None |
Table C-9 lists the default configuration properties for the http_oam_token_service_template assertion template.
Table C-9 http_oam_token_service_template Configuration Properties
Name | Description |
---|---|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
The http_saml20_token_bearer_client template assertion template includes SAML 2,0 tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table C-10 lists the settings for the http_saml20_token_bearer_client_template assertion template.
Table C-10 http_saml20_token_bearer_client_template Settings
Name | Description | Default Value |
---|---|---|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="saml20-bearer"/> |
Authentication Header—Header Name |
Name of the authentication header. |
None |
Table C-11 lists the configuration properties and the default settings for the http_saml20_token_bearer_client_template assertion template.
Table C-11 http_saml20_token_bearer_client_template Configuration Properties
Name | Default Values |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.attributes" orawsp:type="string"/> |
saml.issuer.name |
Issuer URI. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string"> <orawsp:Value>www.oracle.com</orawsp:Value> </orawsp:Property> |
user.roles.include |
User roles to be included. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string"> <orawsp:Value>false</orawsp:Value> </orawsp:Property> |
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf-key" orawsp:type="string"> <orawsp:Value>basic.credentials</orawsp:Value> </orawsp:Property> |
subject.precedence |
Set If Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
<orawsp:Property orawsp:contentType="optional" orawsp:name="saml.audience.uri" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. This key is used when generating the enveloping signature, as specified using Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
saml.envelope.signature.required |
Flag that specifies whether the bearer token is signed using the domain signature key. You can override the domain signature key using the private signature key configured using Set this flag Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.enveloped.signature.required" orawsp:type="boolean"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
The http_saml20_token_bearer_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
The settings for the http_saml20_token_bearer_service_template assertion template are identical to the client version of the assertion template. See Table C-10 for information about the settings.
Table C-12 lists the configuration properties and the default settings for the http_saml20_token_bearer_service_template assertion template.
Table C-12 http_saml20_token_bearer_service_template Configuration Properties
Name | Default Values |
---|---|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.trusted.issuers" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
saml.envelope.signature.required |
Flag that specifies whether the bearer token is signed using the domain signature key. You can override the domain signature key using the private signature key configured using Set this flag Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.enveloped.signature.required" orawsp:type="boolean"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
The http_spnego_token_client_template assertion template provides authentication using a Kerberos token and the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) protocol.
Table C-13 lists the settings for the http_spnego_token_client_template assertion template.
Table C-13 http_spnego_token_client_template Settings
Name | Description | Default Value |
---|---|---|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="spnego"/> |
Authentication Header—Header Name |
Name of the authentication header. |
None |
Table C-14 lists the default configuration properties for the http_spnego_token_client_template assertion template.
Table C-14 http_spnego_token_client_template Configuration Properties
Name | Default Values |
---|---|
service.principal.name |
Kerberos principal name that identifies the service. Default setting: <orawsp:Property orawsp:name="service.principal.name" orawsp:type="string"> <orawsp:Value>HOST/localhost@EXAMPLE.COM</orawsp:Value> </orawsp:Property> |
keytab.location |
Location of the client's keytab file. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keytab.location" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
caller.principal.name |
Client's principal name as generated using the Note: Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="caller.principal.name" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
role |
SOAP role. Default setting: <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string"> <orawsp:DefaultValue> ultimateReceiver </orawsp:DefaultValue> </orawsp:Property> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
This http_spnego_token_service_template assertion template provides authentication using a Kerberos token and the SPNEGO protocol.
The settings for the http_spnego_token_service_template assertion template are identical to the client version of the assertion template. See Table C-13 for information about the settings.
Table C-15 lists the default configuration properties for the http_spnego_token_service_template assertion template.
Table C-15 http_spnego_token_service_template Configuration Properties
Name | Default Values |
---|---|
role |
SOAP role. Default setting: <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string"> <orawsp:DefaultValue> ultimateReceiver </orawsp:DefaultValue> </orawsp:Property> |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
The wss_http_token_client_template assertion template includes username and password credentials in the HTTP header. You can control whether one-way or two-way authentication is required.
Table C-16 lists the settings for the wss_http_token_client_template assertion template.
Table C-16 wss_http_token_client_template Settings
Name | Description | Default Value |
---|---|---|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
basic |
Authentication Header—Header Name |
Name of the authentication header. |
None |
Transport Security |
Flag that specifies whether SSL is enabled. |
Enabled |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
Disabled |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Disabled |
Table C-17 lists the configuration properties and the default settings for the wss_http_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-17 wss_http_token_client_template Configurations
Name | Description |
---|---|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss_http_token_service_template assertion template uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. You can control whether one-way or two-way authentication is required.
The settings for the wss_http_token_service_template are identical to those for the client version of the assertion template. See Table C-16 for information on the settings.
Table C-18 lists the configuration properties and the default settings for the wss_http_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-18 wss_http_token_service_template Configurations
Name | Description |
---|---|
realm |
HTTP Realm. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss_username_token_client_template assertion template includes authentication with username and password credentials in the WS-Security UsernameToken header. The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
Digest passwords are not supported in this release.
Policies created using this template are not secure; it transmits the password in clear text. You should use this assertion in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, oracle/wss_username_token_over_ssl_client_template.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
Table C-19 lists the settings for the wss_username_token_client_template assertion template.
