3 Assertion Template Settings and Configuration Properties

This chapter provides details on all the assertion template settings and configuration properties.

This chapter includes the following sections:

Assertion Template Settings

The following sections summarize the settings that can be set for the predefined assertion templates; settings are listed alphabetically.

Note:

Not all settings apply to all assertion templates.

Action Match

Action or web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, validate,amountAvailable.

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Authentication Header—Header Name

Name of the authentication header.

Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

    Note: It is recommended that you configure SSL when using basic authentication. For more information, see "Configuring the SSL Keystore and Truststore" in Administering Oracle Mobile Security Access Server.

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

  • digest—Not supported in this release. Client authenticates itself by transmitting an MD5 digest of the password rather than the password itself.

  • jwt—Client authenticates itself using JWT token.

  • oam—Client authenticates itself using OAM agent.

  • oauth2—Client authenticates itself using OAuth2 agent.

  • saml20-bearer—Client authenticates itself using SAML 2.0 Bearer token.

  • spnego—Client authenticates itself using Kerberos SPNEGO.

Constraint Match

Expression that represents the constraints against which authorization checks are performed. The constraints expression is specified using the following two messageContext properties:

  • messageContext.authenticationMethod—Determines the authentication method used to authenticate the user. Valid value is SAML_SV.

  • messageContext.requestOrigin—Determines whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP Server administrator has added a custom VIRTUAL_HOST_TYPE header to the request.

The constraint pattern properties and their values are case sensitive.

The constraint expression uses the following standard supported operators: ==, !=, &&, || and !.
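A constraint expression of this form can be evaluated mechanically against the two messageContext properties. The following is an added example, not Oracle's code: a small evaluator with a constructed sample context. Because the page does not specify them, double-quoted string literals, parentheses, the operator precedence and the treatment of unknown properties are assumptions.

```python
import operator, re
# Tokens (all case sensitive): == != && || ! ( ) "literal" property.name; anything else is rejected
TOKEN = r'\s*(==|!=|&&|\|\||!|\(|\)|"[^"]*"|[A-Za-z_][\w.]*)'
# Constructed sample messageContext: an internal request authenticated by SAML sender-vouches
SAMPLE_CONTEXT = {"messageContext.authenticationMethod": "SAML_SV",
                  "messageContext.requestOrigin": "internal"}
INTERNAL_SAML_ONLY = 'messageContext.authenticationMethod == "SAML_SV" && messageContext.requestOrigin != "external"'

def tokenize(expr):
    if not re.fullmatch(rf"(?:{TOKEN})*\s*", expr):
        raise ValueError(f"unsupported token in {expr!r}")
    return re.findall(TOKEN, expr)

def evaluate(expr, context):
    """True if `context` (messageContext.* name -> value) satisfies `expr`. Assumed
    precedence: ! over == / != over && over ||; an unknown property is None."""
    toks, pos = tokenize(expr) + [None], [0]  # trailing None marks end of input
    def take():  # consume and return the next token
        pos[0] += 1
        return toks[pos[0] - 1]
    def parse_binary(op, operand, combine):  # left-associative chain of one operator
        val = operand()
        while toks[pos[0]] == op:
            take()
            val = combine(bool(val), bool(operand()))  # parse both sides so tokens are consumed
        return val
    parse_and = lambda: parse_binary("&&", parse_cmp, operator.and_)
    parse_or = lambda: parse_binary("||", parse_and, operator.or_)
    def parse_cmp():
        lhs = parse_primary()
        if toks[pos[0]] in ("==", "!="):
            op, rhs = take(), parse_primary()
            return lhs == rhs if op == "==" else lhs != rhs
        return lhs
    def parse_primary():
        tok = take()
        if tok == "!":
            return not parse_primary()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return val
        if tok is None or tok[0] in "=!&|)":
            raise ValueError(f"unexpected token {tok!r}")
        return tok[1:-1] if tok[0] == '"' else context.get(tok)
    result = parse_or()
    if toks[pos[0]] is not None:
        raise ValueError(f"unexpected trailing token {toks[pos[0]]!r}")
    return bool(result)
```

Note that a property absent from the context compares unequal to every literal, so a `!=` test against a missing property is satisfied; malformed expressions raise rather than silently evaluating to false.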

Is Encrypted

Flag that specifies whether the SAML token is encrypted.

Is Signed

Flag that specifies whether the SAML token is signed.

Resource Match

Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.

Transport Layer Security

Flag that specifies whether Secure Sockets Layer (SSL), now known as Transport Layer Security (TLS), is enabled.

Transport Layer Security—Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Transport Layer Security—Mutual Authentication Required

Flag that specifies whether two-way authentication is required.

Valid values include:

  • Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.

  • Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.

XPath Expression

Reserved for future use.

XPath Namespaces (comma separated)

Reserved for future use.

Assertion Template Configuration Properties

The following sections summarize the configuration properties that can be set for the predefined assertion templates; settings are listed alphabetically.

Note:

Not all configuration properties apply to all assertion templates.

application.name

The application name defined in OES. The value can be static, or dynamic using ${} notation.

assert.stoken.identity

Flag that specifies whether to assert the user against the identity store. The default value is false, which means the user is not asserted against the identity store during STOKEN verification. This flag must be set to true if the authorization policy is attached after the STOKEN verification policy.

credential.delegation

Flag that specifies whether Credential Delegation with Forwarded TGT is supported. This value is false by default.

csf.map

Reserved for future use.

execute.action

Optional property. Action that will be used during real authorization. The value can be static, or dynamic using ${} notation.

Fault

Requirements for logging fault messages. The valid values are:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

http.header.name

Name of the HTTP header to be inserted into outgoing HTTP headers to back-end resources.

http.header.value

Value of the HTTP header to be inserted into outgoing HTTP headers to back-end resources.

keystore.enc.csf.key

The alias and password used for storing the decryption key password in the keystore.

If you set this value, you can then override keystore.enc.csf.key, as described in "Configuring Policy Overrides" in Administering Oracle Mobile Security Access Server.

If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystore.

keystore.sig.csf.key

The alias and password used for storing the signature key password in the keystore. This property allows you to specify the signature key per attachment instead of at the domain level. This key is used when generating the enveloping signature, as specified by the saml.envelope.signature.required flag.

login.error.page.url

Name of the login error page file, for example login_error.html. This is required to display an error message when authentication fails.

login.page.url

Login page relative URL.

lookup.action

Optional property. Action that will be used during attribute lookup. The value can be static, or dynamic using ${} notation.

oauth2.client.csf.key

The OAuth2 confidential client ID and secret used for performing OAuth2 confidential client authentication with the OAM Mobile and Social Service.

If you set this value, you can override the oauth2.client.csf.key, as described in "Configuring Policy Overrides" in Administering Oracle Mobile Security Access Server.

If you override this value, the OAuth2 confidential client ID and secret for the new value must be in the client profile. That is, even if you override the value, you still need to configure the required OAuth2 confidential client profile in the OAM Mobile and Social Service.

oauth2.mobile.client.csf.key

The OAuth2 mobile client ID used for performing OAuth2 mobile client authentication with the OAM Mobile and Social Service.

If you set this value, you can override the oauth2.mobile.client.csf.key, as described in "Configuring Policy Overrides" in Administering Oracle Mobile Security Access Server.

If you override this value, the OAuth2 mobile client for the new value must be in the client profile. That is, even if you override the value, you still need to configure the required OAuth2 mobile client profile in the OAM Mobile and Social Service.

password.field.name

Name of the password field in the login HTML page.

preemptive.auth

Flag that specifies whether to perform preemptive authentication with back-end resources. The default value is true in the http_bmax_spnego_client_policy. This property is not supported in multitoken client policies.

propagate.identity.context

Reserved for future use.

reference.priority

Reserved for future use.

Request

Requirements for logging request messages.

The valid values are:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

Response

Requirements for logging response messages. The valid values are the same as for Request.

resource.name

Optional property. Resource name defined in OES. The value can be static, or dynamic using ${} notation.

resource.type

Optional property. Resource type defined in OES. The value can be static, or dynamic using ${} notation.

scopes

OAuth scopes are a way to control access to resources. The value of scopes is a list of space-delimited, case-sensitive strings.

service.principal.name

Kerberos principal name that identifies the service.

trusted.issuers

Reserved for future use.

username.field.name

Name of the username field in the login HTML page.

use.single.step

Optional property. Set to true to skip the lookup phase. Does not apply to the masking policy.