Table C-19 wss_username_token_client_template Settings
Name | Description | Default Value |
---|---|---|
Password Type |
Type of password required. Valid values are:
Note: The plaintext type is not recommended when the token propagation occurs on an unsecure channel. However, if SSL is being used as the transport channel to secure a point-to-point connection between client and server, the plaintext type can be used as the channel takes care of protecting the password. |
plaintext |
Nonce Required |
Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Notes:
|
False |
Creation Time Required |
Flag that specifies whether a time stamp for the creation of the username token is required. Notes:
|
False |
Table C-20 lists the configuration properties and the default settings for the wss_username_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-20 wss_username_token_client_template Configurations
Name | Description |
---|---|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The wss_username_token_service_template assertion template enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header. The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
Digest passwords are not supported in this release.
Policies created using this template are not secure; it transmits the password in clear text. You should use this assertion in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, oracle/wss_username_token_over_ssl_service_template.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
The settings for the wss_username_token_service_template are identical to the client version of the assertion template. See Table C-19 for information on the settings.
Table C-21 lists the configuration properties and the default settings for the wss_username_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-21 wss_username_token_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss10_saml_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.
Table C-22 lists the settings for the wss10_saml_token_client_template assertion template.
Table C-22 wss10_saml_token_client_template Settings
Name | Description | Default Value |
---|---|---|
Version |
SAML version. The only valid value is 1.1. |
1.1 |
Confirmation Type |
Confirmation type. The only valid value is:
|
sender-vouches |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
Table C-23 lists the configuration properties and the default settings for the wss10_saml_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-23 wss10_saml_token_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss10_saml_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
The settings for the wss10_saml_token_service_template are identical to the client version of the assertion, with the exception that Name Identifier Format is not present. See Table C-22 for information on the settings.
Table C-24 lists the configuration properties and the default settings for the wss10_saml_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-24 wss10_saml_token_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss10_saml20_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.
Table C-25 lists the settings for the wss10_saml20_token_client_template assertion template.
Table C-25 wss10_saml20_token_client_template Settings
Name | Description | Default Value |
---|---|---|
Version |
SAML version. The only valid value is 2.0. |
2.0 |
Confirmation Type |
Confirmation type. The only valid value is:
|
sender-vouches |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
Table C-26 lists the configuration properties and the default settings for the wss10_saml20_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-26 wss10_saml20_token_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss10_saml20_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
The settings for the wss10_saml20_token_service_template are similar to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-25 for information on the settings.
Table C-27 lists the configuration properties and the default settings for the wss10_saml20_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-27 wss10_saml20_token_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss11_kerberos_token_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
Table C-28 lists the settings for the wss11_kerberos_token_client_template assertion template.
Table C-28 wss11_kerberos_token_client_template Settings
Name | Description | Default Value |
---|---|---|
Kerberos Token Type |
Type of Kerberos token. The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API). |
gss-apreq-v5 |
Table C-29 lists the configuration properties and the default settings for the wss11_kerberos_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-29 wss11_kerberos_token_client_template Configurations
Name | Description |
---|---|
service.principal.name |
Kerberos principal name that identifies the service. Default settings:
|
keytab.location |
Location of the client's keytab file. Default settings:
|
caller.principal.name |
Client's principal name as generated using the Default settings:
Note: |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss11_kerberos_token_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
The settings for the wss11_keberos_token_service_template are identical to the client version of the assertion template. See Table C-28 for information on the settings.
Table C-30 lists the configuration properties and the default settings for the wss11_kerberos_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-30 wss11_kerberos_token_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
Table C-31 summarizes the assertion templates that enforce message protection only, and indicates whether the token is inserted at the transport layer or SOAP header.
Table C-31 Message-Protection Only Assertion Templates
Client Template | Service Template | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP |
---|---|---|---|---|---|
No |
No |
No |
Yes |
||
No |
No |
No |
Yes |
The wss10_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
Table C-32 lists the settings for the wss10_message_protection_client_template assertion template.
Table C-32 wss10_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Sign Key Reference Mechanism |
Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Encryption Key Reference Mechanism |
Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-33 lists the configuration properties and the default settings for the wss10_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-33 wss10_message_protection_client_template Configurations
Name | Description |
---|---|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
The wss10_message_protection_service_template assertion template provides message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The settings for the wss10_message_protection_service_template are identical to the client version of the assertion template. See Table C-32 for information on the settings.
Table C-34 lists the configuration properties and the default settings for the wss10_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-34 wss10_message_protection_service_template Configurations
Name | Description |
---|---|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default settings:
|
keystore.enc.csf.key |
The alias and password used for storing the decryption key password in the keystore. If you set this value you then can override it, as described in "Attaching Web Service Policies Permitting Overrides". If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores. Default settings:
|
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss11_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
Table C-35 lists the settings for the wss11_message_protection_client_template assertion template.
Table C-35 wss11_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
X509 Token |
||
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values include:
|
thumbprint |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Confirm Signature |
Flag that specifies whether to send a signature confirmation back to the client. |
Enabled |
Derived Keys |
Flag that specifies whether derived keys should be used. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-36 lists the configuration properties and the default settings for the wss11_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-36 wss11_message_protection_client_template Configurations
Name | Description |
---|---|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
The wss11_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
The settings for the wss11_message_protection_service_template are identical to the client version of the assertion template. See Table C-35 for information on the settings.
Table C-37 lists the configuration properties and the default settings for the wss11_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-37 wss11_message_protection_service_template Configurations
Name | Description |
---|---|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default settings:
|
keystore.enc.csf.key |
The alias and password used for storing the decryption key password in the keystore. If you set this value you then can override it, as described in "Attaching Web Service Policies Permitting Overrides". If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
Table C-38 summarizes the assertion templates that enforce both message protection and authentication, and indicates whether the token is inserted at the transport layer or SOAP header.
Table C-38 Message Protection and Authentication Assertion Templates
The wss_http_token_over_ssl_client_template assertion template includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store.
Table C-39 lists the settings for the wss_http_token_over_ssl_client_template assertion template.
Table C-39 wss_http_token_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
basic |
Authentication Header—Header Name |
Name of the authentication header. |
None |
Transport Security |
Flag that specifies whether SSL is enabled. |
Enabled |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
Disabled |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Disabled |
Table C-40 lists the configuration properties and the default settings for the wss_http_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-40 wss_http_token_over_ssl_client_template Configurations
Name | Description |
---|---|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss_http_token_over_ssl_service_template assertion template extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.
The settings for the wss_http_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table C-39 for information on the settings.
Table C-41 lists the configuration properties and the default settings for the wss_http_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-41 wss_http_token_over_ssl_service_template Configurations
Name | Description |
---|---|
realm |
HTTP Realm. Default settings:
|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss_saml_token_bearer_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table C-42 lists the settings for the wss_saml_token_bearer_client_template assertion template.
Table C-42 oracle/wss_saml_token_bearer_client_template Settings
Name | Description | Default Values |
---|---|---|
Version |
SAML version. The only valid value is: 1.1. |
1.1 |
Confirmation Type |
Confirmation type. The only valid value is: bearer. |
bearer |
Is Signed |
Flag that specifies whether the SAML token is signed. |
False |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
lists the configuration properties and the default settings for the wss_saml_token_bearer_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-43 wss_saml_token_bearer_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The wss_saml_token_bearer_service template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
Table C-44 lists the settings for the wss_saml_token_bearer_service_template assertion template.
Table C-44 wss_saml_token_bearer_service template Settings
Name | Description | Default Value |
---|---|---|
Version |
SAML version. The only valid value is: 1.1. |
1.1 |
Confirmation Type |
Confirmation type. The only valid value is:
|
sender-vouches |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value for this policy is True. |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Table C-45 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-45 wss_saml_token_bearer_service template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The wss_saml_token_bearer_over_ssl_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table C-46 lists the settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.
Table C-46 wss_saml_token_bearer_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
Version |
SAML version. The only valid value is: 1.1. |
1.1 |
Confirmation Type |
Confirmation type. The only valid value is: bearer. |
bearer |
Is Signed |
Flag that specifies whether the SAML token is signed. |
False |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
Transport Security |
Flag that specifies whether SSL is enabled. |
Enabled |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
Disabled |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Disabled |
Table C-47 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-47 wss_saml_token_bearer_over_ssl_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The wss_saml_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
The settings for the wss_saml_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-46 for information on the settings.
Table C-48 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-48 wss_saml_token_bearer_over_ssl_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss_saml20_token_bearer_over_ssl_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table C-49 lists the settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.
Table C-49 wss_saml20_token_bearer_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
Version |
SAML version. The only valid value is: 2.0. |
2.0 |
Confirmation Type |
Confirmation type. The only valid value is: bearer. |
bearer |
Is Signed |
Flag that specifies whether the SAML token is signed. |
False |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
Transport Security |
Flag that specifies whether SSL is enabled. |
Enabled |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
Disabled |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Disabled |
Table C-50 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-50 wss_saml20_token_bearer_over_ssl_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss_saml20_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
The settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-49 for information on the settings.
Table C-51 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-51 wss_saml20_token_bearer_over_ssl_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss_saml_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
Table C-52 lists the settings for the wss_saml_token_over_ssl_client_template assertion template.
Table C-52 wss_saml_token_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
Version |
SAML version. The only valid value is: 1.1. |
1.1 |
Confirmation Type |
Confirmation type. The only valid value is:
|
sender-vouches |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value for this policy is True. |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
Transport Security |
Flag that specifies whether SSL is enabled. |
Enabled |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
Enabled |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Disabled |
Table C-53 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-53 wss_saml_token_over_ssl_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The wss_saml_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
The settings for the wss_saml_token_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-52 for information on the settings.
Table C-54 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-54 wss_saml_token_over_ssl_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss_saml20_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
Table C-55 lists the settings for the wss_saml20_token_over_ssl_client_template assertion template.
Table C-55 wss_saml20_token_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
Version |
SAML version. The only valid value is: 2.0. |
2.0 |
Confirmation Type |
Confirmation type. The only valid value is:
|
sender-vouches |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value for this policy is True. |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
Transport Security |
Flag that specifies whether SSL is enabled. |
Enabled |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
Enabled |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Disabled |
Table C-56 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-56 wss_saml20_token_over_ssl_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss_saml20_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
The settings for the wss_saml20_token_over_ssl_service_template assertion template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-55 for information on the settings.
Table C-57 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-57 wss_saml20_token_over_ssl_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss_username_token_over_ssl_client_template assertion template includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
Table C-58 lists the settings for the wss_username_token_over_ssl_client_template assertion template.
Table C-58 wss_username_token_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
Password Type |
Type of password required. Valid values are:
Note: The plaintext type is not recommended when the token propagation occurs on an unsecure channel. However, if SSL is being used as the transport channel to secure a point-to-point connection between client and server, the plaintext type can be used as the channel takes care of protecting the password. |
plaintext |
Creation Time Required |
Flag that specifies whether a time stamp for the creation of the username token is required. Notes:
|
False |
Nonce Required |
Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Notes:
|
False |
Transport Security |
Flag that specifies whether SSL is enabled. |
Enabled |
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
Disabled |
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Disabled |
Table C-59 lists the configuration properties and the default settings for the wss_username_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-59 wss_username_token_over_ssl_client_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The wss_username_token_over_ssl_service_template assertion template uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
The settings for the wss_username_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table C-58 for information on the settings.
Table C-60 lists the configuration properties and the default settings for the wss_username_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-60 wss_username_token_over_ssl_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss10_saml_hok_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
Table C-61 lists the settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.
Table C-61 wss10_saml_hok_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
SAML Token Type |
||
Version |
SAML version. The only valid value is: 1.1. |
1.1 |
Confirmation Type |
Confirmation type. The only valid value is: holder-of-key. |
holder-of-key |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value is: |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Name Identifier Format is applicable only when If Specifies the type of format to be used for the name identifier. Specify one of the following values:
|
unspecified |
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
ski |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values include:
|
direct |
Recipient Sign Key Reference Mechanism |
Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Encryption Key Reference Mechanism |
Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-62 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-62 wss10_saml_hok_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
user.roles.include |
User roles to be included. Default settings:
|
saml.assertion.filename |
Name of the of the SAML token file. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
The wss10_saml_hok_token_with_message_protection_service_template assertion template enforces message-level protection and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The settings for the wss10_saml_hok_token_with_message_protection_service_template are identical to those for the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-61 for information on the settings.
Table C-63 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-63 wss10_saml_hok_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss10_saml_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
Table C-64 lists the settings for the wss10_saml_token_with_message_protection_client_template assertion template.
Table C-64 wss10_saml_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
SAML Token Type |
||
Version |
SAML version. The only valid value is: 1.1. |
1.1 |
Confirmation Type |
Confirmation type. The only valid value is: sender-vouches. |
sender-vouches |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value for this policy is: |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Sign Key Reference Mechanism |
Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Encryption Key Reference Mechanism |
Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-65 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-65 wss10_saml_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss10_saml_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
The settings for the wss10_saml_token_with_message_protection_service_template are identical to those for client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-64 for information on the settings.
Table C-66 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-66 wss10_saml_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss10_saml20_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
Table C-67 lists the settings for the wss10_saml20_token_with_message_protection_client_template assertion template.
Table C-67 wss10_saml20_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
SAML Token Type |
||
Version |
SAML version. The only valid value is: 2.0. |
2.0 |
Confirmation Type |
Confirmation type. The only valid value is: sender-vouches. |
sender-vouches |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value for this policy is: |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Sign Key Reference Mechanism |
Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Encryption Key Reference Mechanism |
Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-68 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-68 wss10_saml20_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
user.roles.include |
User roles to be included. Default settings:
|
saml.issuer.name |
Issuer URI. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
attesting.mapping.attribute |
The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies. Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss10_saml20_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
The settings for the wss10_saml20_token_with_message_protection_service_template are similar to those of the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-67 for information on the settings.
Table C-69 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-69 wss10_saml20_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss10_username_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials are included in the WS-Security UsernameToken header in the outbound SOAP message.
The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
Table C-70 lists the settings for the wss10_username_token_with_message_protection_client_template assertion template.
Table C-70 wss10_username_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
Username Token |
||
Password Type |
Type of password required. Valid values are:
|
plaintext |
Creation Time Required |
Flag that specifies whether a time stamp for the creation of the username token is required. Notes:
|
False |
Nonce Required |
Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Notes:
|
False |
Is Signed |
Flag that specifies whether the username is signed. |
True |
Is Encrypted |
Flag that specifies whether the username is encrypted. |
True |
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Sign Key Reference Mechanism |
Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Encryption Key Reference Mechanism |
Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-71 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-71 wss10_username_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
role |
SOAP role. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
The wss10_username_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
Digest passwords are not supported in this release.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
The settings for the wss10_username_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table C-70 for information on the settings.
Table C-72 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-72 wss10_username_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss10_x509_token_with_message_protection_client template assertion template provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
Table C-73 lists the settings for the wss10_x509_token_with_message_protection_client template assertion template.
Table C-73 wss10_x509_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Sign Key Reference Mechanism |
Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Recipient Encryption Key Reference Mechanism |
Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-74 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-74 wss10_x509_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
The wss10_x509_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The settings for the wss10_x509_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table C-73 for information on the settings.
Table C-75 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-75 wss10_x509_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss11_kerberos_token_with_message_protection_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
Table C-76 lists the settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.
Table C-76 wss11_kerberos_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
Kerberos Token Type |
Type of Kerberos token. The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API). |
gss-apreq-v5 |
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
direct |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
TripleDes |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Confirm Signature |
Flag that specifies whether to send a signature confirmation back to the client. |
Enabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-77 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-77 wss11_kerberos_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
service.principal.name |
Kerberos principal name that identifies the service. Default settings:
|
keytab.location |
Location of the client's keytab file. Default settings:
|
caller.principal.name |
Client's principal name as generated using the Default settings:
Note: |
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
The wss11_kerberos_token_with_message_protection_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
The settings for the wss11_keberos_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table C-76 for information on the settings.
None required.
The wss11_saml_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
Table C-78 lists the settings for the wss11_saml_token_with_message_protection_client_template assertion template.
Table C-78 wss11_saml_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
SAML Token Type |
||
Version |
SAML version. The only valid value is: 1.1. |
None |
Confirmation Type |
Confirmation type. Valid values include: sender-vouches. |
sender-vouches. |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
thumbprint |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Confirm Signature |
Flag that specifies whether to send a signature confirmation back to the client. |
Enabled |
Derived Keys |
Flag that specifies whether derived keys should be used. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-79 lists the configuration properties and the default settings for the wss11_saml_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-79 wss11_saml_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
saml.issuer.name |
Issuer URI. Default settings:
|
role |
SOAP role. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The wss11_saml_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
The settings for the wss11_saml_token_with_message_protection_service_template are identical to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-78 for information on the settings.
Table C-80 lists the configuration properties and the default settings for the wss11_saml_token__with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-80 wss11_saml_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss11_saml20_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
Table C-81 lists the settings for the wss11_saml20_token_with_message_protection_client_template assertion template.
Table C-81 wss11_saml20_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
SAML Token Type |
||
Version |
SAML version. The only valid value is: 2.0. |
2.0 |
Confirmation Type |
Confirmation type. Valid values include: sender-vouches. |
sender-vouches. |
Is Signed |
Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: |
True |
Is Encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
Name Identifier Format |
Specifies the type of format to be used for the name identifier. Name Identifier Format is applicable only when If Specify one of the following values:
|
unspecified |
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
thumbprint |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Confirm Signature |
Flag that specifies whether to send a signature confirmation back to the client. |
Enabled |
Derived Keys |
Flag that specifies whether derived keys should be used. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-82 lists the configuration properties and the default settings for the wss11_saml20_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-82 wss11_saml20_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
user.attributes |
User attributes related to the principal of the SAML token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. Requires that the Subject is available and Default settings:
A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. |
saml.issuer.name |
Issuer URI. Default settings:
|
role |
SOAP role. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
subject.precedence |
Set If Default settings:
|
attesting.mapping.attribute |
The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies. Default settings:
|
saml.audience.uri |
Represents the relying party, as a comma-separated URI. This field accepts the following wildcards:
Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The wss11_saml20_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
The settings for the wss11_saml_token_with_message_protection_service_template are similar to the client version of the assertion template, with the exception that Name Identifier Format is not present. See Table C-80 for information on the settings.
Table C-83 lists the configuration properties and the default settings for the wss11_saml20_token__with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-83 wss11_saml20_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
saml.trusted.issuers |
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default is |
The ws11_username_token_with_message_protection_client_template assertion template includes authentication and message protection in accordance with the WS-Security v1.1 standard.
The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.
Table C-84 lists the settings for the wss11_username_token_with_message_protection_client_template assertion template.
Table C-84 wss11_username_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
Username Token |
||
Password Type |
Type of password required. Valid values are:
|
plaintext |
Creation Time Required |
Flag that specifies whether a time stamp for the creation of the username token is required. Notes:
|
False |
Nonce Required |
Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Notes:
|
False |
Is Signed |
Flag that specifies whether the username is signed. |
True |
Is Encrypted |
Flag that specifies whether the username is encrypted. |
True |
X509 Token |
||
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values include:
|
thumbprint |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Confirm Signature |
Flag that specifies whether to send a signature confirmation back to the client. |
Enabled |
Derived Keys |
Flag that specifies whether derived keys should be used. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-85 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-85 wss11_username_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. Default settings:
|
role |
SOAP role. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
user.tenant.name |
Reserved for use with Oracle Cloud. |
The ws11_username_token_with_message_protection_service_template assertion template enforces authentication and message protection in accordance with the WS-Security v1.1 standard.
The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature. To prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.
The settings for the wss11_username_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table C-84 for information on the settings.
Table C-86 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-86 wss11_username_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The wss11_x509_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Credentials are included in the WS-Security binary security token of the SOAP message. ]
Table C-87 lists the settings for the wss11_x509_token_with_message_protection_client_template assertion template.
Table C-87 wss11_x509_token_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
X509 Token |
||
Sign Key Reference Mechanism |
Mechanism used when signing the request. Valid values include:
|
direct |
Encryption Key Reference Mechanism |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
thumbprint |
Message Security |
||
Algorithm Suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
Enabled |
Encrypt Signature |
Flag that specifies whether to encrypt the signature. |
Disabled |
Confirm Signature |
Flag that specifies whether to send a signature confirmation back to the client. |
Enabled |
Derived Keys |
Flag that specifies whether derived keys should be used. |
Disabled |
Request Message Settings |
See Table C-110. |
N/A |
Response Message Settings |
See Table C-110. |
N/A |
Fault Message Settings |
See Table C-110. |
N/A |
Table C-88 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-88 wss11_x509_token_with_message_protection_client_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
ignore.timestamp.in.response |
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to Note: This property is not shown in Fusion Middleware Control. Details for adding the property are described in "Configuring User-Defined Client- or Server-Side Override Properties". |
The wss11_x509_token_with_message_protection_service_template assertion template enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. The certificate is extracted from the WS-Security binary security token header, and the credentials in the certificate are validated against the Oracle Platform Security Services identity store.
The settings for the wss11_x509_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table C-87 for information on the settings.
Table C-89 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-89 wss11_x509_token_with_message_protection_service_template Configurations
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
Table C-90 summarizes the WS-Trust assertion templates.
In this release, you can use Fusion Middleware Control to directly edit the assertion template text, but the Settings and Configurations pages are not available.
Table C-90 WS-Trust Assertion Templates
Name | Description |
---|---|
STS configuration information assertion template that is used to invoke STS for token exchange. |
|
STS configuration information assertion template that is used to invoke STS for token exchange. |
|
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template |
SOAP binding-level client assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection. |
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template |
SOAP binding-level service assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection. |
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template |
WS-Security 1.1 issued token SAML HOK token with certificates client assertion template. Provides authentication and message protection using Basic128. |
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template |
WS-Security 1.1 issued token SAML HOK token with certificates service assertion template. Provides authentication and message protection using Basic128. |
oracle/wss11_sts_issued_saml_with_message_protection_client_template |
WS-Security 1.1 issued token SAML sender voucher with certificates. Provides authentication and message protection using Basic128. |
The oracle/sts_trust_config_client_template invokes the STS for token exchange.
Table C-91 lists the settings for the oracle/sts_trust_config_client_template assertion template.
Table C-91 oracle/sts_trust_config_client_template Settings
Name | Description | Default Value |
---|---|---|
policy-reference-uri |
The client policy URI that will be used by the client to communicate with the STS. The policy you choose depends on the authentication requirements of the STS, as identified in its WSDL. |
oracle/wss10_username_token_with_message_protection_client_policy |
port-endpoint |
The endpoint of the STS Web service. For a WSDL 2.0 STS, the format is specified as For a WSDL 1.1 STS, the format is specified as |
None |
port-uri |
The actual endpoint URI of the STS port. For example. |
None |
sts-keystore-recipient-alias |
The alias of the STS certificate you added to the keystore. The default alias name is |
|
wsdl-uri |
The actual endpoint URI of the WSDL. |
None |
Table C-92 lists the configuration properties and the default settings for the oracle/sts_trust_config_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-92 oracle/sts_trust_config_client_template Properties
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The oracle/sts_trust_config_service_template invokes the STS for token exchange.
Table C-91 lists the settings for the oracle/sts_trust_config_service_template assertion template.
Table C-93 oracle/sts_trust_config_service_template Settings
Name | Description | Default Value |
---|---|---|
port-uri |
The actual endpoint URI of the STS port. For example. |
None |
wsdl-uri |
The actual endpoint URI of the WSDL. |
None |
Table C-92 lists the configuration properties and the default settings for the oracle/sts_trust_config_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-94 oracle/sts_trust_config_service_template Properties
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
This template inserts a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL.
Table C-95 lists the settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template.
Table C-95 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Settings
Name | Description | Default Value |
---|---|---|
require-applies-to |
Optional element in the RST. If present, Oracle WSM sends the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS. |
True |
require-client-entropy |
If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required. |
Applies only to HOK. |
require-server-entropy |
If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required. |
Applies only to HOK. |
trust -version |
WS-Trust version. |
1.3 |
require-external-reference |
Indicates whether external reference to the token is required. |
True |
require-internal-reference |
Indicates whether internal reference to the token is required. |
True |
use-derived-keys |
Indicates whether derived keys are required. |
False |
token-type |
SAML token type. The only valid value is: 1.1. |
SAML11 |
key-type |
Key type. The only valid value is: bearer. |
bearer |
mutual-auth |
Flag that specifies whether two-way authentication is required. Valid values include:
|
False |
include-timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
True |
Table C-96 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-96 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Properties
Name | Description |
---|---|
sts.auth.user.csf.key |
Use to configure username/password to authenticate to the STS. If Default settings:
|
sts.auth.x509.csf.key |
Use to configure X509 certificate for authenticating to the STS. If Default settings:
|
on.behalf.of |
Optional property. Override this property to indicate whether the request is on behalf of an another entity. The default value for this flag is When set to Otherwise, if the subject is already established, then the username from the subject will be sent as If Default settings:
|
sts.auth.on.behalf.of.csf.key |
Optional property. Use to configure on behalf of entity. If present, it will be given preference over Subject (if it exists). Default settings:
|
sts.auth.service.principal.name |
Principal name for the Web service that needs to be protected. It is of the format Default settings:
|
sts.auth.keytab.location |
Location of the client's keytab file. Default settings:
|
sts.keystore.recipient.alias |
The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key. Default settings:
|
sts.auth.caller.principal.name |
Client's principal name as generated using the Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
This template authenticates a SAML bearer assertion issued by a trusted STS. Messages are protected using SSL
Table C-95 lists the settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template assertion template.
Table C-97 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-97 oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template Properties
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
This template inserts a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using proof key material provided by the STS.
Table C-98 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template.
Table C-98 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
require-applies-to |
Optional element in the RST. If present, Oracle WSM sends the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS. |
True |
require-client-entropy |
If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required. |
True |
require-server-entropy |
If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required. |
True |
trust -version |
WS-Trust version. |
1.3 |
require-external-reference |
Indicates whether external reference to the token is required. |
True |
require-internal-reference |
Indicates whether internal reference to the token is required. |
True |
use-derived-keys |
Indicates whether derived keys are required. |
False |
token-type |
SAML token type. The only valid values are: 1.1 and 2.0. |
SAML11 and SAML20 |
key-type |
Key type. |
symmetric |
is-signed |
Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: |
True |
is-encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
confirm-signature |
Flag that specifies whether to send a signature confirmation back to the client. |
True |
sign-key-ref-mech |
Mechanism used when signing the request. Valid values include:
|
Thumbprint |
enc-key-ref-mech |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
Thumbprint |
encrypt-signature |
Flag that specifies whether the signature is encrypted. |
False |
sign-then-encrypt |
Flag that specifies whether the request is signed and then encrypted. |
True |
algorithm-suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
include-timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
True |
Table C-99 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-99 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Properties
Name | Description |
---|---|
sts.auth.user.csf.key |
Use to configure username/password to authenticate to the STS. If Default settings:
|
sts.auth.x509.csf.key |
Use to configure X509 certificate for authenticating to the STS. If Default settings:
|
on.behalf.of |
Optional property. Override this property to indicate whether the request is on behalf of an another entity. The default value for this flag is When set to Otherwise, if the subject is already established, then the username from the subject will be sent as If |
sts.auth.on.behalf.of.csf.key |
Optional property. Use to configure on behalf of entity. If present, it will be given preference over Subject (if it exists). Default settings:
|
sts.keystore.recipient.alias |
The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
keystore.enc.csf.key |
If you set this value you then can override If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores. Default settings:
|
sts.auth.service.principal.name |
Principal name for the Web service that needs to be protected. It is of the format Default settings:
|
sts.auth.keytab.location |
Location of the client's keytab file. Default settings:
|
sts.auth.caller.principal.name |
Client's principal name as generated using the Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
This template authenticates a SAML HOK assertion issued by a trusted STS (Security Token Service). Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies.
Table C-98 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template.
Table C-100 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Web Service Policies Permitting Overrides".
Table C-100 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template Properties
Name | Description |
---|---|
role |
SOAP role. Default settings:
|
keystore.enc.csf.key |
If you set this value you then can override keystore.enc.csf.key, as described in "Attaching Web Service Policies Permitting Overrides". If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
This template inserts a SAML sender vouches assertion issued by a trusted STS (Security Token Service). Messages are protected using the client's private key.
Table C-101 lists the settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template.
Table C-101 wss11_sts_issued_saml_with_message_protection_client_template Settings
Name | Description | Default Value |
---|---|---|
require-applies-to |
Optional element in the RST. If present, Oracle WSM sends the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS. |
True |
require-client-entropy |
If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required. |
Applies to HOK only. |
require-server-entropy |
If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required. |
Applies to HOK only. |
trust-version |
WS-Trust version. |
1.3 |
require-external-reference |
Indicates whether external reference to the token is required. |
True |
require-internal-reference |
Indicates whether internal reference to the token is required. |
True |
use-derived-keys |
Indicates whether derived keys are required. |
False |
token-type |
SAML token type. The only valid value is: 1.1. |
SAML11 |
is-signed |
Flag that specifies whether the SAML token is signed. The only valid value for SAML policies is: |
True |
is-encrypted |
Flag that specifies whether the SAML token is encrypted. |
False |
confirm-signature |
Flag that specifies whether to send a signature confirmation back to the client. |
True |
sign-key-ref-mech |
Mechanism used when signing the request. Valid values include:
|
Direct |
enc-key-ref-mech |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
Thumbprint |
encrypt-signature |
Flag that specifies whether the signature is encrypted |
False |
sign-then-encrypt |
Flag that specifies whether the request is signed and then encrypted. |
True |
algorithm-suite |
Algorithm suite used for message protection. See "Supported Algorithm Suites". |
Basic128 |
include-timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
True |
Table C-102 lists the configuration properties and the default settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties".
For information about overriding policies, see "Attaching Client Policies Permitting Overrides".
Table C-102 oracle/wss11_sts_issued_saml_with_message_protection_client_template Properties
Name | Description |
---|---|
sts.auth.user.csf.key |
Use to configure username/password to authenticate to the STS. If Default settings:
|
sts.auth.x509.csf.key |
Use to configure X509 certificate for authenticating to the STS. If Default settings:
|
on.behalf.of |
Optional property. Override this property to indicate whether the request is on behalf of an another entity. The default value for this flag is When set to Otherwise, if the subject is already established, then the username from the subject will be sent as If |
sts.auth.on.behalf.of.csf.key |
Optional property. Use to configure on behalf of entity. If present, it will be given preference over Subject (if it exists). Default settings:
|
sts.keystore.recipient.alias |
The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key. Default settings:
|
keystore.recipient.alias |
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Default settings:
|
keystore.enc.csf.key |
If you set this value you then can override keystore.enc.csf.key, as described in "Attaching Web Service Policies Permitting Overrides". If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores. Default settings:
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
Table C-103 summarizes assertion templates that are used for authorization. Each authorization assertion template must follow an authentication assertion template.
Table C-103 Authorization Assertion Templates
Service Template | Description |
---|---|
Provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. |
|
Provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level. |
|
Provides simple role-based authorization for the request based on the authenticated subject at the SOA component level. |
|
Provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level. |
The binding_authorization_template assertion template provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion template.
Table C-104 lists the settings for the binding_authorization_template assertion template.
Table C-104 binding_authorization_template Settings
Name | Description | Default Value |
---|---|---|
Constraint Pattern |
Expression that represents the constraints against which authorization checks are performed. The constraints expression is specified using the following two messageContext properties:
The constraint pattern properties and their values are case sensitive. The constraint expression uses the following standard supported operators: |
|
Action Pattern |
Action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, |
actionMatchPattern |
Resource Pattern |
Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is |
resourceMatchPattern |
Authorization Setting |
Specifies the roles that are authorized. The valid values are:
To add roles:
To delete roles:
|
Selected Roles |
None defined.
The binding_permission_authorization_template assertion provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion.
Table C-105 lists the settings for the binding_permission_authorization_template assertion template.
Table C-105 binding_permission_authorization_template Settings
Name | Description | Default Value |
---|---|---|
Constraint Pattern |
Reserved for future use. |
N/A |
Action Pattern |
Action or Web service operation for which permission-based checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, |
* |
Resource Pattern |
Name of the resource for which permission-based checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is |
* |
Permission Check Class |
Class used for the permission-based checking. For example, |
N/A |
Table C-106 lists the configuration properties for the binding_permission_authorization_template assertion template.
Table C-106 binding_permission_authorization_template Properties
Name | Description |
---|---|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. Default settings:
The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". |
The component_authorization_template assertion provides simple role-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.
Table C-107 lists the settings for the component_authorization_template assertion template.
Table C-107 component_authorization_template Settings
Name | Description | Default Value |
---|---|---|
Authorization Setting |
Specifies the roles that are authorized. The valid values are:
To add roles:
To delete roles:
|
Selected Roles |
None defined.
The component_permission_authorization_template assertion template provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.
Note:
You should be careful when using permission-based policies with EJBs as the security permissions specified in system-jazn-data.xml will be relaxed beyond a single invocation of the service operation.
Table C-108 lists the settings for the component_permission_authorization_template assertion template.
Table C-108 component_permission_authorization_template Settings
Name | Description | Default Value |
---|---|---|
Constraint Pattern |
Reserved for future use. |
N/A |
Action Pattern |
Action or Web service operation for which permission-based checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, |
* |
Resource Pattern |
Name of the resource for which permission-based checks are performed. This field accepts wildcards. For example, if the composite name of the Web service is |
* |
Permission Check Class |
Class used for the permission-based checking. For example, |
N/A |
None defined.
Table C-109 lists the algorithm suites that are supported for message protection. The algorithm suites enable you to control the cryptographic characteristics of the algorithms that are used when securing messages.
Table C-109 Supported Algorithm Suites
Algorithm Suite | Digest | Encryption | Symmetric Key Wrap | Asymmetric Key Wrap | Encrypted Key Derivation | Signature Key Derivation | Minimum Signature Key Length |
---|---|---|---|---|---|---|---|
Basic256 |
Sha1 |
Aes256 |
KwAes256 |
KwRsaOaep |
PSha1L256 |
PSha1L192 |
256 |
Basic192 |
Sha1 |
Aes192 |
KwAes192 |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
Basic128 |
Sha1 |
Aes128 |
KwAes128 |
KwRsaOaep |
PSha1L128 |
PSha1L128 |
128 |
TripleDes |
Sha1 |
TripleDes |
KwTripleDes |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
Basic256Rsa15 |
Sha1 |
Aes256 |
KwAes256 |
KwRsa15 |
PSha1L256 |
PSha1L192 |
256 |
Basic192Rsa15 |
Sha1 |
Aes192 |
KwAes192 |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
Basic128Rsa15 |
Sha1 |
Aes128 |
KwAes128 |
KwRsa15 |
PSha1L128 |
PSha1L128 |
128 |
TripleDesRsa15 |
Sha1 |
TripleDes |
KwTripleDes |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
Table C-110 lists the settings for the Request, Response, and Fault messages. You configure these settings for message signing and encryption.
Table C-110 Request, Response, and Fault Message Signing and Encryption Settings
Name | Description | Default Value |
---|---|---|
Include Entire Body |
Sign or encrypt the entire body of the SOAP message. If |
True for Request and Response messages False for Fault messages |
Include SwA Attachment |
Sign or encrypt SOAP messages with attachments. Note: This field is not applicable to MTOM attachments. |
False |
Include MIME Headers |
Sign or encrypt SOAP attachments with MIME headers. Note: This field is enabled and applicable if Include SwA Attachment is enabled. It is not applicable to MTOM attachments. |
False |
Header Elements |
Sign or encrypt the specified SOAP header elements. To add a header element:
To edit a header element:
To delete a header element:
|
None |
Body Elements |
Note: This field is available if Include Entire Body is disabled. Sign or encrypt the specified body elements. This field is applicable if the Include Body field is disabled. To add a body element:
To edit a body element:
To delete a body element:
|
None |
Table C-111 summarizes the management assertion templates.
Table C-111 Management Assertion Templates
Name | Description |
---|---|
Provides a logging assertion template that can be attached to any binding or component. |
The security_log_template assertion template provides a logging assertion template that can be attached to any binding or component.
Note:
It is recommended that the logging assertion be used for debugging and auditing purposes only.
Table C-112 lists the settings for the security_log_template assertion template.
Table C-112 security_log_template Settings
Name | Description | Default Value |
---|---|---|
Request |
Requirements for logging request messages. The valid values are:
|
all |
Response |
Requirements for logging response messages. The valid values are the same as for Request above. |
soap_body |
None defined.
Each of the predefined no behavior policies, described in "No Behavior Policies", use the same assertion that essentially does not enforce the behavior for that category.
An assertion template is not provided for this assertion. For that reason, it is important that you do not delete the no behavior policies. If you do so, you cannot recreate them and you will need to restore the repository with the original policies. For information about restoring the repository, see "Rebuilding the Oracle WSM Repository".